Despite the ubiquity of the Trusted Platform Module, holdups exist and adoption remains slow. Deb Radcliff reports.
In 2008, an unencrypted laptop went missing from the car of a worker at Barnabas Health, New Jersey's largest health care system. Although fewer than 2,000 records were exposed, the health care provider subsequently made self-encrypting drives (SEDs), a type of hardware-based encryption, a mandatory part of its mobile device upgrade process.
“Everyone who gets a new laptop must have SED enabled,” says Hussein Syed, director of IT security at Barnabas Health, which consists of 4,600 physicians, seven medical facilities and two business offices. “We don't want to incur another incident because someone left a document on a device and then lost it.”
The encryption cannot be tampered with by users, and access is easier because assigned users now need only one master login to access all their provisioned resources (via Active Directory). SED takes only minutes to initially encrypt the full contents of the hard drive, compared to 36 hours using an older, software-based disk encryption. And, using a third-party encryption management service from Wave Systems, machines can be provisioned just as quickly, says Syed.
Now, with SEDs present in virtually every one of its 1,280 issued laptops, Saint Barnabas is turning its attention to SED's companion technology, Trusted Platform Modules, or TPMs.
TPM, which began shipping in October with Windows 8 and the Windows 12 management server, has become ubiquitous. The specification integrates with other modules from The Trusted Computing Group (TCG) to support system integrity checks, disk encryption, key management and other functions at machine speed.
TCG, parent to both TPM and SED, claims there are more than a billion PCs, servers, embedded systems, network gear and other devices with TPM and/or SED functionality embedded in them. Yet, according to analysts, actual adoption of these technologies is difficult to measure and has been slow.
“I am surprised at the modest adoption of hardware roots of trust, in spite of the ubiquity of embedded TPMs in enterprise-class machines,” says Derek Brink, an analyst with Aberdeen Group, a Boston-based provider of intelligence research. “It seems a question of commitment and will, rather than waiting for the technology to be available and mature.”
In a comparison study Aberdeen published last June, 41 companies using SED experienced 50 percent fewer incidents and saved $80 per endpoint per year versus 81 companies that used other forms of disk encryption.