Delayed reaction


One thing holding up widespread adoption of TPM and SED is interoperability, according to users and analysts. Apple, Google and Microsoft all use different standards, not all of which support TPM, says Roger Kay, founder and president of the Massachusetts-based analyst firm Endpoint Technologies Associates (ETA). The other problem is key management, he adds.

“As with PKI encryption for the PC world, the problem is the certificate authority (CA),” he says. 

Most organizations will require a third-party intermediary, such as Wave Systems, which needs to interoperate with other CAs, say analysts. There will also be those with enterprise expertise in key management who will want to manage their own keys.

Rooting rootkits

To support enterprise key management and interoperability, the Trusted Computing Group is putting a lot of emphasis on Windows 8 endpoints, including built-in TPM supportable through Windows 12 server. TPM enhances support for SED and includes a pre-boot system integrity check that verifies that the accessing system's basic input/output system (BIOS) and registries haven't been changed from a pre-measured state.

“TPM has mainly been used by a small segment of PC users to tie their Windows BitLocker and other encryption keys to user devices,” says Steven Sprague, CEO of Lee, Mass.-based Wave Systems. “Now, these features are native.”

Of all the features in TPM today, machine attestation – or the ability to boot up in safe mode, check the machine's integrity and remotely attest that its settings have not been changed – is the most important feature, says Neil Kittleson, Trusted Computing portfolio manager for the Commercial Solutions Center at the National Security Agency (NSA). 

Since the TCG's inception 10 years ago, the NSA has been heavily invested in using the nonprofit's technologies in its high assurance platform, or HAP. 
