Solving the TPM Uptake Challenge

TPM is a device on the motherboard that stores keys and ensures the integrity of a given device. It verifies the identity of the device and of the user, and thus provides the root of trust upon which to base secure operating systems and applications. TPM-based applications include things like virtual smart cards, which provide an on-board authentication mechanism for signing into network resources and applications, with no password required.

They also provide data integrity for scenarios such as document signing and data confidentiality for tasks that require encryption.

Leendert VanDoorn, corporate fellow and vice president at AMD, pointed out that TPM is a necessary but small component to building a trusted system. “There’s a whole software stack that you have to build on top of it,” he said. “It impacts the firmware, the OS, the middleware, the bootstrap loaders, applications and libraries.”

If it sounds complex, that’s because it is. And the complexity has historically trickled into the user experience for TPM, becoming a gating factor for uptake.

For instance, in Windows 7, provisioning the TPM, known as Bitlocker, proved to be incredibly complex, according to Chris Hallum, senior product manager at Microsoft. Rather than being a transparent experience, users were originally required to configure something completely new and unfamiliar to them.

“To get the TPM working, a user needed to enable the TPM, then reboot, then go into a pre-boot screen and accept changes to a TPM module they’ve never heard of,” Hallum explained. “It was a very intimidating experience. They would just hit ‘cancel’ because they have no idea what it is that they’re being asked to do.” Windows 8 improves on the experience, with tools to manage the TPM, enable it remotely without a reboot and so on.

Another big obstacle to TPM adoption is the way it’s been rolled out into the market – to wit, it hasn’t been ubiquitous. For instance, marketing departments tended to use it as an upsell feature, which limited it to the high-end platforms. Windows includes Bitlocker only in the Pro and Enterprise versions of Windows, for instance. But VanDoorn noted that it’s awareness that’s needed, and in order for that to happen, it will have to be deployed to the breadth of the market, not just within the large commercial environment.

“Virtual smart cards could be big in e-commerce, and that’s a consumer use case,” he noted. “To have adoption, you need the applications to be there.”

With the ongoing consumerization of IT, that’s truer than ever. “What we’ve discovered about the enterprise role in innovation is that it isn’t very good at it,” said Steven Sprague, CEO at Wave Systems, an information security vendor that provides, among other things, cloud-based TPM applications. “Consumerization of technology is critical to adoption of new technology.”

He noted that it was executives asking IT to make their iPhones work on the company network that expanded the enterprise play for Apple; not IT telling the CEO that a new device now runs on the infrastructure.

“That has really affected the adoption of TPM,” said Sprague. “The consumer use cases weren’t there to show enterprises the real value proposition.”

For instance, with TPM enabled, a user simply logs into his or her PC, and the PC in turn logs into everything else, from applications to websites. “Users are screaming for no more passwords,” Sprague said. “There is huge consumer demand for this but poor integration by enterprises in using these advanced technologies that are already inside the box.”

However, despite the adoption challenges to date, TPM’s golden days are just getting started. For one thing, the evolving threat landscape will almost require it. “As black hats get more sophisticated, it’s become clear that you need to have hardware you can trust to really provide full security,” Hallum said. “It’s immutable and can’t be changed remotely or attacked directly in the same way as software can.”

VanDoorn added that as the mobile enterprise becomes commonplace and the bring-your-own-device trend continues to expand, the ability to identify devices securely becomes critical. That’s especially true in the machine-to-machine, Internet of Things era, where connected devices with sensors are becoming pervasive technology.

“There’s a whole set of services you can’t access if you can’t do the proper device authentication, so users will start to adopt this,” he said.

Also, the development and adoption of global industry standards will accelerate TPM deployments on the OEM front and help solve the ease-of-use issues that have been endemic in the past. Building to a common standard across devices, be they PC screens, mobile screens or just a sensor, and implementing the technology in a standard way that’s familiar to users across the board will bolster uptake (Wi-Fi presents a successful example of this). In many ways, manufacturers don’t have a choice: by 2015 Microsoft expects to make TPM inclusion a requirement for hardware certification. The company is also working to develop firmware-based TPM to get it at a cost that makes sense for smaller, less expensive devices, Hallum said.

What’s Hot on Infosecurity Magazine?