Comment: Breaches Underscore Need for Device ID

Sprague says the decision to re-issue tokens on a case-by-case basis leaves the gate open to future attacks because RSA is simply reissuing the same technology that was compromised in the first place
Sprague says the decision to re-issue tokens on a case-by-case basis leaves the gate open to future attacks because RSA is simply reissuing the same technology that was compromised in the first place
Steven K. Sprague, Wave Systems
Steven K. Sprague, Wave Systems

High-profile network breaches have ticked off like clockwork this past spring, generating awkward headlines and costly amends for big names like Sony, PBS, Google and Citigroup. But none of these carried the implications of the double-header attack that first compromised RSA’s SecurID token technology and subsequently allowed hackers to gain unauthorized access to Lockheed Martin’s network, which relied on the tokens for security.

The consequences of these attacks, including the negative publicity, can have enormous impact on the business and reputation of the companies that were targeted. In many cases, ever tougher data protection laws require companies to publicly reveal any security breaches.

In response to the Lockheed Martin breach, RSA is contemplating plans to reissue some 40 million new SecurID tokens to its customers. Given the potential cost this would impose, RSA’s gesture would exemplify good business management in the face of a crisis, and likely stem the immediate risk to customers. But, ultimately, it leaves the gate open to future attacks because, in essence, the company is simply reissuing the same underlying technology that had been compromised in the first place.

The breach at RSA is only the most recent statistic illustrating that user-based authentication has its own security limitations and challenges. While user authentication is an essential layer to network security, it is no longer enough on its own.

Fortunately, the IT industry needn’t invent some radical new solution – a proven solution already exists. What the industry needs is a new paradigm, one in which strong network security derives from layers rather than a single point of defense.

There are many approaches to this new paradigm. But the shortest and simplest path is the addition of device identity as an independently managed layer for network access control.

The foundation of device identity is that only known devices – those authorized by the organization – are granted access to information and sensitive resources. Far from being a new or untested modality, device identification has long provided strong network security for cellular networks and cable providers. Thanks to the technology, both industries have virtually eliminated the once frequent illegitimate use and theft of their services.

On data networks, device identification has more typically focused on using Media Access Control (MAC) addresses and user credentials in software to identify a device on the network. But this is subject to security vulnerabilities because MAC addresses and software-based user credentials can be spoofed, so another device can claim the same MAC address, for example.

A better approach for device identification is through the use of the Trusted Platform Module (TPM), a cryptographic security chip integrated into a computer’s motherboard. Effectively a built-in token, the TPM chip was designed for creating and verifying strong device identities and ensuring only authorized access to networks.

More specifically, the TPM enables IT managers to create, sign and store authentication keys within a PC’s hardware, strongly binding the identity of the machine and its user to the device. Further, because keys are stored and protected within embedded hardware, they cannot be changed or stolen by malware.

TPMs are not an emerging or experimental technology. Leading vendors such as Dell, HP and Lenovo have been including the chips as a standard component on all business-class notebook and desktop computer lines for many years. Indeed, virtually all business-class laptops and PCs in use today include TPM chips based on open standards from the Trusted Computing Group.

Building on this foundation, TPMs offer a strong, secure, readily available alternative to conventional hardware tokens, but impose neither the incremental acquisition costs nor the ‘hard’ deployment expenses that tokens incur. Thus, TPMs not only lower the total cost of ownership, the business case for these chips largely mirrors that for strong, fully automated and transparent authentication of both devices and users on the enterprise network.

Last and most importantly, TPMs across your scattered enterprise can be fully activated and operational in minutes, and easily integrated with existing VPN and wireless infrastructures. Trusted Computing software and server providers can help minimize the IT overhead required to setup and manage TPM chips, enabling organizations to make use of them for an additional layer of security.

Cyber attacks, by nature, will continue – and they will continue to evolve. Network security must evolve faster. Rather than discarding compromised solutions such as SecurID tokens, IT managers can reinforce these tools with additional hardware security that’s already deployed across their enterprise. Device authentication through the TPM chip further enables centralized management of vulnerable end-points with minimal change to the existing network. Rather than relying on a single-point defense, a layered approach to security will provide a higher level of assurance for network operators.

Steven Sprague is the CEO of Wave Systems, a provider of client and server software that supports Trusted Computing standards. Since taking the helm as CEO, he has played an integral role driving the industry transition to embed stronger, hardware-based security into the PC. As a popular speaker and IT security thought leader, Sprague presents at dozens of conferences and events each year – educating global audiences about the latest PC hardware security advancements and industry standards (both on behalf of Wave, and in his leadership role with the Trusted Computing Group). His expertise lies in leveraging advancements in hardware security for strong authentication, data protection, advanced password management, and enterprise-wide trust management services.

What’s hot on Infosecurity Magazine?