Thought Leaders: Unique Device Identification
Preventing network breaches
By Steven Sprague
Trusted platform modules are the key.
It’s a relatively simple matter to grant physicians and other healthcare providers the ability to remotely access patient medical histories, share diagnostic images or lab results online, or track vital signs in real time. But, clearly, these capabilities must come with strong network security. Fortunately, the healthcare industry needn’t invent some radical new security solution before it can realize the benefits of remote and mobile network access. Two-factor authentication technologies, such as smart cards and USB security tokens, have already found application as a single point of defense in healthcare networks. Both confirm the identity of users attempting to access a network. But the most secure – and arguably the most cost-effective – protection relies on more than a single point of defense, and instead applies a layered approach. More specifically, it leverages the trusted platform modules (TPMs) on board virtually every business-class laptop today to authenticate the identity of any device trying to log into the network.
Steven Sprague is CEO of Wave Systems Corp. For more on Wave Systems Corp. solutions: www.rsleads.com/109ht-206
Smart cards and security tokens require a secure object that the user carries – the card or token – as well as some intangible information known only by an authorized user – usually a personal identification number (PIN) or password. One downside for both technologies is that their total cost of ownership increases in proportion to the number of employees using them. Specifically, it becomes increasingly expensive to acquire, deploy and replace cards and tokens as the number of laptops and users expands. In addition, because these technologies only verify the identity of the user, the security and health of the computer they use to access the network remains a dangerously open question.
Plus, these technologies are not as immune to hackers as once thought. Last spring, a double-header attack on USB token provider RSA subsequently allowed hackers to gain unauthorized access to Lockheed Martin’s network, which relied on the tokens for security. It’s important to note the breach required an extraordinarily sophisticated attack and doesn’t entirely negate the value of security tokens. But it serves to underscore the argument for a layered defense built on a strong foundation of device identification. The foundation of device identity is that only known devices – those authorized by the organization – are granted access to information and sensitive resources. It’s an approach that’s long provided strong network security for cellular networks and cable providers. Thanks to the technology, both industries have virtually eliminated the once-frequent illegitimate use and theft of their services.
32 September 2011
On data networks, device identification has conventionally relied on MAC addresses and user credentials in software to identify a device on the network. But MAC addresses and software-based user credentials can be spoofed, allowing another device to claim the same MAC address. TPMs provide a far more powerful foundation for creating and verifying strong device identities, and ensuring only authorized devices gain access to the network. Because these cryptographic security chips are embedded in a computer’s motherboard, they effectively make a built-in token. They enable IT managers to create, sign and store authentication keys within a PC’s hardware, strongly binding the identity of the machine and its user to the device. Further, because keys are stored and protected within embedded hardware, they cannot be changed or stolen by malware.
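The contrast the paragraph draws, a MAC address that any device can claim versus a key that only the enrolled device can use, is easier to see in code. The following Go program is an added illustration, not code from the article or from Wave Systems. It stands in for the TPM with a struct that generates an Ed25519 key and exposes only a Sign operation (a real TPM would hold the key in hardware; the simulation, the device name "laptop-01", and the MAC address are all constructed for the example). The network side keeps a registry of enrolled devices and runs both checks: the conventional MAC lookup admits an impostor that copies the MAC, while the challenge-response check admits only the device whose TPM holds the enrolled key, and rejects a replayed signature because each login gets a fresh challenge.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// simulatedTPM stands in for the chip on the motherboard (assumption of this
// example). The private key is created inside the struct and never leaves it;
// the rest of the program can only ask for signatures, as with a real TPM key.
type simulatedTPM struct {
	priv ed25519.PrivateKey
}

// newSimulatedTPM generates a device key and hands back only the public half.
func newSimulatedTPM() (*simulatedTPM, ed25519.PublicKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return &simulatedTPM{priv: priv}, pub, nil
}

// Sign is the only operation exposed: sign a server challenge with the held key.
func (t *simulatedTPM) Sign(challenge []byte) []byte {
	return ed25519.Sign(t.priv, challenge)
}

// DeviceRegistry is the network-side list of authorized devices, recording both
// the MAC address (the conventional identifier) and the enrolled public key.
type DeviceRegistry struct {
	byMAC map[string]string            // MAC address -> device name
	byKey map[string]ed25519.PublicKey // device name -> enrolled public key
}

func NewDeviceRegistry() *DeviceRegistry {
	return &DeviceRegistry{byMAC: map[string]string{}, byKey: map[string]ed25519.PublicKey{}}
}

// Enroll records a device the organization has authorized.
func (r *DeviceRegistry) Enroll(name, mac string, pub ed25519.PublicKey) {
	r.byMAC[mac] = name
	r.byKey[name] = pub
}

// AuthorizeByMAC is the conventional check: any device presenting an enrolled
// MAC address is admitted, which is exactly what spoofing exploits.
func (r *DeviceRegistry) AuthorizeByMAC(claimedMAC string) bool {
	_, ok := r.byMAC[claimedMAC]
	return ok
}

// NewChallenge returns a fresh random nonce; one per login means a captured
// signature cannot be replayed against a later challenge.
func NewChallenge() ([]byte, error) {
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return nonce, nil
}

// AuthorizeByKey admits a device only if the signature over this challenge
// verifies under the public key enrolled for that device name.
func (r *DeviceRegistry) AuthorizeByKey(name string, challenge, sig []byte) bool {
	pub, ok := r.byKey[name]
	if !ok || len(sig) != ed25519.SignatureSize {
		return false
	}
	return ed25519.Verify(pub, challenge, sig)
}

// Demo runs both checks against an enrolled laptop and an impostor that has
// copied its MAC address and name but has a different key. It returns
// (macSpoofAdmitted, keySpoofAdmitted, genuineAdmitted, replayAdmitted, err).
func Demo() (bool, bool, bool, bool, error) {
	registry := NewDeviceRegistry()
	laptopTPM, laptopPub, err := newSimulatedTPM()
	if err != nil {
		return false, false, false, false, err
	}
	const laptopMAC = "00:11:22:33:44:55" // constructed sample value
	registry.Enroll("laptop-01", laptopMAC, laptopPub)

	impostorTPM, _, err := newSimulatedTPM() // its own chip, its own key
	if err != nil {
		return false, false, false, false, err
	}
	macSpoof := registry.AuthorizeByMAC(laptopMAC) // impostor claims the laptop's MAC

	challenge, err := NewChallenge()
	if err != nil {
		return false, false, false, false, err
	}
	keySpoof := registry.AuthorizeByKey("laptop-01", challenge, impostorTPM.Sign(challenge))
	genuineSig := laptopTPM.Sign(challenge)
	genuine := registry.AuthorizeByKey("laptop-01", challenge, genuineSig)

	next, err := NewChallenge() // a later login: the old signature must not work
	if err != nil {
		return false, false, false, false, err
	}
	replay := registry.AuthorizeByKey("laptop-01", next, genuineSig)
	return macSpoof, keySpoof, genuine, replay, nil
}

func main() {
	m, k, g, r, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("MAC-only check admits spoofed device: %v\n", m)
	fmt.Printf("key check admits spoofed device:      %v\n", k)
	fmt.Printf("key check admits genuine device:      %v\n", g)
	fmt.Printf("key check admits replayed signature:  %v\n", r)
}
```

The registry deliberately looks the key up by device name rather than by MAC, so an attacker who copies a MAC address gains nothing: admission depends on producing a signature under a key that only the enrolled machine's TPM holds. In a deployment the public keys would be collected at enrollment and the challenge-response would be carried inside the VPN or 802.1X handshake rather than in a standalone program.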
TPMs are neither an emerging nor experimental technology. Leading vendors such as Dell, Lenovo and HP have been including the chips as a standard component on all business-class notebook and desktop computer lines for many years. Indeed, virtually all business-class laptops and PCs in use today include TPM chips based on open standards from the Trusted Computing Group.
Unlike smart cards and tokens, TPMs integrate easily with existing VPN and wireless infrastructures, facilitating the use of a single sign-on to access both the machine and the network. Further, they can be fully activated and managed from a central location. Trusted Computing software and server providers, such as Wave Systems, can help minimize the IT overhead required to set up and manage TPM chips, enabling organizations to make use of them for an additional layer of security. Combined with two-factor authentication technologies, TPMs offer a readily available foundation on which to build a strong, layered network defense. Even on their own, however, they provide healthcare organizations a secure alternative to conventional smart cards and USB tokens but impose neither the incremental acquisition costs nor the hard deployment expenses that these technologies incur. Thus, TPMs not only lower the total cost of ownership, the business case for these chips largely mirrors that for strong, fully automated and transparent authentication of both devices and users on healthcare networks.
HMT HEALTH MANAGEMENT TECHNOLOGY www.healthmgttech.com