30/01/2015

By Boudewijn Kiljan, CTO EMEA, Wave Systems


From the point of view of CIOs and CSOs, the modern workforce is not a simple one. Off-premise meetings, multiple locations, flexible working and the BYOD (Bring Your Own Device) movement present organisations with a complex challenge: How can you secure a company’s assets when domains and networks are essentially borderless?

Security breaches are happening daily. Usernames, passwords and identifiable information are harvested and can easily lead to heavy fines levied by regulatory authorities and unplanned costs for the organisation to fix the problem, resulting in significant financial loss — not to mention the significant reputational damage to customer trust.

A prime example is the Target hack. Very rarely does a security breach do the rounds for so long, but when CNN reports, “the hacking of Target's systems could be the largest breach in U.S. retail history” it’s going to be a big deal and answers will be demanded.

In total, the breach could have affected up to 110 million customers, including 40 million credit and debit card holders and up to 70 million customers' personal information, CNN reports. Security blogger Brian Krebs reported that the malware used in the Target breach had help from a poorly secured feature built into a widely-used IT management software product that was running on the retailer’s internal network.

In August, JP Morgan reported that it had been hit by hackers who targeted customer and employee information, leading to the loss of 70 million client names and personal information as well.

While many of these recent breaches are very high profile cases, they are indicative of enterprise trends everywhere. JP Morgan CEO Jamie Dimon told shareholders in 2013 that the company spends $200 million each year to protect itself from cyber-attacks. Perhaps it’s not simply a case of investment, but rather the method the enterprise uses to secure itself from external attacks.

In such a sophisticated cyber landscape, not having a comprehensive, strategic enterprise approach to security and risk is a dangerous game. Therefore, it is widely recognised that Identity and Access Management (IAM) has become a critical aspect of managing assets and information as users connect from numerous fixed and mobile devices.

What are the options?

Passwords Aren’t Helping

Users and organisations often still view usernames and passwords with a false sense of security. Phishing schemes are becoming more elaborate, refined and targeted, and a single compromised account gives an attacker a foothold on the network from which further identities can be harvested and new accounts created. While IT departments enforce password complexity rules and frequent change requirements, users re-use those same passwords on public sites where security is often less stringent, providing another route to compromise. With the advent of cloud computing, the processing power needed for brute-force attacks on password hashes is readily available online as well. Password management is also expensive, costing between $20 and $100 per user, according to Gartner research.

Smart Cards

Smart cards offer greater security than passwords, but from an operational perspective they can be clunky and cumbersome to use. Smart cards are physical authentication devices, which improve on the concept of a password by requiring that users actually have their smart card (“Something You Have”) with them to access the system, in addition to knowing the PIN (“Something You Know”) that unlocks the smart card.

Compared to passwords, smart cards are far more capable of keeping unauthorised individuals from accessing a system or network. This is because a system protected by a smart card requires that the user holds both the physical card and the corresponding PIN, and it is far more difficult for a thief to obtain both parts. This ‘two-factor authentication’ approach greatly reduces the credential theft seen with passwords: the private key exists only inside the one card and cannot be copied off it, so the card can only be used in one place at a time, whereas a stolen password can be replayed from any number of locations at once.

However, while smart cards enable greater functionality than passwords, they come with logistical challenges. For example, the rollout of physical smart cards across an enterprise can be cumbersome, and a lost or stolen card still poses a risk until it is revoked. Traditionally, support costs are also higher, and issuing replacement cards is expensive, often costing more per card than the original deployment because each replacement involves revocation, re-issuance and re-enrolment rather than a bulk rollout.

Trusted Platform Module

Borrowing from the smart card philosophy, the virtual smart card presents many of the same attributes while reducing the operational challenges by leveraging the Trusted Platform Module (TPM). The TPM is an embedded security processor that provides tamper-resistant key storage and cryptographic functions to the operating system and its applications. The TPM standard has been developed industry-wide by the Trusted Computing Group (TCG), and the chip itself is already present on the vast majority of business-class devices within the enterprise.

The TPM provides RSA key generation and cryptographic operations, HMAC (Hash-based Message Authentication Code), a Random Number Generator (RNG), protected flash, NVRAM and ROM memory, and tamper-detection modules (counters and supply voltage measurement). The three primary properties of a physical smart card that a virtual smart card must reproduce (non-exportability of the private key, cryptography performed in isolation from the host operating system, and anti-hammering, i.e. lockout after repeated wrong PIN entries, which the TPM provides through its dictionary-attack lockout) are all supported by the chip, making the virtual smart card possible.

Enter the Virtual Smart Card

While the core TPM hardware technology that enables strong authentication and use as a virtual smart card (VSC) has been in existence for some time, the business focus on strong authentication as an integral component of an enhanced security architecture is relatively new.

One of the key dynamics that makes VSCs accessible to a much wider audience than physical smart cards is the elimination of upfront hardware costs as well as ongoing maintenance costs.

In a traditional smart card scenario, a company that wants to deploy the technology needs to purchase both smart cards and devices either with a built-in smart card reader or an external reader for all employees. Though relatively inexpensive options for smart cards can be found, those that ensure the key properties of smart card security (most notably non-exportability) are more expensive. TPM virtual smart cards, however, can be deployed with no additional material cost, as long as employees have computing devices with built-in TPMs; and these devices are extremely common in the market.

Additionally, the maintenance cost of virtual smart cards is considerably lower. Whereas physical smart cards are easily lost, stolen, or broken through normal wear and tear, TPM virtual smart cards are only lost or broken if the host machine is lost or broken, which is a much less frequent occurrence. The one operational consequence to plan for is that the card's keys are bound to that specific TPM and cannot be moved, so a replaced or re-imaged machine needs a new virtual smart card and a fresh certificate enrolment rather than a transfer of the old one. Taking these costs into account, the cost of deploying virtual smart cards is typically less than 50% of the cost of a physical smart card approach while providing the security and strong authentication an enterprise organisation requires. The savings available through deploying VSC are even greater when total cost of ownership over a period of three or five years is taken into account.

The rule of thumb is this: anywhere you can use a physical smart card in the context of an end-user computing device, you can use a virtual smart card, since it provides the same functions and presents itself to the operating system and applications as an ordinary smart card in an ordinary reader, through the same smart card interface and minidriver model that physical cards use.
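The following PowerShell script is an added example, not code from the original article or from Wave Systems; it ties together the TPM properties described above and the deployment scenario just discussed using the Windows built-in tooling (the Get-Tpm cmdlet, tpmvscmgr.exe and certreq). It assumes a domain-joined Windows 8 or later machine with a ready TPM, an elevated prompt, an enterprise CA publishing a smart card logon template, and that the template name "CorpSmartCardLogon", the card name, and the regular expression used to pick the instance ID out of tpmvscmgr's output are placeholders to adjust for your environment.

```powershell
# Added example (not the article's own code): check the TPM, create a TPM virtual smart card,
# enrol a certificate onto it and confirm the private key is non-exportable.
# Run from an elevated PowerShell prompt on a domain-joined Windows 8+ client.
#Requires -RunAsAdministrator

# 1. The "something you have" factor is the TPM in this machine; make sure it is usable.
$tpm = Get-Tpm
if (-not $tpm.TpmPresent) { throw "No TPM found; a virtual smart card needs a TPM." }
if (-not $tpm.TpmReady)   { throw "TPM present but not ready (not owned/activated); provision it first." }
if ($tpm.LockedOut)       { throw "TPM is in dictionary-attack lockout; wait for it to heal before creating a card." }

# 2. Create the virtual smart card. /pin prompt asks the user for the "something you know" factor;
#    /adminkey random generates a card admin key you should capture in your card-management system
#    (shown here only for illustration). /generate formats the card so it is ready for enrolment.
$cardName = "Corp VSC"      # assumption: any display name you like
$output = & tpmvscmgr.exe create /name $cardName /pin prompt /adminkey random /generate
if ($LASTEXITCODE -ne 0) { throw "tpmvscmgr failed: $output" }

# tpmvscmgr prints the reader's device instance ID (assumed format: "Instance ID = ROOT\SMARTCARDREADER\0000");
# keep it, because it is what you pass to 'tpmvscmgr destroy /instance <id>' on decommissioning.
$match = $output | Select-String -Pattern 'Instance ID\s*=\s*(\S+)'
$instanceId = if ($match) { $match.Matches[0].Groups[1].Value } else { $null }
"Virtual smart card '$cardName' created; reader instance ID: $instanceId"

# 3. Enrol a certificate from the smart card logon template. The template's key storage provider
#    (Microsoft Smart Card Key Storage Provider) generates the key pair inside the TPM, so the
#    private key never exists on disk. 'CorpSmartCardLogon' is an assumed template name.
& certreq.exe -enroll -user -q "CorpSmartCardLogon"
if ($LASTEXITCODE -ne 0) { throw "certificate enrolment failed" }

# 4. Verify the non-exportability property: the certificate's key must live in the smart card KSP
#    and carry an export policy of None.
$cert = Get-ChildItem Cert:\CurrentUser\My |
        Where-Object { $_.HasPrivateKey -and $_.EnhancedKeyUsageList.FriendlyName -contains "Smart Card Logon" } |
        Sort-Object NotBefore -Descending | Select-Object -First 1
if (-not $cert) { throw "no smart card logon certificate found in the user's store" }

$rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
"Key provider : " + $rsa.Key.Provider.Provider   # expected: Microsoft Smart Card Key Storage Provider
"Export policy: " + $rsa.Key.ExportPolicy        # expected: None (key cannot leave the TPM)

# 5. Optional diagnostic: certutil -scinfo exercises the card through the normal smart card stack
#    (it will prompt for the PIN), which is the same path Windows logon and applications use.
& certutil.exe -scinfo
```

Two practical notes on this flow. The PIN is protected by the TPM's own dictionary-attack lockout, so there is no separate lockout policy to configure for the card itself, but help-desk staff do need a documented unblock procedure that uses the admin key captured in step 2. And because the key is bound to this one TPM, the check in step 4 is also your evidence for auditors that the credential cannot be copied to another machine; a reported export policy other than None means the template is generating keys in a software provider and the deployment is not giving you the smart card security properties the article describes.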

Virtual smart cards provide security equivalent to proven physical smart card schemes, using certificates to implement strong two-factor authentication. By using the TPM, an organisation starts with an embedded hardware-based root of trust that can be extended to further use cases. Because two factors are required (the device containing the TPM and the PIN that unlocks it), it is much harder for an attacker to gain entry: a stolen password alone is useless, a stolen device is useless without the PIN, and the TPM locks out after repeated wrong PIN guesses, thereby protecting the user’s credentials and preventing unauthorised access to corporate assets.

With innovations like the VSC, enterprises are empowered to work smarter and more economically when it comes to enhancing their security.