There are two worlds of computer security - high-end systems and then everything else. Both high- and low-end systems typically employ “top-down” defenses to harden their attack surfaces. These are “software-only” security techniques.
High-end and specialized systems have the additional protection of “bottom-up” defenses in the form of Hardware Security Modules (HSMs). HSMs sequester secrets (keys) from the general processing environment ensuring they cannot be stolen if the system is attacked. HSMs for these high-end systems are typically very expensive, making them impractical for low-end systems that still require solid cybersecurity.
As cyber-attacks become increasingly more common, there is a need for additional “bottom-up” hardware-based security, including code measurement. Software security measurement systems take a “snapshot” of a system by building transitive trust chains of software measurements (hashes) and storing them in tamper-proof storage. These measurements are used for the following functions:
- Permit “attestation” (cybersecurity health checks) of a system by a remote appraiser.
- “Seal” system secrets preventing their exposure when a system is attacked.
- Authorize security operations based on the real-time health of the system assessed using the measurements.
- Comprehensive code measurements are now considered to be a fundamental part of system security. They can be used to detect deep threats (e.g. bootkits and rootkits) which are otherwise undetectable by most “software-only” security solutions (firewalls, anti-virus software, etc.) or by traditional HSMs, which do not have these code measurement capabilities.
A sensible next step in hardware-based security is to combine code measurement with the key protection capabilities of an HSM, resulting in the Trusted Platform Module (TPM) 2.0.
TPM 2.0 meets the performance and low cost requirements of the majority of the world’s computing platforms. TPM 2.0 complies with both Trusted Computing Group and ISO specifications so it is truly an international standard. TPM 2.0 gives all computing platforms – from servers all the way down to the Internet of Things sensors - the robust, modern hardware-based security needed to address the 21st century’s real and ever-growing cybersecurity challenges.
This blog was originally published in IIoT-World.com