Trusted PCs

Way back in 1998, IBM assigned a team of engineers to reevaluate the security architecture of PCs. Essentially nothing had changed in the architecture since the PCs were first designed in the early 1980s. However, with the onslaught of ubiquitous networking and Internet access, PCs have become a very vulnerable link in a company's enterprise network. Clearly, a new design was needed.

IBM was among the first PC vendors to address the need for beefed-up client device security at the hardware level, not just the software level. Some of its early offerings included chassis intrusion alarms, key locks, security switches and asset ID chips in desktops and notebooks. But the need ran deeper, and IBM delivered. IBM's design for desktop security, which incorporated both hardware and software, became the model for the Trusted Computing Platform Alliance (now the Trusted Computing Group) specification.

Rather than keep the security architecture proprietary, IBM put it out there for other companies to adopt. It was especially important to get partners such as Intel and Microsoft behind the design, thus ensuring its universal acceptance. According to Roger Kay, vice president of client computing for IDC, the alliance's security specifications will make their way into Microsoft's "Palladium" security infrastructure within two years.

Not surprisingly, IBM delivered the first PC implementation of the TCPA industry standard in hardware. In fact, the company began installing embedded security chips in certain models of its desktops in 1999. More than 4 million units configured with this chip have been shipped over the years.

IBM calls its solution the Embedded Security Subsystem 2.0, and it consists of an integrated security chip and downloadable IBM Client Security Software. The security chip, an option at the time of purchase, is a cryptographic microprocessor that employs encryption keys and processes to help secure your data, communications and digital identity. System keys are generated during software installation and the software is downloaded after the system has been delivered, so you'll be confident that unauthorized parties do not know the keys and pass phrases used in security policies and administration.

Together, the hardware and software are designed to tackle tough security issues such as non-encrypted data, remote and wireless users, and e-business communications by executing sensitive key operations in the security hardware.

Security applications and functions provided by the Embedded Security Subsystem include:

* File and folder encryption - gives the client the ability to encrypt and decrypt files and folders located on a local hard disk.

* Password Manager - allows you to store and manage encrypted Internet and Windows passwords, user IDs and form entries, and replaces multiple passwords with a single password, pass phrase or fingerprint.

* Support for Cisco and 802.1x wireless security standards - establishes user authentication before allowing access to a VPN through industry-standard wireless systems and protocols.

* RSA compatibility - certified RSA Secured SecurID Ready, providing enhanced security for users working remotely; can also host an RSA SecurID Soft Token, eliminating the need for hardware tokens.

* VPN authentication - designed and compatibility-tested to work with industry-leading VPN solutions.

* Enhanced security for digital certificate-enabled applications - uses the CAPI and PKCS#11 interfaces to support industry-standard security protocols and digital certificates issued by a Certificate Authority.

* User Verification Manager - allows administrators to manage means of authentication, use of digital certificates, security keys, and UVM security policy.
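The defining property of the subsystem described above is that sensitive key operations run inside the chip and applications only ever hold a handle to the key, reached through interfaces such as CAPI or PKCS#11. The following is an added illustration of that design, not IBM's code: a pure-Python stand-in for a security chip that exposes PKCS#11-style calls (login, generate key, sign, verify, get attribute) and refuses to reveal a key marked sensitive. The PIN, key labels and document bytes are constructed, and HMAC-SHA256 stands in for the RSA operations a real chip performs; against real hardware the same application logic would talk to the vendor's PKCS#11 module instead.

```python
import hmac
import hashlib
import secrets


class TokenError(Exception):
    """Raised with a PKCS#11-style return code name (e.g. CKR_USER_NOT_LOGGED_IN)."""


class SimulatedSecurityChip:
    """Constructed stand-in for an embedded security chip behind a PKCS#11-style API.

    Key material is stored only inside this object. Applications receive
    integer handles and can ask the chip to sign or verify, but a key
    created with CKA_EXTRACTABLE=False can never be read back out.
    """

    def __init__(self, user_pin: str):
        self._pin = user_pin          # constructed; a real chip stores a PIN hash
        self._logged_in = False
        self._keys = {}               # handle -> {"value": bytes, "attrs": dict}
        self._next_handle = 1

    def login(self, pin: str) -> None:
        # Constant-time comparison so PIN checking does not leak timing.
        if not hmac.compare_digest(pin.encode(), self._pin.encode()):
            raise TokenError("CKR_PIN_INCORRECT")
        self._logged_in = True

    def logout(self) -> None:
        self._logged_in = False

    def _require_login(self) -> None:
        if not self._logged_in:
            raise TokenError("CKR_USER_NOT_LOGGED_IN")

    def generate_key(self, label: str, extractable: bool = False) -> int:
        """C_GenerateKey analogue: the key is born inside the chip and never leaves."""
        self._require_login()
        handle = self._next_handle
        self._next_handle += 1
        self._keys[handle] = {
            "value": secrets.token_bytes(32),      # 256-bit HMAC key (simulation)
            "attrs": {"CKA_LABEL": label,
                      "CKA_EXTRACTABLE": extractable,
                      "CKA_SENSITIVE": not extractable},
        }
        return handle

    def _lookup(self, handle: int) -> dict:
        self._require_login()
        try:
            return self._keys[handle]
        except KeyError:
            raise TokenError("CKR_OBJECT_HANDLE_INVALID") from None

    def get_attribute_value(self, handle: int, attr: str):
        """C_GetAttributeValue analogue: refuses to reveal a sensitive key's value."""
        entry = self._lookup(handle)
        if attr == "CKA_VALUE":
            if entry["attrs"]["CKA_SENSITIVE"]:
                raise TokenError("CKR_ATTRIBUTE_SENSITIVE")
            return entry["value"]
        return entry["attrs"][attr]

    def sign(self, handle: int, data: bytes) -> bytes:
        """C_Sign analogue: the MAC is computed inside the chip."""
        entry = self._lookup(handle)
        return hmac.new(entry["value"], data, hashlib.sha256).digest()

    def verify(self, handle: int, data: bytes, signature: bytes) -> bool:
        """C_Verify analogue with constant-time comparison."""
        expected = self.sign(handle, data)
        return hmac.compare_digest(expected, signature)


def key_is_extractable(chip: SimulatedSecurityChip, handle: int) -> bool:
    """Application-side check: can this key's raw value be read out of the chip?"""
    try:
        chip.get_attribute_value(handle, "CKA_VALUE")
        return True
    except TokenError as err:
        if str(err) == "CKR_ATTRIBUTE_SENSITIVE":
            return False
        raise


def demo() -> dict:
    """Walk through the application's view: login, generate, sign, verify."""
    chip = SimulatedSecurityChip(user_pin="1234")          # constructed PIN
    doc = b"constructed document: purchase order 42"       # constructed input
    try:
        chip.generate_key("before-login")
        denied_before_login = False
    except TokenError as err:
        denied_before_login = str(err) == "CKR_USER_NOT_LOGGED_IN"
    chip.login("1234")
    handle = chip.generate_key("signing-key")              # non-extractable by default
    sig = chip.sign(handle, doc)
    return {
        "denied_before_login": denied_before_login,
        "extractable": key_is_extractable(chip, handle),
        "valid": chip.verify(handle, doc, sig),
        "tampered_valid": chip.verify(handle, doc + b"!", sig),
        "sig_len": len(sig),
    }


if __name__ == "__main__":
    print(demo())
```

The point to take from `demo()` is what the application never sees: it holds an integer handle, not key bytes, and a request for `CKA_VALUE` on a sensitive key is refused by the chip itself rather than by application policy, which is what makes the keys and pass phrases resistant to disclosure by software running on the host.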

The security subsystem is available on select "workhorse" models of IBM's ThinkPad, ThinkCentre and NetVista systems. In this era of "trust no one," such devices are an essential part of enterprise security. If you aren't using them, you are needlessly leaving vast vulnerabilities in your network.

Linda Musthaler is vice president of Currid & Company. You can write to her at
