Each year, "CIO" magazine surveys its readers about the security of their information assets. In the latest report published September 2002, 84% of the survey respondents acknowledged that their organization had suffered a security breach or crime, including viruses and hoaxes, which resulted in damage or loss in the past 12 months. Moreover, a majority of the respondents (62%) feel their organization is at moderate to high risk for a future security incident that will result in financial harm to the company.
Clearly, security for your information assets is a big issue, and it must be approached through a combination of technology, people and policies. According to the CIO survey, companies appear to be investing most in technology.
HP's Personal Systems Group has taken notice of its customers' need for stronger security, particularly at the access points into corporate networks (i.e., desktop PCs, notebooks, handhelds, tablet PCs, thin clients, etc.). I recently had a chat with HP's Tore Fretheim, manager of emerging opportunities marketing, to learn how HP is addressing the issue of security at the desktop. After the discussion, I can see where HP is bringing additional value to its personal systems product lines through enhanced security features.
Fretheim says HP is looking at four aspects of client security solutions: asset protection, local access control, data protection and network security. Some of the features that address these security areas have been around a while and are fairly common in devices from HP and its competitors. For instance, cable locks, asset tags, cover sensors and security screws help to physically secure a PC and its internal components. What is more, these features tend to be third-party add-ons.
More exciting to me, though, are the higher value tools that HP developed internally and is incorporating into its access products throughout 2003. They are called ProtectTools for Smart Cards, and ProtectTools Embedded Security. (Note: for those who are struggling to see the value of the HP/Compaq merger, this is a good case in point. The access products are largely from the Compaq side, and the new ProtectTools were developed in an HP lab. Together they raise HP's access products above commodity status.)
ProtectTools for Smart Cards are, obviously, smart-card based. They are built on open standards and work across notebooks, desktops, PDAs, printers and thin clients. So a user with both a desktop PC and a notebook can use one smart card to secure both devices. The thing that makes this smart card unique, however, is that HP has worked the ProtectTools software into the BIOS of the computer, giving you security at the boot process. This deters an intruder from booting a PC and then reinstalling an operating system or modifying system BIOS security features such as DriveLock. It further increases security by replacing the Microsoft Windows login mechanism and storing user credentials on the smart card, making them more difficult to steal.
Smart cards are prevalent in Europe and Asia, and interest in them is building in the U.S., especially in the financial sector. HP counts Interpol, PricewaterhouseCoopers, Phillip Morris and the Czech government among its clients enjoying the benefits of ProtectTools for Smart Cards.
Taking access device security up another notch, HP has just announced products with ProtectTools Embedded Security, based on standards developed by the Trusted Computing Group, a security organization that HP helped found.
HP's embedded security is comprised of hardware and software components. The hardware is a security chip on the system board, and the software controls the basic operation of the chip. This embedded security offers many benefits:
* Encryption keys and certificates are stored on silicon rather than on a hard disk, making them virtually impossible to compromise.
* It acts as a "virtual" smart card, eliminating the need for more expensive smart cards or tokens.
* It enhances other security products, such as biometrics.
* It strengthens wireless user authentication and data protection and integrity.
* It offers a strong means to verify that transmitted data was received without compromise.
* It controls which machines connect to a corporate network, and/or limits access rights.
* It provides encryption keys for secure e-mail.
The first of HP's desktops incorporating ProtectTools Embedded Security were announced in May, with notebooks and tablet PCs to follow soon after. Workstations, thin clients, servers and printers will eventually get the embedded technology as well. With tools like these coming to market, CIOs can feel good about their investments in new security technology.
Linda Musthaler is vice president of Currid & Company. You can write to her at