More Secure, Less Costly

 

TPM is more secure and more cost-effective than software-based authentication. It's also more manageable and less costly than using hardware such as tokens, smartcards or biometric readers, Berger contends.

In the past, there weren't a lot of large-scale deployments of Trusted Computing. That made a discussion at the conference of PwC's recent 85,000-seat implementation all the more intriguing, he said. PwC began the project in 2009 and expects to use TPM to authenticate up to 80 percent of its users across 140 countries by the end of the fiscal year, said Gautam Muralidharan, engagement manager for security advisory services with PwC.

The fact that TPM was already in 95 percent of corporate laptops was a factor in favor of the project, he said. USB token-based authentication would have cost three times as much as TPM to deploy and manage, while a smartcard implementation would have been double the cost, Muralidharan added.

Here's another conclusion reached at the conference: The need for highly automated and hardware-based security defenses is growing because the threats are becoming more numerous, more diverse and often highly sophisticated.

The United States is one of the most Internet-connected nations in the world, the NSA's Stramella said in his keynote. He pointed out that there are plenty of low-profile threats that are as dangerous to both consumers and enterprises as sophisticated attacks are.

"You need to think like the adversary," Stramella said. "That's so important to develop counter-measures against the threat."

The team at the NSA's Threat Operations Center looks for and detects sophisticated threats-which is no easy task considering the volume and speed of data coming into the NSA for analysis, according to Stramella. The NSA uses extremely high-end supercomputers to decrypt and analyze the information.

The threat landscape has changed, he noted. In the past, there was time for the NSA to respond to a cyber-attack, even if there was only a short delay between when the attack was detected and when the NSA could mobilize countermeasures, Stramella said. These days, the NSA knows there is a major cyber-attack only when critical systems fail, he added.

"The threat is huge, it's real and it's growing, and if you're going to defend against the threat, you need to know the threat," he said.

After reviewing some of the known threats and recent high-profile incidents, Stramella observed, "These are the things that everyone knows are going on. Can you imagine what sophisticated adversaries are doing?"