Sarbanes Oxley Compliance Journal : Technology : Security

Trusted Computing Can Make Financial Services Transactions More Secure


By Steven Sprague, President and CEO, Wave Systems

The Sarbanes-Oxley Act is designed to protect investors by improving the timeliness, accuracy and reliability of corporate data and financial disclosure information. In the financial services arena, regulatory authorities, financial services providers and end users are also eager to improve the accuracy and reliability of Internet-based financial services transactions to protect consumers from the growing problem of online financial fraud. Enterprises, government and consumers are increasingly demanding a computing environment that is more trusted, private, safe and secure.

In a recent high-profile action, the Federal Financial Institutions Examination Council (FFIEC) issued guidance stating that financial institutions offering Internet-based financial services should use more effective methods to authenticate the identity of their customers. The FFIEC noted that the continued growth of Internet banking and other electronic banking activities, together with the increasing sophistication of threats against those environments, has raised the risk for financial institutions and their customers.

Industry analysts in late 2005 reported that on-line banking customers were using on-line banking services less frequently due to concerns over data security. The uncertainty over the continuing inability to reliably determine authentic digital identities continues to undermine many financial transactions.

Cases of financial cyber-fraud, identity theft and data loss at large financial services companies such as Bank of America, Wachovia and Citigroup show that valuable data remains at risk. Other companies that amass customer financial information are exposed as well: in December, the timeshare unit of Marriott International Inc. reported the loss of sensitive personal data on 206,000 customers.

Data breaches include the loss of sensitive employee and customer profiles, social security data and credit information and outright identity theft. Information is lost through mishandling, theft, unauthorized access to IT networks and malicious attacks.

More than one million federal employees, including employees of the Federal Deposit Insurance Corp., had personal data lost or stolen in 2005. The Chairman of the FDIC, Don Powell, was quoted as saying: "Identity theft, particularly account hijacking, continues to grow as a problem for the financial services industry and for consumers. Our review illustrates that ID theft is evolving in more complicated ways and that more can and should be done to make online banking more secure."

The information technology industry is responding to these security challenges by developing and delivering open-standard, hardware chip-based security solutions: improved electronic authentication applications, and a kind of electronic safe or vault for keys and credentials, both of great value to the financial services industry.

These efforts are being stimulated by the formation of the Trusted Computing Group (TCG), an association of more than 110 global IT leaders.

The TCG is a not-for-profit organization formed to develop, define, and promote open standards for hardware-enabled trusted computing and security technologies, including hardware building blocks and software interfaces, across multiple platforms, peripherals, and devices. TCG specifications will enable more secure computing environments without compromising functional integrity, privacy, or individual rights. The primary goal is to help users protect their information assets (data, passwords, keys, etc.) from compromise due to external software attack and physical theft on platforms including not only PCs but servers, peripherals, mobile devices, the network and related infrastructure.

Leading members of the TCG include AMD, Dell, HP, IBM, Intel, Microsoft, Motorola, Sony, Sun Microsystems, STMicroelectronics and Wave Systems. The members span the IT industry from silicon vendors to network services providers. Industry developers, manufacturers and service providers use TCG specifications to build products that protect and strengthen computing platforms against software-based attacks. The new hardware based security building blocks defined by the TCG specifications provide a new design approach with new trusted computing capabilities being integrated as a foundation of the user devices.

In contrast, older-generation security approaches have taken a "moat" approach, creating electronic boundaries or firewalls that mirrored organizational boundaries. Today's web services, however, are aimed at making boundaries virtual so that customers and suppliers can have ready access to information that resides inside corporate information systems. In addition, the security of today's systems is based almost exclusively on software, which has proven highly vulnerable to attacks from the network. Finally, with the increased mobility of devices for access at all times and in all places, the threat of physical theft and loss has grown correspondingly.

TCG standards today are based on a special-purpose security chip integrated on the PC motherboard, the Trusted Platform Module (TPM). Because the chip follows an open standard, it can serve as a standardized security "building block" and anchor of trust within the PC. The TPM generates and caches keys and provides protected storage for encryption keys and authentication credentials. This is in contrast to today's weaker security solutions, which rely on software to hide "secrets", build firewalls, and protect encryption keys and digital.

With encryption keys protected in the hardware of the Trusted PC, what can Trusted Computing do for the financial services industry? First, it addresses several of the most nagging issues in data security today: access control through stronger user authentication, verifying the person attempting to enter the network, and stronger device validation, including which machine (and whose) is attempting to enter the network.

Financial services companies and government agencies remain vulnerable to malicious attack when unauthorized users spoof their identities and their PC platforms to gain entry to insecure IT networks. As the FDIC points out in its latest report, access to accounts through user names and passwords has proven to be a weak link in the identity management process. Software-only login and sign-in processes have proven easy to breach. Strong user authentication through multifactor authentication, combined with platform validation, makes such attacks far more difficult.

This directly addresses the FFIEC concern that single-factor authentication (such as a password), when used as the only access control mechanism, is potentially inadequate for high-risk transactions involving access to customer information or the movement of funds to other parties.

The TPM chip can safely store user credentials such as digital certificates and provides superior protection for existing passwords. With private keys stored in a security chip, a "safe," users can be strongly authenticated, and the risk of compromise by network-borne viruses and Trojan horses is dramatically reduced. Protected storage of keys also allows the use of strong, complex passwords that further strengthen the authentication process.

Besides strongly authenticating who you are, the TPM security chip can also enable strong authentication of the device you are using, including whether its configuration has not been compromised and meets the requirements of the network it is attempting to access. Trusted PCs are widely available today; eventually other trusted devices such as cell phones and PDAs will also contain these security features.

In most systems today, configuration settings are stored in system memory and can be altered by an attacker without leaving a trace. On a Trusted PC, the firmware, boot loader and operating system components are measured (hashed) as they load, and the results are extended into the TPM's platform configuration registers (PCRs), which software cannot set directly. Keys and secrets can be sealed to a given set of PCR values so that the TPM will not release them unless the values at the time of use match those at the time of sealing, and an attestation identity key allows the TPM to sign the current PCR values for a remote party. If the measured configuration has changed, the sealed credentials stay locked and network administrators can deny access.
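The following is an added illustration of the measure-then-seal mechanism described above; it is a software model written for this page, not code from Wave Systems or from any TPM vendor. It assumes TPM 1.2 conventions (20-byte SHA-1 PCRs, extend as SHA-1 of old value concatenated with the component digest) and uses constructed boot-component strings and an HMAC/keystream construction in place of the chip's RSA storage root key. Remote attestation with an attestation identity key is not modelled.

```python
"""Software model of TPM measurement and sealing (added illustration, not TPM
vendor or Wave Systems code). Boot components are hashed into a platform
configuration register (PCR) with the extend operation, a credential is sealed
to the resulting PCR value, and unsealing is refused once the measured
configuration differs. The boot component strings are constructed sample data."""
import hashlib
import hmac
import os
from typing import List, Optional, Tuple

PCR_SIZE = 20  # a TPM 1.2 PCR holds one SHA-1 digest

# Constructed sample boot chains: each entry stands for the bytes of a component
# measured before it receives control. Only the boot loader differs.
GOOD_BOOT = [b"BIOS v1.02", b"MBR 2006-01", b"bootloader 1.4", b"os-kernel 5.1"]
TAMPERED_BOOT = [b"BIOS v1.02", b"MBR 2006-01", b"bootloader 1.4+rootkit", b"os-kernel 5.1"]


def pcr_extend(pcr: bytes, component: bytes) -> bytes:
    """TPM extend: PCR_new = SHA-1(PCR_old || SHA-1(component)).
    A PCR cannot be written directly, so its final value depends on every
    component measured into it and on the order of measurement."""
    return hashlib.sha1(pcr + hashlib.sha1(component).digest()).digest()


def measure_boot(components: List[bytes]) -> bytes:
    """Replay a boot sequence into a PCR that is all zeros after platform reset."""
    pcr = bytes(PCR_SIZE)
    for component in components:
        pcr = pcr_extend(pcr, component)
    return pcr


class SimulatedTPM:
    """Models the sealing behaviour of a TPM. The storage root key is generated
    inside the object and never exported, standing in for a key held in the chip."""

    TAG_SIZE = 32

    def __init__(self) -> None:
        self._srk = os.urandom(32)  # assumption: random symmetric SRK for the model

    def _keys(self, pcr: bytes) -> Tuple[bytes, bytes]:
        # Encryption and MAC keys derived from the chip-resident SRK and the PCR
        # value the blob is bound to; a different chip or PCR yields different keys.
        enc = hmac.new(self._srk, b"enc" + pcr, hashlib.sha256).digest()
        mac = hmac.new(self._srk, b"mac" + pcr, hashlib.sha256).digest()
        return enc, mac

    @staticmethod
    def _keystream(key: bytes, length: int) -> bytes:
        out = b""
        counter = 0
        while len(out) < length:
            out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
            counter += 1
        return out[:length]

    def seal(self, secret: bytes, expected_pcr: bytes) -> bytes:
        """Blob layout: expected_pcr || ciphertext || tag."""
        enc, mac = self._keys(expected_pcr)
        ciphertext = bytes(a ^ b for a, b in zip(secret, self._keystream(enc, len(secret))))
        tag = hmac.new(mac, expected_pcr + ciphertext, hashlib.sha256).digest()
        return expected_pcr + ciphertext + tag

    def unseal(self, blob: bytes, current_pcr: bytes) -> Optional[bytes]:
        """Return the secret only if current_pcr matches the sealed value and the
        blob was produced by this TPM; otherwise None, with nothing leaked."""
        expected_pcr = blob[:PCR_SIZE]
        ciphertext = blob[PCR_SIZE:-self.TAG_SIZE]
        tag = blob[-self.TAG_SIZE:]
        if not hmac.compare_digest(expected_pcr, current_pcr):
            return None  # configuration changed since sealing
        enc, mac = self._keys(current_pcr)
        expected_tag = hmac.new(mac, expected_pcr + ciphertext, hashlib.sha256).digest()
        if not hmac.compare_digest(expected_tag, tag):
            return None  # blob from another TPM, or tampered with
        return bytes(a ^ b for a, b in zip(ciphertext, self._keystream(enc, len(ciphertext))))


def release_credential(tpm: SimulatedTPM, blob: bytes, boot: List[bytes]) -> Optional[bytes]:
    """What a login client does: measure the boot chain, then ask the TPM to unseal."""
    return tpm.unseal(blob, measure_boot(boot))


if __name__ == "__main__":
    tpm = SimulatedTPM()
    blob = tpm.seal(b"bank-client-cert-key", measure_boot(GOOD_BOOT))
    print("good boot  ->", release_credential(tpm, blob, GOOD_BOOT))
    print("tampered   ->", release_credential(tpm, blob, TAMPERED_BOOT))
    print("other TPM  ->", release_credential(SimulatedTPM(), blob, GOOD_BOOT))
```

Run stand-alone, the good boot returns the sealed credential, the boot with a modified boot loader returns None because the PCR value no longer matches, and a second TPM returns None even for the correct PCR because its storage root key differs. A real TPM stores the expected PCR composite in the sealed blob and checks it before decrypting, exactly the order used in unseal above; for the bank-side check described later on this page, the client would additionally send a PCR quote signed by the attestation identity key, which this model leaves out.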

Working with this dramatically improved secure hardware environment, software companies like Wave Systems can offer a range of applications and services for Trusted PCs that provide immediate value and return on investment to address pressing security concerns. Additionally, companies like Wave are beginning to provide key management services and the trust infrastructure components that IT professionals require for managing Trusted PCs in the enterprise or government environment.

Financial services companies go to great lengths to protect monetary assets; today those assets most often exist in data form, and that data can be better protected in a TPM environment.

Access control and authentication can be implemented with computing technology that works within the recognized trusted computing framework. This offers a best practices implementation that is a foundation for the automation of security. Trusted computing can also be useful for meeting the new regulatory compliance requirements for audits and tracking in this industry.

Trusted computing has a role within the banking organization, but its more important role may be between the bank and the customer. Trusted computing provides a technology platform that is expected to become a standard feature in most PCs and mobile devices. The effect of a standard is to reduce the number of proprietary implementations and to ensure interoperability and availability. This will allow banks to deploy a pervasive, integrated solution for strong authentication that does not require the issuance and management of external hardware tokens or keys. Analysts project that the TPM will be available on equipment in the consumer's home, on laptops and on mobile devices, with as many as 50 million trusted PCs shipped by 2006 and double that the following year. As customers gain integrated strong authentication technology with their new PC purchases, banks will have the opportunity to significantly expand the online services that support and use strong authentication.

The benefit of trusted computing technology is that the trusted platform becomes part of the identity equation, and the user can establish appropriate usage policies for his or her home PC, work PC and mobile devices. If a customer logs on to a bank from a kiosk, even with a portable identity token, the bank may grant only limited access to services because of the lower security of the public kiosk. When the customer logs on from home, however, he or she can have access to a full-service branch, since the bank can verify the trusted configuration of that specific consumer PC. This type of model exists today: an ATM provides only limited access, while banks have mini branches and full-service branches. By enabling strong authentication, banks' digital web service offerings can grow substantially while simultaneously reducing the risk of fraud.

The IT industry's trusted computing effort is today one of the few open-standard, strong authentication mechanisms that can meet the needs of the financial industry. As the banking industry evaluates solutions for stronger authentication, as recommended by the FFIEC guidance, it should make sure that whatever solutions are selected include trusted computing.

Online security is a complex topic with many technologies and choices. There are, however, easy steps that financial services institutions and consumers can take that pay off both immediately and in the long term:

• Make sure all new PCs procured are Trusted PCs that include TPM security hardware and software

• Enable all online services to support multifactor authentication with the TPM as a "trusted" identity token

• Enable all internal networks to support platform authentication using the TPM, eventually adding TPM integrity measurements with attestation so that only valid configurations can gain access to the network

• Ensure all data on client and server platforms is stored encrypted on the hard disk

• Use machine identity as part of information policy, so that the hardware's location and the physical security that comes with it are taken into account

• Limit the number of records that can be retrieved from a database by a specific terminal, to prevent mass theft of records

• Promote consumer use of trusted computing in the purchase of their next PC, even if online services are not ready.

• Trusted PCs are shipping today, so financial services organizations should let customers know they will be supporting the technology

• Ask all of your networking and service vendors to support trusted computing within their platforms

Summary and Next Steps

The transition to Trusted Computing can be easy for individual users and enterprises alike. As existing PCs are replaced on their typical three- or four-year replacement cycle, Trusted PCs with TPMs should be specified. The TPM will become more important as time goes on, with software such as Microsoft's forthcoming Vista operating system building security features on it. Robust application software and trust infrastructure servers that leverage trusted computing are available now, allowing both individuals and enterprise users to activate their TPM-enabled PCs immediately and benefit from new levels of security, including the multifactor authentication recommended by the FFIEC.



Steven Sprague is president and CEO of Wave Systems Corp., a leader in delivering trusted computing applications and services. Wave Systems solves the most critical security problems for enterprises and government with software solutions that are trustworthy, reliable and easy to use. Wave's trusted computing software solutions include strong authentication, data protection, advanced password management and enterprise-wide trust management services.

For more information about Wave, visit http://www.wave.com.





© 2019 Simplex Knowledge Company. All Rights Reserved.