The name may not be glamorous, but the IBM Embedded Security Subsystem meets a need that's long been met poorly, if at all. For many, the risk that critical data on the hard drives of PCs and laptops can be stolen or tampered with is just something they had to live with. Laptops can disappear at airport security checkpoints. Trojan horses can sniff out passwords and steal security keys. Unauthorized users can snoop.
Although encryption software and access control products have been around for years, they've depended on software that resides on a computer's hard disk and is consequently subject to tampering. IBM's solution is to move encryption key creation and storage, as well as the storage of biometric factors and access-card information, to a dedicated processor on the computer's motherboard, where it is safe and unreachable.
IBM first started shipping a hardware-based security subsystem in 2001, but that solution was proprietary. The current security chip meets the standards set by the TCPA (Trusted Computing Platform Alliance), the founding members of which are Compaq, HP, Intel, and Microsoft, in addition to IBM. IBM is the first company to start including this security solution in its products, but HP/Compaq should start shipping computers with the chip shortly. Approximately 180 companies have joined TCPA since it was started -- http://www.trustedcomputing.org.
IBM's solution, which uses a processor from Atmel (www.atmel.com), currently supports four access control products available through IBM. They are a fingerprint reader and a USB hub/fingerprint reader from Targus, a fingerprint reader from Digital Persona, and a proximity card reader from Ensure Technologies.
The T-30 laptop is the first computer that IBM equipped with the TCPA-compliant chip. IBM supplied one to the InfoWorld Test Center so that we could try out its security chip and a couple of access control products.
When you receive an IBM computer with the security chip, it's disabled. To use it, you have to turn it on in the computer's BIOS, after which you can tell the client security software (which you download from IBM) what features and functions you want to secure. The software can be set to require pass phrases or biometric confirmation prior to executing designated tasks including system log-on.
If you've also bought access devices, you'll need to install them and their software. IBM supplied the Targus DEFCON Authenticator PC Card Fingerprint reader, and the Ensure Technologies XyLoc proximity badge and badge reader. The fingerprint reader slips into one of your computer's PC Card slots, and the badge reader plugs into a USB port.
After everything is installed and configured, IBM's security hardware is fairly unobtrusive. However, the fingerprint reader has an annoying habit of not responding at all unless you hold your finger properly. Unfortunately IBM does not reveal how you're supposed to hold your finger for proper operation. (We began to think of a few ways of our own after several unsuccessful attempts.)We set up the T-30 so that we could use the proximity badge instead of a system log-on. This way, we only had to have the badge near the computer to use it. Conveniently, it also logged us off when the badge left the area.
The information about the proximity badge was stored in the security chip, as was a pass phrase that gave full administrator access to the computer. This was required when using the proximity badge, as a way to help protect against unauthorized users who manage to acquire a badge.
After we registered our fingerprints with the software, the details were stored on the security chip as well. We set up the management software so that some actions, such as accessing the Internet, would require fingerprint authorization.
In addition to managing access, IBM's software supports such handy features as a right-click encryption menu item. The encryption chip handles key generation and storage and supports such features as signed e-mail and PKI.
When you use any of the supported security functions, encryption keys are retrieved from storage within the chip, and all encryption processes are handled within the chip, so that none of the information is exposed. Likewise biometric factors or card information are stored on the chip and compared within the chip, thereby keeping the information away from any software that may be running on the computer.
Overall, IBM's new standards-based approach to security holds considerable promise. When additional vendors begin shipping products based on the TCPA standard, it can mean greater access to applications that can take advantage of this level of security. In the meantime, the Embedded Security Subsystem can go a long way in helping to avoid stolen or compromised data.
And when we learned how to hold our finger, IBM's solution was quick and easy.