Trusted Computing from Portable Devices
Co-authored by Nate Cote and Emmett Jorgensen
If you believe the media reports, IT threats are everywhere. Hackers, malware, trojans, social engineering attacks, botnets, stuxnet, zero day... It's a wonder that any of us can safely navigate cyberspace.
Although the issue might be slightly overblown by the media, the risks are real. Case in point, a recent article posted on Information Week reports "Most Businesses Don't Spot Hack Attacks". If a hack or malware is present, but goes unnoticed, how can we be certain that there is nothing lurking on a machine that might be used to access our confidential data?
"Most people use their family computer for multiple purposes." said Matthew Losanno, Senior Product Manager at Kanguru Solutions, a manufacturer of secure, encrypted storage devices. "Surfing Facebook, playing online games, managing the family finances, accessing retirement accounts, etc. It's a scenario that carries a lot of potential risk. How will the user know if one of those pictures from a "friend" injected code onto the host machine? The list goes on and on."
So what can be done to protect your sensitive data?
There are currently some alternative approaches being introduced which can help users ensure safe computing and transactions. One approach is a secure, virtual operating system residing on an encrypted portable device, such as a flash drive.
Products like this generally combine a hardened virtual environment, or "sandbox", with a secure portable device (usually a USB flash drive supporting hardware encryption). The general concept is that a user launches a Linux bootloader from the read-only area on the portable drive. This bootloader communicates with the encryption chip and allows authentication to the secure, virtual environment.
These devices come in a variety of configurations; some for secure browsing, some industry specific (i.e.- financial or healthcare) while others are designed to support a full operating system being run from the portable device (directly from this hardened, virtual environment).
A complete OS (such as Windows 7) stored on one of these secure flash drives would allow the user to run a complete and trusted operating system on a completely untrusted machine. They could simply plug in the device, power up the machine and boot directly to the device and authenticate in a secure manner, never touching the untrusted (and possibly infected) host OS and applications. Even if the machine's local hard drive was completely malware-ridden, this solution would not be vulnerable to infection. It would also not leave data from temp caches on the local machine since it uses only the RAM and processor.
The other growing segment is to use the same overall architecture as a method of secure, online browsing and activity. In this case, there is no requirement for a fully installed operating system on the device. The secure, virtual environment would allow a dedicated whitelist of websites to be accessed, eliminating attacks from local host infections, redirections to alternate addresses, phishing attacks, etc. The family bills and retirement account could be securely accessed/paid on a machine which might be accessing all types of sites that may not line up with the best of security!
There are many different ways that secure devices are being used as platforms for collaborative technologies to address growing market requirements. The ability to secure activities anywhere, at any time, from any machine is something that will gain traction over the next few years.