In this era of budget austerity, telework is an effective way to reduce agency costs and increase productivity. It’s also important to enable “social distancing,” which is recommended in the event of a pandemic such as H1N1. Recognizing these benefits—and in response to statutory and policy mandates—federal agencies have implemented telework policies and an increasing number of employees are taking advantage of the option. At the same time, however, teleworking presents significant security challenges.
Teleworkers increase the number of computers accessing sensitive information. To address this issue, most agencies require virtual private networks (VPNs) to secure access to the network. But VPNs can be hacked using software readily available online. Perhaps even more problematic, employees can easily migrate VPN keys from their agency-issued laptop to their home computer. In many cases, the home machine has a larger screen, better keyboard, and simply works faster than the office machine does, but it also increases the risk of viruses and malware.
Agencies can reduce telework risks through the use of Trusted Computing. Trusted Computing works in the same way that mobile phones, cable boxes, and even iPods solved their authentication and security challenges – by securely and uniquely identifying each device so that only known equipment is allowed access.
In the early years of the mobile phone industry, mobile phone numbers were hijacked by criminals resulting in thousands of dollars of fraudulent phone charges. Today, with billions of users worldwide, mobile phone hijacking is unheard of. The reason: built into every phone (or its SIM card) is a unique electronic serial number identifying each cell phone to the network. The cable TV industry faced a similar challenge in its early days as people pirated service (and premium channels, such as HBO) without paying for it. Fast forward to today where cable boxes have a unique hardware serial number and pirated service has virtually evaporated.
Trusted Computing employs a similar user-friendly, hardware-based paradigm to increase computer and network security. Even better, it is a solution already widely deployed. In fact, it is likely that the majority of federal computers already contain the core element of Trusted Computing – a Trusted Platform Module (TPM). The TPM is a highly secure chip with a unique serial number that is installed on the motherboard. It generates, stores, and processes non-migratable keys, which can be used to encrypt information and harden certificates and identities.
Because the TPM works independently from the operating system, it can serve as a “root of trust,” verifying the integrity of the machine and user. Combining the TPM with a Trusted Drive, commonly called a Self-Encrypting Drive (SED), yields additional security. For example, TPMs and SEDs support personal identity verification (PIV) cards and biometrics to provide an additional factor in authentication to the network. Finally, TPMs are less expensive to manage than VPN tokens and, as noted, are already deployed.
TPMs have many other benefits. For example, they can also store key measurements about the pre-boot environment; going forward, this data can be used to thwart Advanced Persistent Threat (APT) attacks, which are invisible to current anti-virus and anti-malware tools.
By leveraging the power of already-deployed, secure TPMs, agencies can significantly reduce security threats associated with telework. They simply need to be turned on.