Security-by-Design: A brief introduction

Despite the emergence of Advanced Persistent Threats (APTs), software security has consistently failed to detect threats that target the pre-boot stage of the device. However, all is not lost, as enterprises already have in-built security in their employees’ devices – it just needs to be activated and managed.

For some time, layering security software on top of a device has been the approach that thousands of enterprises (and software security providers) have relied on in their quest to protect information and evade network threats. It’s easy to see why – it’s the approach that’s been sold to them and has been partly effective at keeping threats at bay. Security vendors have made their millions by convincing IT directors that software is the answer.

Yet software security has never been the ‘one and only’ answer on its own. Hackers are clever people, with an increasingly sophisticated range of techniques to infiltrate the layers of software that secure a device. What has long been ignored, though, is the fact that devices already have security hardware embedded; it’s just not used.

Think about it like this: you buy a car. When a car is manufactured, bespoke safety specifications are designed for that model and then built in. You wouldn’t drive down the road and retrospectively fit another manufacturer’s seat belts and air bags – they wouldn’t fit or work as well. The same theory applies when securing the device.

Laptops, PCs and smartphones are manufactured with security embedded that is specific to that device. But, rather than activating and managing this security, enterprises have been layering software security on top – this isn’t enough.

An example of anti-virus failing to detect Advanced Persistent Threats (APTs) is the recent wave of TDL4 malware variants. In September, a click-fraud campaign spread far and wide, directing users of Facebook and YouTube to URLs that infected 250,000 users. Hackers used the rootkit to develop new variants of the threat that go undetected by anti-virus.

The latest version, known as Sst.c, infects the Volume Boot Record. Without embedded hardware security to detect behavioural anomalies in the boot process, it starts to cause havoc, damaging the network and reducing the window of detection in which the enterprise can contain the threat.

I mentioned earlier the particular components that make security-by-design possible. One of these is the TPM – the Trusted Platform Module. The TPM is embedded in over 600 million devices around the world, while Microsoft has made the TPM a security cornerstone of the soon-to-be-launched Windows 8 operating system.

The TPM is the most secure location on the device, acting as a safe to store encryption keys, passwords and digital signatures. By engaging a management console for the TPM, enterprises can maintain complete control over every device that features the chip. By activating and managing TPMs, the enterprise can collect data from the computers and correlate computer information that is not visible to traditional malware-scanning software.

In addition to the TPM, SEDs (Self-Encrypting Drives) provide security-by-design in the form of embedded hardware encryption. Gartner has stated that by 2015, all disk drives shipped will be industry-standard SEDs. Importantly, SEDs require no modification to the device’s operating system; they are ready-to-go, while the wider standards set by the Trusted Computing Group (TCG) are built-in and interoperable.

The best part? They’re also cost effective. An Aberdeen Group research report in June 2012 stated that deploying hardware security costs on average $80 less per endpoint per year than software security. The report states that the use of hardware-based security per 10,000 endpoints can save enterprises up to $670,000 per year.

Activating and managing the hardware-based components that have been built in to detect the threat of attack forms the fundamental rationale behind Security-by-Design – one that is advocated by the TCG. By making use of the hardware-based roots of trust that are already embedded in the device, enterprises guarantee a higher level of assurance that their information is safe, and IT can monitor for threats at any time, not just once the device has booted.

Joseph Souren is the VP and GM EMEA, Wave Systems. He is responsible for developing the company’s sales, marketing and channel strategy in that region. Joseph directs channel development, manages operations, and executes sales strategy in EMEA.