As the holiday season approaches, we typically start chatting about the big changes we will see next year. One of the biggest is in PC security, with a big focus on laptops.
We've had a number of highly public data breaches during 2007 and the vendors are starting to step up to address this exposure. This will range from the rollout of new parts to the creation of a new platform and the introduction of technology that will allow a stolen laptop to scream for help. On the physical side, we'll see more peripherals that will only work with the machines they are assigned to and will be increasingly hard to steal.
TPM and Encrypted Data
We've been buying PCs with Trusted Platform Module devices in them for some time, but most of us haven't bothered to turn this important piece of technology on. Seagate recently released its new TPM-compliant encrypted drives, which should start showing up in laptops shortly. The advantage of these drives is that, if implemented properly, IT owns the encryption keys, manages them centrally, and can revoke them. Once the keys are revoked, the drives are effectively worthless, which makes disposing of laptops much easier -- you just pull the key. Should the drive be lost, assuming you have strong user authentication, you can be reasonably confident the data won't be compromised.
This provides another reason to pick up a product from a vendor like Wave Systems and turn the darned TPMs on. It amazes me that folks have this security feature, which they paid extra for, and most don't actually use it.
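To make the key-management model described above concrete, here is an added, stdlib-only Python sketch (not code from the column, Seagate or Wave Systems) of a self-encrypting drive whose media key is wrapped separately for the user and for an IT escrow key, so IT can recover data, revoke a user, or crypto-erase the drive at disposal. It assumes hypothetical names throughout, and an HMAC-SHA256 keystream stands in for the drive's AES engine.

```python
import hashlib, hmac, secrets

def keystream_xor(key, nonce, data):
    # HMAC-SHA256 counter-mode keystream: a stdlib stand-in for the drive's AES engine
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, nonce + (i // 32).to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

class SelfEncryptingDrive:
    # Data sits under a random media key (MEK) that never leaves the drive; each authority holds a wrapped copy
    def __init__(self):
        self._mek, self._nonce = secrets.token_bytes(32), secrets.token_bytes(16)
        self._wrapped, self._platter = {}, b""   # authority -> (wrapped MEK, check tag)
    def enroll(self, name, kek):
        wrapped = keystream_xor(kek, b"wrap-" + name.encode(), self._mek)
        self._wrapped[name] = (wrapped, hmac.new(kek, self._mek, hashlib.sha256).digest())
    def write(self, plaintext):
        self._platter = keystream_xor(self._mek, self._nonce, plaintext)
    def read(self, name, kek):   # fails closed if the authority was revoked or the KEK is wrong
        if name not in self._wrapped:
            raise PermissionError(f"{name!r} is not enrolled")
        wrapped, tag = self._wrapped[name]
        mek = keystream_xor(kek, b"wrap-" + name.encode(), wrapped)
        if not hmac.compare_digest(hmac.new(kek, mek, hashlib.sha256).digest(), tag):
            raise PermissionError("authentication failed")
        return keystream_xor(mek, self._nonce, self._platter)
    def revoke(self, name):
        self._wrapped.pop(name, None)   # central revocation; the ciphertext is left untouched
    def crypto_erase(self):
        self._wrapped, self._mek = {}, None   # disposal: no copy of the MEK survives anywhere

def can_read(drive, name, kek):
    try:
        return drive.read(name, kek) is not None
    except PermissionError:
        return False

def demo():
    drive, it_escrow = SelfEncryptingDrive(), secrets.token_bytes(32)   # escrow key held centrally by IT
    user = hashlib.pbkdf2_hmac("sha256", b"correct horse", secrets.token_bytes(16), 100_000)
    drive.enroll("user", user)    # user KEK from strong authentication (passphrase here, TPM-sealed in practice)
    drive.enroll("it", it_escrow)
    drive.write(b"constructed sample: quarterly payroll export")
    recovered = drive.read("it", it_escrow)   # IT recovers the data without the user's passphrase
    drive.revoke("user")                      # laptop reported lost: revoke the user's ability to unlock
    user_after_revoke = can_read(drive, "user", user)
    drive.crypto_erase()                      # disposal: "you just pull the key"
    return recovered, user_after_revoke, can_read(drive, "it", it_escrow)
```

The returned tuple shows IT recovering the plaintext, the revoked user locked out, and nobody able to read the drive after crypto-erase.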
True Lojack for Your Laptop
This technology, called FailSafe, is from Phoenix Technologies and, if you get it, it will come on your laptop as part of the BIOS load and reside below the operating system. This allows you to track a PC over the internet. Because it resides in the hardware, the only way to effectively bypass it is to never connect to a network -- if you try to remove it you will probably turn the laptop into a boat anchor.
Considered much more effective than Computrace because it is built into the laptop, this will provide a stronger level of assurance that stolen or lost laptops can be identified and returned to their owners.
HyperSpace: Linux Security on a Windows PC
Also from Phoenix Technologies are two connected offerings called HyperSpace and HyperCore that create a thin virtual machine which sits on top of BIOS and allows an embedded version of Linux to run next to Windows (or the system's primary OS). In that secondary OS would be a browser, your anti-malware products, some utilities like a media player that would benefit from a more efficient (in terms of power use) embedded platform, and some basic communications tools (light e-mail, browser, and IM client).
From a security perspective, allowing the anti-malware software to run outside the OS means hostile applications like rootkits can be more quickly identified and eliminated, and, should the primary OS become compromised, the embedded platform can be used to contact support to restore it. Since the embedded platform runs a browser, the user can go online and get help even if the OS won't boot, and technical support can take control of the system and restore it without having to ship the machine back or send a tech (assuming the problem is a software problem).
This should not only result in a more robust laptop or desktop PC, but also provide secondary benefits such as longer battery life, faster boot to basic applications, and fewer conflicts with security software. Performance impact is reported to be minimal.
It's time to really think about getting serious, particularly with regard to laptop security. If you have security technology you are buying but not using, think what will happen if you have a breach and folks ask, after the fact, why you weren't using this technology.
Much of what I've covered won't show up until the second half of next year, but I'd begin talking to your vendors to see what their future security plans are and providing feedback to make sure the stuff you need built is in the pipeline. That's because everything we've been talking about has to be built into the PC at the front end. You can't add it later, which is what makes it so much more secure.
It is well past time we got serious about PC security, particularly with regard to laptops.