Stronger Security and Identity Through Device-Based Trust

Three years into the Reagan Presidency, civil servants from an obscure government agency wrote this: “The heart of a trusted computer system is the Trusted Computing Base (TCB) which contains all of the elements of the system responsible for supporting the security policy and supporting isolation of objects (code and data) on which the protection is based.”

These security pioneers had the technical presence of mind to also include the following sensible protection design consideration: “The TCB includes hardware, firmware, and software critical to protection and must be designed and implemented such that system elements excluded from it need not be trusted to maintain protection.”

Whoa. These two simple sentences, tucked into a nondescript government document written a quarter of a century ago (the Orange Book), express an elegant protection solution that I believe has the power to improve the equation in cyber security today. Sadly, however, in the years since these concepts were first expressed, our community has largely steered its focus away from the simple TCB. The concept has practically dissolved in our industry.

One notable exception has been the development and provisioning of so-called trusted execution environment (TEE) solutions into modern computing systems, including your mobile phone. This underlying capability has evolved into a potentially useful, hardware-based resource for modern security methods such as authentication, access control, and containment. I say ‘potentially,’ because most current cyber security tools sadly ignore TEE capabilities.

This industry observation was front and center during a review I attended with Jim Jakary from Trustonic. Created in 2012 by Gemalto and ARM, Trustonic focuses on TEE and hardware-based roots of trust. Specifically, the company embeds a hardware/software capability into the ARM chipset on mobile or IoT devices to physically isolate essential computing resources. The capability is accessible via standards-based APIs and a commercially available toolset. If you are familiar with how trusted platform module (TPM) functionality is used, then you have the basic gist.

The cyber security promise of TEE-based secure computing is simple: A secure means for storing data – and this can include cryptographic keys for FIDO-based biometrics, virtual car keys for connected cars, access cards for the modern workplace, and on and on – allows the device to export a special breed of highly trusted information. Trust is rooted in tamper-proof hardware, which separates kernel hacks from TEE utilities. This is a powerful concept, because it allows for trusted applications that are secure and easy to use. Example trusted applications might include mobile wallets, remote access, encrypted voice, protected movie content, and health care patient monitoring.

Here’s something fun to consider: Embedding cryptographic identities into the underlying TEE via some trusted provisioning, perhaps by the mobile ISP at device purchase time, provides a superior alternative to the issuance of plaintext identifiers such as US social security numbers. One might envision Mom and Dad bringing their little newborn to the local AT&T store for baby’s first cryptographic identifier, perhaps embedded in the TEE of her infant-iPad. (I know, I know – but I’m just saying.)

Really, though – this is a powerful concept, because it results in the device itself being the known trusted token. This contrasts with the device being used for an out-of-band handshake to establish a second factor in the authentication handshake. “Cryptographic identity provisioning to the mobile device,” Jakary explained, “is a powerful potential application for Trustonic TEE capabilities in literally billions of deployed devices.”

What does this mean for the CISO? Well, you might imagine a future where devices support authentication based on a hardware root of trust for cloud-provisioned workloads. If you think this seems impossible, perhaps you might ask Google about their BeyondCorp initiative, which follows similar logic. Every CISO should be sponsoring an investigation into how feasible this approach might be, given their existing endpoint footprint. They should keep in mind during their investigation that TEE exists in over a billion deployed devices, so no new hardware should be required.
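The device-as-trusted-token idea above is easiest to see in a challenge-response exchange. The following is an added illustration written for this post; it is not Trustonic's code, and it simulates the TEE with an in-process struct whose private key is generated inside it and never handed out. The names (`TEEIdentity`, `Verifier`, `device-1`) are assumed for the example. The verifier plays the cloud service: it enrolls the public key exported at provisioning, issues a fresh nonce, and accepts only one signature per nonce, so a captured response cannot be replayed.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// TEEIdentity simulates the isolated environment. The private key is created
// inside and is never returned to the caller; only Sign and PublicKey are exposed.
type TEEIdentity struct {
	priv *ecdsa.PrivateKey
}

// Provision generates the device's cryptographic identity inside the simulated TEE
// (stand-in for provisioning by the carrier or OEM at device purchase time).
func Provision() (*TEEIdentity, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &TEEIdentity{priv: priv}, nil
}

// PublicKey is the only thing that leaves the TEE at provisioning time.
func (t *TEEIdentity) PublicKey() *ecdsa.PublicKey { return &t.priv.PublicKey }

// Sign signs the hash of a challenge; the key material stays inside.
func (t *TEEIdentity) Sign(challenge []byte) ([]byte, error) {
	digest := sha256.Sum256(challenge)
	return ecdsa.SignASN1(rand.Reader, t.priv, digest[:])
}

// Verifier is the relying party (for example a cloud service) holding the
// public keys collected at provisioning and the nonces currently outstanding.
type Verifier struct {
	known   map[string]*ecdsa.PublicKey // deviceID -> enrolled public key
	pending map[string][]byte           // deviceID -> unanswered nonce
}

func NewVerifier() *Verifier {
	return &Verifier{known: map[string]*ecdsa.PublicKey{}, pending: map[string][]byte{}}
}

// Enroll records the public key exported from the device's TEE.
func (v *Verifier) Enroll(deviceID string, pub *ecdsa.PublicKey) { v.known[deviceID] = pub }

// Challenge issues a fresh random nonce for a known device.
func (v *Verifier) Challenge(deviceID string) ([]byte, error) {
	if _, ok := v.known[deviceID]; !ok {
		return nil, errors.New("unknown device")
	}
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	v.pending[deviceID] = nonce
	return nonce, nil
}

// Verify checks the signature over the outstanding nonce and consumes the
// nonce, so the same response is rejected if it is presented again.
func (v *Verifier) Verify(deviceID string, sig []byte) bool {
	pub, ok := v.known[deviceID]
	nonce, has := v.pending[deviceID]
	if !ok || !has {
		return false
	}
	delete(v.pending, deviceID) // single use
	digest := sha256.Sum256(nonce)
	return ecdsa.VerifyASN1(pub, digest[:], sig)
}

// Authenticate runs one full exchange between a device and the verifier.
func Authenticate(v *Verifier, deviceID string, dev *TEEIdentity) (bool, error) {
	nonce, err := v.Challenge(deviceID)
	if err != nil {
		return false, err
	}
	sig, err := dev.Sign(nonce)
	if err != nil {
		return false, err
	}
	return v.Verify(deviceID, sig), nil
}

func main() {
	dev, _ := Provision()
	v := NewVerifier()
	v.Enroll("device-1", dev.PublicKey())
	ok, err := Authenticate(v, "device-1", dev)
	fmt.Println("authenticated:", ok, "err:", err)
}
```

The point the exchange makes is that no second factor travels out of band: possession of the device, and of the key sealed in its TEE, is the factor, and the relying party needs nothing beyond the public key collected at enrollment.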

Perhaps the biggest benefit to such hardware-based identification is that it will help bang the final nail into the coffin of the enterprise perimeter. When we can authenticate known devices through strong, hardware root of trust-based protocols based on cryptographic identities, provisioned by entities such as the mobile ISP, then we will no longer need a perimeter. And that’s worth its weight in gold.

Let me know what you think.