Stephen S. Khan (2010) Business to Business Data Sharing using Trusted Computing.
Full text access: Open
Businesses and governments are seeking new ways to improve their products and services, make them cost effective and take advantage of global sourcing options. This has been largely enabled by fast, stable communication networks that share vast volumes of data to facilitate delivery of services to customers. Sharing has led to concerns over data protection and the risks the data faces in the new open business models called Digital Business Networks. Sharing data with partners to meet business objectives requires trust from both parties. Trust is difficult to build, which is why organisations use a number of different methods to establish it, such as contracts and audits. These have inherent issues which cannot easily be addressed. The current security landscape of controls, countermeasures and mitigation strategies has not changed significantly, so new ways are being sought to deliver improved security. This need is increasing as organisations move towards new open, de-perimeterised, seamless business process models. Trusted Computing using a Trusted Platform Module (TPM) claims to offer higher security for platforms, leading to better data assurance and lower risk levels, as well as protecting platforms from malicious code. This paper seeks to establish whether Trusted Computing can offer lower risks and greater data assurance against platform attacks when compared with current controls. A detailed risk assessment was performed of the risks to data on current platforms, and then a further comparator assessment was performed assuming Trusted Computing TPM controls were deployed. This comparison suggests that Trusted Computing does indeed reduce the platform risks to data by up to 67%. However, due to the low adoption of TPM technology today, there are currently few applications using it.
This is expected to change as leading processor manufacturers develop integrated functions within their processors, which will allow more applications to use the TPM in the medium to long term. Other challenges need to be overcome before TPM usage becomes commonplace. These include a Public Key Infrastructure with certificate authorities to support use of the TPM. Deployment of TPMs will need to extend from mainly laptops today to servers before organisations can use them for their critical data. Microprocessor manufacturers will also need to improve isolation technologies to support commonly used virtualisation solutions. Operating system and application vendors will also need a standard method of software hash checking to prove the integrity of software. Trusted Computing with a TPM offers a great step forward in protecting data from platform attacks, as the current protection mechanisms have not changed significantly over recent years and in the author's opinion are largely not effective against today's attack methods. The technology needs to mature on many fronts before applications are developed and organisations gain the confidence to use it. However, in the author's opinion it is simply a matter of time before the required enablers are in place to allow widespread adoption.
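The "software hash checks" the abstract refers to rest on the TPM's extend operation: each component loaded during boot is hashed and folded into a Platform Configuration Register, so a verifier can compare the final PCR with a known-good value and use the event log to name the component that changed. The following is an added illustration of that mechanism, not code from Khan's paper or from any TPM vendor; it simulates the PCR in software, and the component contents, the known-good list and the tampering are all constructed sample data.

```python
"""Added example (not from Khan's paper): software simulation of how a
TPM Platform Configuration Register (PCR) accumulates software hashes
so that a verifier can check platform integrity against a known-good
value. Component contents and the known-good list are constructed."""
import hashlib


def pcr_extend(pcr: bytes, measurement: bytes, algo: str = "sha1") -> bytes:
    """TPM extend operation: PCR_new = H(PCR_old || measurement).
    SHA-1 (20-byte PCRs) matches the TPM 1.2 devices of 2010; the same
    construction applies with SHA-256 on TPM 2.0 PCR banks."""
    h = hashlib.new(algo)
    h.update(pcr)
    h.update(measurement)
    return h.digest()


def measure_boot_chain(components, algo: str = "sha1"):
    """Measure each (name, content) component in load order, as a measured
    boot would, returning the final PCR value and the event log."""
    pcr = bytes(hashlib.new(algo).digest_size)  # PCRs reset to all zeros
    log = []
    for name, content in components:
        m = hashlib.new(algo, content).digest()
        pcr = pcr_extend(pcr, m, algo)
        log.append((name, m.hex()))
    return pcr, log


def replay_log(log, algo: str = "sha1") -> bytes:
    """Verifier side: recompute the PCR from the event log alone. A quoted
    PCR that does not match this replay means the log or the platform is
    not what it claims to be."""
    pcr = bytes(hashlib.new(algo).digest_size)
    for _, m_hex in log:
        pcr = pcr_extend(pcr, bytes.fromhex(m_hex), algo)
    return pcr


def check_integrity(pcr, known_good_pcr, log, known_good_hashes):
    """Compare the quoted PCR with the expected value; on mismatch, walk
    the event log to name the first component whose hash departs from
    the known-good list (e.g. a rootkit-modified loader)."""
    if pcr == known_good_pcr:
        return True, None
    for (name, m_hex), good in zip(log, known_good_hashes):
        if m_hex != good:
            return False, name
    return False, "log/PCR mismatch"  # log looks clean but PCR differs


# Constructed sample components standing in for real boot-chain binaries.
GOOD_CHAIN = [
    ("bios", b"firmware v1.0"),
    ("bootloader", b"bootloader v2.3"),
    ("kernel", b"kernel 2.6.32"),
    ("driver", b"storage driver v1.1"),
]
KNOWN_GOOD_PCR, KNOWN_GOOD_LOG = measure_boot_chain(GOOD_CHAIN)
KNOWN_GOOD_HASHES = [h for _, h in KNOWN_GOOD_LOG]


def tampered_platform():
    """Same chain with a modified bootloader, as a rootkit dropper would
    leave behind. Returns (ok, first_bad_component)."""
    chain = list(GOOD_CHAIN)
    chain[1] = ("bootloader", b"bootloader v2.3 + patch")
    pcr, log = measure_boot_chain(chain)
    return check_integrity(pcr, KNOWN_GOOD_PCR, log, KNOWN_GOOD_HASHES)


def reordered_platform():
    """Same components loaded in a different order: every hash is on the
    known-good list, yet the PCR still differs, because extend is
    order-sensitive. Returns (pcr_differs, log_replays_consistently)."""
    chain = [GOOD_CHAIN[0], GOOD_CHAIN[2], GOOD_CHAIN[1], GOOD_CHAIN[3]]
    pcr, log = measure_boot_chain(chain)
    return pcr != KNOWN_GOOD_PCR, replay_log(log) == pcr


if __name__ == "__main__":
    print("clean:", check_integrity(KNOWN_GOOD_PCR, KNOWN_GOOD_PCR,
                                    KNOWN_GOOD_LOG, KNOWN_GOOD_HASHES))
    print("tampered:", tampered_platform())
    print("reordered:", reordered_platform())
```

The point a practitioner should take from the reordered case is that the PCR commits to the whole sequence, not to a set of hashes; this is why the abstract's call for a standard hash-check method matters, since every verifier must agree on what is measured, in which order, and into which register before a known-good value can be shared between business partners.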
Published version. Version date: 31/03/2010. This item is peer reviewed.
https://repository.royalholloway.ac.uk/items/862aa985-89be-c05e-d5bf-6c4e4515796c/1/
Deposited on 23-Jun-2010 in Royal Holloway Research Online. Last modified on 15-Dec-2010.