I am a follower of David Lacey and his school of thought. He was an initiator for the BS7799 standard later adopted as ISO27001/2 in the EU. Beginning of September I participated in a telepresence conference with him and many others from the BCS around the globe. This was organized by David Misell. In the telepresence many influentials in thought leadership in information and cyber security.

This one meeting has influenced much of my thinking since. It is impossible to prove you are compliant, even if you follow the rule book, you cannot prove you are 100% compliant even with the best and most dedicated security consultants in the world, especially on large accounts that I am normally exposed to. Moreover, even if you could, proving you are compliant does not prove that you are secure.

So what is the answer, well as David Lacey believes smart use of technology is a part of a way forward. For example did you know that over 85% (maybe more) of PCs shipped today have a chip that supports trusted computing (TPM) and that Intel has acquired companies such as McAfee (DeepSafe and DeepCommand) and Nordic thern Edge (One-Time-Password, OTP). They are placing security at the chip level.

Now if you can prove your organization is secure by implementing secure technologies (note that I don’t say security). This is almost getting close to what the Common Criteria is trying to do, but never really succeeded wide scale because it just became too complicated, and customizations made by individual organizations, each with special needs made any CC status assigned void. I believe that secure at the chip level is an amazing step forward, and more companies should be looking into this, particularly when they are finding their existing IAM infrastructure is just getting too complex.

Did you know that most PCs and servers being shipped today have a TPM?
But what does TPM mean in simple terms. Well it’s easy. TPM uses OpenID for single sign-on and a trusted chip, that has a trust relationship with a service, application or another hardware device (in the cloud for example). The user authenticates to the machine and the OpenID service provides single sign-on to trusted services. Authentication is provided at the hardware level. Listen on the following link…

A simplistic description of what TPM does from the Trusted Computing Group.

Not a really quality video, but the content is an interesting insight into the challenges of developing TPM.