This article is part of an Essential Guide, our editor-selected collection of our best articles, videos and other content on this topic. Explore more in this guide:
3. - Don't get left behind as mobile security management evolves past the desktop: Read more in this section
- Enterprise desktop management must respond to mobile device security
- Service providers require security scrutiny with Desktop as a Service
- Some Windows devices get protection from trusted platform module chip
Explore other sections in this guide:
- 1. - Getting started with an endpoint and mobile security strategy
- 2. - Tools for mobile devices proliferate as vendor shakeups continue
Technology that already keeps enterprise data secure on servers and networks has made its way onto Windows mobile devices.
Windows-based notebooks and tablets incorporate the trusted platform module (TPM) chip, a product and specification that adhere to the Trusted Computing Group's security architecture.
The chip is installed on a device's motherboard and is available from vendors including Broadcom, Infineon Technologies and STMicroelectronics. Management of the chip is enabled by software from companies such as Wave Systems.
At the heart of TPM is its ability to provide mobile device security at the BIOS level. It allows for device authentication and is a way to store encrypted keys.
The technology can help IT reduce corporate data security risks that come with the bring-your-own-device (BYOD) movement in a couple of ways. Instead of allowing employees to use non-secure devices, IT can issue employees a Windows-based tablet PC with a TPM chip, or employees can bring their own.
"BYOD is scary for companies and consumers because that device in your pocket or tablet [allows you to do] banking and email, and a lot of businesses are concerned about that," said Lamar Bailey, director of security research and development at Tripwire in Portland, Ore.
However, TPM is not a panacea for mobile device security, and it needs to be used with other technologies. These include self-encrypting drives, Microsoft's BitLocker, mobile device management systems, antivirus software and tokens for VPN clients.
Trusted Platform Module 1.2
TPM's 1.2 specification is supported by a host of major vendors such as Intel, Microsoft and Dell.
A subset of TPM is the mobile trusted module (MTM), a firmware upgrade for consumer-grade mobile devices. The MTM can store digital keys and passwords that help authenticate each device. However, MTM is still in its early phase.
For example, Windows 8 includes the Unified Extensible Firmware Interface (UEFI) to ensure that only valid software executes upon booting. This works along with TPM chips.
Companies have successfully deployed the TPM modules with defensive layers, according to Peter Renner, Microsoft professional services director at En Pointe Technologies, an IT reseller in Gardena, Calif.
Some people, however, don't believe TPM is a viable security solution for BYOD.
"If TPM were installed on employees' devices, it potentially could create issues for the employee down the road if they left the company and then needed certain types of IT service," explained Kyp Walls, senior director of product management at Panasonic System Communications Company of North America. Secaucus, N.J.-based Panasonic has incorporated TPM chips into its products since 2006.
In addition, the mobile device security technology may not work for devices owned by end users.
"The downside comes from the fact that the TPM is still not owned or managed by the enterprise," said Chris Crowley, a certified instructor at the SANS Institute, an organization that provides computer security training and certification in Bethesda, Md. "The TPM key is protected by the user, so if the user operating the device is not safeguarding the data, it remains at risk."
Standardizing on technology based on the trusted platform module can help, and some organizations have come to rely on it to mitigate their data security risks.
"Most of our machines have TPM chip technology in them," said Jan Pabitzky, chief information officer of the Geary County Schools in Junction City, Kan. "As we go through a replacement strategy, we will use TPM-only devices."
The school district is not alone in its security concerns.
The Ponemon Institute, a market research company in Traverse City, Mich., published a 2013 State of the Endpoint survey that revealed steeply growing security concerns surrounding mobile devices. In 2012, 73% of 671 IT pros who answered the survey said mobile devices posed a security risk for IT. Only 9% identified this as a risk in 2010. Other IT security risks included mobile/remote employees and the cloud.