
Trusted platform module aids Windows mobile device security

Keeping data safe in mobile devices is the Holy Grail for preventing corporate data loss.

Technology that already keeps enterprise data secure on servers and networks has made its way onto Windows mobile devices.

Many Windows-based notebooks and tablets incorporate a trusted platform module (TPM) chip, a discrete security component built to the TPM specification published by the Trusted Computing Group.

The chip is installed on a device's motherboard and is available from vendors including Broadcom, Infineon Technologies and STMicroelectronics. Management of the chip is enabled by software from companies such as Wave Systems.

At the heart of TPM is its ability to anchor security below the operating system, at the firmware (BIOS/UEFI) level. The chip generates and stores cryptographic keys in tamper-resistant hardware, so the private keys never have to leave it in the clear, and it can be used to authenticate the device itself, not just the user.

The technology can help IT reduce the corporate data security risks that come with the bring-your-own-device (BYOD) movement in a couple of ways. Rather than allowing employees to work from unsecured devices, IT can issue employees a Windows-based tablet PC with a TPM chip, or let employees bring their own TPM-equipped device.

"BYOD is scary for companies and consumers because that device in your pocket or tablet [allows you to do] banking and email, and a lot of businesses are concerned about that," said Lamar Bailey, director of security research and development at Tripwire in Portland, Ore.

However, TPM is not a panacea for mobile device security; it needs to be combined with other controls. These include self-encrypting drives, Microsoft's BitLocker (which uses the TPM to seal the drive-encryption key to the machine's boot state), mobile device management (MDM) systems, antivirus software and tokens for VPN clients.

Trusted Platform Module 1.2

TPM's 1.2 specification is supported by a host of major vendors such as Intel, Microsoft and Dell.

A related Trusted Computing Group specification is the mobile trusted module (MTM), derived from TPM 1.2 and aimed at consumer-grade mobile devices, where it is intended to be delivered as firmware rather than as a separate chip. The MTM can store keys and credentials that help authenticate each device. However, MTM is still in its early phase.

Windows 8 builds on the TPM with Unified Extensible Firmware Interface (UEFI) Secure Boot, which lets the firmware run only boot software that carries a trusted signature, and with Measured Boot, which records a hash of each boot component in the TPM so the device's boot state can be checked later.
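The layered setup the article describes (a usable TPM, UEFI Secure Boot, and BitLocker protecting the system drive with a TPM-bound key) is something an administrator can verify on a Windows 8 or later machine before trusting it with corporate data. The following read-only check is an added example written for this page, not code from the article or from any vendor quoted in it; it uses only the built-in Get-Tpm, Confirm-SecureBootUEFI and Get-BitLockerVolume cmdlets plus the Win32_Tpm WMI class, and assumes it is run from an elevated PowerShell prompt.

```powershell
# Added example (not from the article): baseline check that a Windows 8+ endpoint
# has a ready TPM, UEFI Secure Boot enabled, and BitLocker on the OS volume with a
# TPM-based key protector. Read-only; run elevated.

$findings = [ordered]@{}

# 1. TPM present, enabled and ready for use (provisioned by the OS).
$tpm = Get-Tpm
$findings['TpmPresent'] = $tpm.TpmPresent
$findings['TpmEnabled'] = $tpm.TpmEnabled
$findings['TpmReady']   = $tpm.TpmReady

# The spec version (e.g. "1.2" or "2.0") is exposed by the Win32_Tpm WMI class,
# not by Get-Tpm, so query it separately and tolerate a missing class.
$wmiTpm = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' `
                          -ClassName Win32_Tpm -ErrorAction SilentlyContinue
$findings['TpmSpecVersion'] = if ($wmiTpm) { $wmiTpm.SpecVersion } else { 'unknown' }

# 2. UEFI Secure Boot. Confirm-SecureBootUEFI throws on legacy-BIOS machines, so an
#    exception means "not a UEFI boot", which is itself a finding, not a script error.
try {
    $findings['SecureBoot'] = Confirm-SecureBootUEFI
} catch {
    $findings['SecureBoot'] = 'n/a (legacy BIOS or unsupported firmware)'
}

# 3. BitLocker on the system drive, and whether a TPM-backed protector unlocks it.
#    KeyProtectorType values that start with "Tpm" (Tpm, TpmPin, TpmStartupKey,
#    TpmPinStartupKey) all mean the volume key is sealed to the TPM.
$osVol = Get-BitLockerVolume -MountPoint $env:SystemDrive
$findings['BitLockerVolumeStatus'] = $osVol.VolumeStatus      # FullyEncrypted, FullyDecrypted, ...
$findings['BitLockerProtection']   = $osVol.ProtectionStatus  # On / Off
$findings['TpmKeyProtector'] = [bool]($osVol.KeyProtector |
    Where-Object { $_.KeyProtectorType -like 'Tpm*' })
# A recovery password should exist (and be escrowed) in case the TPM seal breaks,
# e.g. after a firmware update changes the measured boot state.
$findings['RecoveryPassword'] = [bool]($osVol.KeyProtector |
    Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })

# Anything False / Off / n-a here is a gap in the layered defence the article describes.
[pscustomobject]$findings | Format-List
```

Note that a TPM being present is not the same as it being ready: TpmReady is false until the OS has taken ownership, and BitLocker will not create a TPM protector on a machine where Secure Boot is off unless policy explicitly allows it. The recovery-password check matters because a TPM-sealed key is deliberately tied to the boot measurements, so a legitimate firmware or boot-loader change can lock a user out of the drive.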

Companies have successfully deployed the TPM modules with defensive layers, according to Peter Renner, Microsoft professional services director at En Pointe Technologies, an IT reseller in Gardena, Calif.

Some people, however, don't believe TPM is a viable security solution for BYOD.

"If TPM were installed on employees' devices, it potentially could create issues for the employee down the road if they left the company and then needed certain types of IT service," explained Kyp Walls, senior director of product management at Panasonic System Communications Company of North America. Secaucus, N.J.-based Panasonic has incorporated TPM chips into its products since 2006.

In addition, the mobile device security technology may not work for devices owned by end users.

"The downside comes from the fact that the TPM is still not owned or managed by the enterprise," said Chris Crowley, a certified instructor at the SANS Institute, an organization that provides computer security training and certification in Bethesda, Md. "The TPM key is protected by the user, so if the user operating the device is not safeguarding the data, it remains at risk."

Standardizing on technology based on the trusted platform module can help, and some organizations have come to rely on it to mitigate their data security risks.

"Most of our machines have TPM chip technology in them," said Jan Pabitzky, chief information officer of the Geary County Schools in Junction City, Kan. "As we go through a replacement strategy, we will use TPM-only devices."

The school district is not alone in its security concerns.

The Ponemon Institute, a market research company in Traverse City, Mich., published a 2013 State of the Endpoint survey that revealed steeply growing security concerns surrounding mobile devices. In 2012, 73% of 671 IT pros who answered the survey said mobile devices posed a security risk for IT. Only 9% identified this as a risk in 2010. Other IT security risks included mobile/remote employees and the cloud.


What are your thoughts on TPM as a mobile-device management solution?
A hardware device to keep the encryption keys safe, not accessible by the OS and other malware.
Windows 8 and Windows Server make setting up and managing the TPM for the enterprise significantly easier, while enabling key security capabilities.
Whilst TPM is an opt-in technology and is showing up everywhere, it's designed to be managed by the owner. Owners can be defined as the end user or the corporation, for the services it wants to protect. By no means does this ever get in the way of a user using a BYOD device that is corporate managed, leaving an organization and thus having a disabled device. It's actually 100% better than MDM that cripples a BYOD device.
The best access control solution is to have the device ID and user ID stored in a hardware root of trust (TPM) on every device. This is the best method for enterprises to know who is really on their networks. TPMs are also capable of informing the enterprise about the health status of their devices at the pre-boot BIOS level.
The TPM can be turned off in the BIOS so the user can bypass it if needed?
Used with defense layering it does deter some unauthorized programs at the boot cycle.
easier to manage