Business to Business Data Sharing using Trusted Computing

Stephen S. Khan

(2010)



Abstract

Businesses and governments are seeking new ways to improve their products and services, make them cost effective and take advantage of global sourcing options. This has been largely enabled by fast, stable communication networks that share vast volumes of data to facilitate the delivery of services to customers. Sharing has led to concerns over data protection and the risks the data faces in the new open business models called Digital Business Networks. Sharing data with partners to meet business objectives requires trust from both parties. Trust is difficult to build, which is why organisations use a number of different methods to establish it, such as contracts, audits and the like. These have inherent issues which cannot easily be addressed. The current security landscape of controls, countermeasures and mitigation strategies has not changed significantly, so new ways are being sought to deliver improved security. This need is increasing as organisations move towards new open, de-perimeterised, seamless business process models. Trusted Computing using a Trusted Platform Module claims to offer higher security for platforms, leading to better data assurance and lower risk levels, as well as protecting platforms from malicious code. This paper seeks to establish whether Trusted Computing can offer lower risks and greater data assurance against platform attacks when compared with current controls. A detailed risk assessment was performed of the risks to data on current platforms, and then a further comparator assessment was performed assuming Trusted Computing Trusted Platform Module (TPM) controls were deployed. This comparison suggests that Trusted Computing does indeed reduce the platform risks to data by up to 67%. However, due to the low adoption of the Trusted Computing TPM technology today, there are currently few applications using this new technology.

This is expected to change as leading manufacturers of processor chips develop integrated functions within their processors, which will enable more applications to use the TPM in the medium to long term. There are other challenges which need to be overcome before TPM usage becomes commonplace. These include a Public Key Infrastructure with certificate authorities that support the use of the TPM. Deployment of the TPM will need to extend from mainly laptops today to servers before organisations can use it for their critical data. The microprocessor manufacturers will also need to improve on isolation technologies to support commonly used virtualisation solutions. Operating system and application vendors will also need a standard method of supporting software hash checks to prove the integrity of software. Trusted Computing with the TPM offers a great step forward in protecting data from platform attacks, as the current protection mechanisms have not changed significantly over recent years and in the author's opinion are largely not effective against today's attack methods. The technology needs to mature on many fronts before applications are developed and organisations gain the confidence to use it. However, in the author's opinion it is simply a matter of time before the required enablers are in place to allow widespread adoption.

Information about this Version

This is a Published version
This version's date is: 31/03/2010
This item is peer reviewed

Link to this Version

https://repository.royalholloway.ac.uk/items/862aa985-89be-c05e-d5bf-6c4e4515796c/1/

Item Type: Monograph (Technical Report)
Title: Business to Business Data Sharing using Trusted Computing
Authors: Khan, Stephen S
Departments: Faculty of Science\Mathematics

Deposited by () on 23-Jun-2010 in Royal Holloway Research Online. Last modified on 15-Dec-2010
