A STUDY OF TRUSTED COMPUTING IMPLEMENTATION IN PUBLIC SECTOR INFORMATION, COMMUNICATION AND TECHNOLOGY (ICT)
DOMAIN
RUSNITA BINTI ISNIN@HAMDAN
A project report submitted in partial fulfillment of the requirements for the award of the degree of Master of Computer Science (Information Security)
Centre for Advanced Software Engineering (CASE) Faculty of Computer Science and Information System
Universiti Teknologi Malaysia
iii
To my husband Mohd Fauzi Haji Ismail, and children Aida Shaheerah, and Aida Thurayya and
iv
ACKNOWLEDGEMENT
The highest gratitude to Allah the Almighty with whose blessings and permission I have, alas, been able to complete this project report for my Masters Degree.
I would like to take this opportunity to express my deepest gratitude to my project supervisor, Dr. Rabiah Ahmad for her encouragement and guidance. Special thanks goes to all lecturers and staffs at Centre for Advanced Software Engineering (CASE) for their cooperation and support throughout my course at CASE.
v
ABSTRACT
vi
ABSTRAK
vii
TABLES OF CONTENTS
CHAPTER TITLE PAGE
DECLARATION ii
DEDICATION iii
ACKNOWLEDGEMENT iv
ABSTRACT v
ABSTRAK vi
TABLE OF CONTENTS vii
LIST OF TABLES xii
LIST OF FIGURES xiii
LIST OF ABBREVIATIONS xiv
LIST OF APPENDICES xv
1 INTRODUCTION 1
1.1 Introduction 1
1.2 Problem Background 1
1.3 Problem Statement 2
1.4 Research Questions 3
1.5 Objectives of the Study 4
1.6 Scope of the Study 4
1.7 Research Methodology 4
1.8 Significance of the Study 5
1.9 Summary 5
2 LITERATURE REVIEW 7
2.1 Introduction 7
viii
2.2.1 Benefits 8
2.2.2 Technicalities of Trusted Computing 9
2.2.3 Trusted Computing Group (TCG) 9
2.2.4 Trusted Platform Module 10
2.3 TCG Survey about TPM Usage in Market 13
2.4 Deployment of Trusted Computing 18
2.4.1 Microsoft’s Next-Generation Secure Computing
Base 19
2.4.2 Identity Service Authorities 19
2.4.3 Intellectual-Property Protection 20
2.4.4 Endpoints 20
2.4.5 Applications 21
2.5 Case Study 22
2.5.1 St. Mary’s County Public Schools, United State 22
2.5.2 St. Monica’s College, Australia 23
2.5.3 Bangchak Petroleum, Thailand 25
2.6 Trusted Computing in Malaysia 25
2.6.1 MIMOS Berhad 25
2.6.2 Malaysia Public Sector 27
2.7 International Issues in Trusted Computing 27
2.7.1 German Federal Public sector 28
2.7.1.1 Definition of Terms 28
2.7.1.2 Enhancing IT Security 28
2.7.1.3 Availability of the Specifications 28
2.7.1.4 Open Standards 29
2.7.1.5 Freedom of Research 29
2.7.1.6 Interoperability 29
2.7.1.7 Transparency 29
2.7.1.8 Certification 30
2.7.1.9 National IT industry 30
2.7.1.10 Freedom of Choice 30
2.7.1.11 Guarantee of IT Security 31
ix
2.7.1.13 Protection of Digital Works 31
2.7.1.14 Data Protection 32
2.7.1.15 Standardisation 32
2.7.1.16 International Cooperation 32
2.7.2 New Zealand 33
2.7.3 Austria 34
2.7.4 Malaysia 34
2.7.4.1 Objective 35
2.7.4.2 Target Audience 35
2.7.4.3 The Potential Usage of TC Technology 35
2.7.4.4 Trusted Platform Module 36
2.7.4.5 Potential Concerns 38
2.7.4.6 Other Jurisdictions or External Factors 40
2.8 Summary 40
3 RESEARCH METHODOLOGY 41
3.1 Introduction 41
3.2 Research Approach 41
3.2.1 Quantitative Methods 41
3.2.2 Qualitative Methods 42
3.2.3 Weighting Scheme 42
3.3 Research Framework 43
3.3.1 TC Evolution 44
3.3.2 TC Technology 44
3.3.3 TC Controversy 44
3.3.4 Awareness 45
3.3.5 TC Implementation Guideline 45
3.4 Research Process 45
3.4.1 Clarifying Research Question 47
3.4.2 Theoretical Study 47
3.4.2.1 Preliminary Study 47
3.4.3 Exploratory Study 47
3.4.3.1 Qualitative Technique 48
x
3.4.3.3 Quantitative Technique 48
3.4.3.4 Survey Question 48
3.4.3.5 Data Collection 50
3.4.3.6 Data Analysis 50
3.4.3.7 Interpret Finding 50
3.4.4 Built Guideline 50
3.4.5 Documentation 51
3.5 Summary 51
4 FINDING AND ANALYSIS 52
4.1 Introduction 52
4.2 Overview of Security Implementation in the Organization 52
4.2.1 Section A: Respondent Demography 53
4.2.2 Section B: Security Control 54
4.3 TC Implementation Overview in Organization 58
4.3.1 Section C: TC Basic Knowledge 58
4.3.2 SectionC-2: TC Technology. 60
4.3.3 Section C-3: TC Controversy 62
4.3.4 Section D: Security Awareness 65
4.4 Summary 68
5 RECOMMENDATION 70
5.1 Introduction 70
5.2 TC Implementation Guideline 70
5.2.1 Authentication 72
5.2.2 Data Protection 72
5.2.3 Network Attestation and Platform Measurement 73
5.2.4 Application Protection 73
5.2.5 Content Protection 74
5.2.6 Information Availability 74
5.2.6.1 Informed consent to externally-imposed
digital encumbrance 75
5.2.6.2 Conditions for externally-imposed digital
encumbrance 75
xi
5.2.6.4 Usage by all legitimate parties 76
5.2.6.5 Assurance of future accessibility 76
5.2.6.6 Minimum constraint on usage 76
5.2.6.7 Common privilege definitions 76
5.2.6.8 Independent usage capability 77
5.2.6.9 Modification/deletion by
hardware/software 77
5.2.7 Information Confidentiality and Integrity
Principles 77
5.2.7.1 Awareness of TC functionality 77
5.2.7.2 Knowledge of Information Flows 78
5.2.7.3 Communication specification 78
5.2.8 System Security Principle 79
5.2.8.1 Ability to identify harmful
communications 79
5.3 Summary 79
6 CONCLUSION 80
6.1 Introduction 80
6.2 Summary of Research Findings 80
6.3 TC Implementation Guideline 80
6.4 Limitation and Recommendation of Future Works 81
6.5 Contribution of This Study 81
6.6 Conclusion 81
REFERENCES 82
xii
LIST OF TABLES
TABLE NO. TITLE PAGE
4.1 Control Clustering 55
4.2 Sealed Storage Result 61
4.3 Remote Attestation Result 61
4.4 TC Controversy-Product Supplier 62
4.5 TC Controversy-Over Controlling Result 63
xiii
LIST OF FIGURES
FIGURE NO. TITLE PAGE
2.1 TCG Workgroup 10
2.2 Component of Trusted Computing 12
2.3 TPM Forecast 13
2.4 Existing System With Support of Trusted Computing 14
2.5 Factors of Trusted Computing Implementation 15
2. 6 Leading Barrier of Trusted Computing Adoption 15
2.7 TPM User Exhibit Leading of Process Capabilities 16
2.8 TPM Usage Percentage in Development 17
2.9 TPM User Exhibit Leading in Process Management 18
3.1 The Research Framework 43
3.2 Research Process 46
4.1 Controls With TPM Technology 56
4.2 Controls Without TPM Technology 57
4.3 Agree And Strongly Agree Scale For TC Understanding 58
4.4 Disgree And Strongly Disagree Scale For TC Understanding 59
4.5 Natural Scale For TC Understanding 59
4.6 Summary of TC Controversy-Product Supplier 63
4.7 Summary of TC Controversy-Over Controlling 64
4.8 Training Attended Result 65
4.9 Security Update Result 66
4.10 Method of Buying New Security Product 66
xiv
LIST OF ABBREVIATION
CPU - Central Processing Unit
I/O - Input/Output
ICT - Information, Communication &Technology
IDs - Identities
IT - Information Technology
MAMPU - Modernization and Management Planning Unit
MIMOS - Malaysian Institute of Microelectronic Systems
NGSCB - Next-Generation Secure Computing Base
PCs - Personal Computers
PDA - Personal Data Assistant
RND - Research and Development
TC - Trusted Computing
TCG - Trusted Computing Group
TCPA - Trusted Computing Platform Alliance
TNC - Trusted Network Connect
xv
LIST OF APPENDICES
APPENDIX TITLE PAGE
A TCG Timeline 84
B TCG Members 87
C TCG Workgroup. 90
CHAPTER 1
INTRODUCTION
1.1 Introduction
This chapter will briefly explain the aim of this project. The problem
background, objectives, scope of study and its significant will be briefly explained in
order to give the reader a basic understanding of the project.
1.2 Problem Background
“The Top Cyber Security List” as published in the SANS website in
September 2009 mentioned the most prevalent attacks. This data was brought about
through featuring attack data from TippingPoint intrusion prevention systems
protecting 6,000 organizations, vulnerability data from 9,000,000 systems compiled
by Qualys, and additional analysis and tutorial by the Internet Storm Center and key
SANS faculty members. The top most attacks are Application vulnerabilities which
exceed OS vulnerabilities, Web application attacks, Windows: Conficker/Down up
and Apple: QuickTime and six more.
SANS also announced that the number of attacks is now so large and their
sophistication so great, that many organizations are having trouble determining
which new threats and vulnerabilities pose the greatest risk and how resources should
be allocated to ensure that the most probable and damaging attacks are dealt with
2
Hence, Trusted Computing Group (TCG) has claimed that Trusted Platform
Module (TPM) can assist in enhancing security levels in Information Technology
tangible and intangible solutions. This is one of the options that uses hardware based
mechanisms to achieve a secure environment. Although this statement has been
debated since 2003 especially in terms of trustworthy, many giant information
technology (IT) companies have only adopted and implemented TPM in their
manufacturing to comply with industry standards. Personal computer, network
equipment, mobile computing and many more IT assets have been invented using
this particular technology in order to provide secure products and services for
customers. Therefore conscious or unconscious, we as end users of IT facilities are
already part of their target market.
The Public sector in Malaysia is not excluded. In actual fact Malaysia has got
a special organization directly contributing in research and development of trusted
computing in order to provide trusted solutions for Malaysian requirements.
Implementation of this concept however has never been measured to verify whether
it can behave according to what has been claimed by TCG; that is the enhancement
of security levels in organization.
Furthermore, sometimes this implementation is only known by the
organization as a security product that can help them to solve problems. They do not
fully know its architecture, its purposes, actions and impacts on the organization’s
privacy. In other words, they just follow the trends and put their trust in the principal
that a new product with new technology will inherently have strong protection and
capabilities.
1.3 Problem Statement
Information security in the Malaysian public sector has been determined as
one of the very important areas in providing high profile of communication to the
citizen. Leveraging of information technology application under the e-Public sector
3
information and services. IT infrastructure installation and development has been
progressively built for having interconnection between locations all over Malaysia.
Hence just as transport online applications have also been encouraged so as to
develop top management to facilitate and improve the public sector services.
This changing of the environment however does not exclude public sector
application exposure to threats and vulnerabilities. Therefore a higher demand of
security approaches has been raised in each IT development. Confidentiality,
integrity and availability principals have also been implemented in every part of the
IT solution to gain a secure IT environment.
Since trusted computing (TC) is one of security solution provided by IT
vendors and has been part of compliance in industry, we would like to see whether
the public sector ICT domain has implemented it or not as one of choices to
enhancing security. Whatever the answer is the public sector ICT should be aware of
its capabilities and take an advantage of it. Positive and negative issues related to TC
also need to be addressed among ICT officer so that they can make better choices
during procurement specifications of tangible, intangible services and equipment.
1.4 Research Questions
A research question is a statement that distinguishes the problem to be
studied in a project. A few research questions have been determined for this project:
• Is the public sector concerned about the existing TC concept?
• Is the public sector concerned about TC positive and negative impact? • Has TC technologies been implemented in the public sector?
4
1.5 Objectives of the Study
This study will attempt to achieve a few objectives that have been determined
in the early stages of this study. The objectives are:
• To identify the components used in analyzing TC implementation in the public sector
• To determine the level of the TC Implementation in the public sector
agencies.
• To propose and validate the TC implementation guidelines.
1.6 Scope of the Study
This study was designed to get an overview of the current situation of IT
security solutions directly related to TC implementation and indirectly in the public
sector ICT Domain. We shall theoretically analyze TC in order to get the TC
implementation levels in the public sector.
The survey will involve ICT officer in the public sector especially those who
are directly responsible in planning, purchasing and implementing IT security.
1.7 Research Methodology
The research will be done by combining qualitative and quantitative methods.
This is because in the public sector, the ICT organization as a whole, there are two
different parties directly involved in IT security. One is the planning and monitoring
unit and other is the implementation unit.
The qualitative method will be used to interview the planning and monitoring
unit which is known as MAMPU. This will be done to get an overall overview of the
IT Security situation that is needed to be complied with by all public sector agencies.
5
directly involved in research and development (RND) of TC in Malaysia. The survey
questions will then be distributed to all ministries under the public sector in order to
get an overview of TC implementation.
All the data collection will be analyzed and will be used to develop a suitable
implementation strategy and policy for TC. In conclusion the approach that will be
used to accomplish this study is: • Interviews
• Questionnaire
• Data Collection Procedure • Data Analysis
1.8 Significance of the Study
This study is very significant to the public sector ICT domain especially for
ICT Officers directly involved in planning and implementing ICT Security in
organizations. This study will benefit the public sector in a few of the following
aspects:
• Creating awareness to public sector ICT officers about TC concept as one of
the IT security options for enhancing security in an organization
• Helping the public sector to have a better understanding on TC technologies
that are available on the market by bringing out some security issues that are
addressed in the TC.
• Proposing the TC implementation guideline for the public sector that can be
used to direct organizations implementing TC in a smart and systematic
manner.
1.9 Summary
This chapter primarily focuses on the objective and significance of the study
6
can be a good solution for securing information assets in the public or private sector.
Availability of trusted products in the market now can present a big opportunity for
the achievement of security goals. However, the integrity of TC products needs to be
verified and validated by a third party to ensure none of hidden interests are planted
in the tangible and intangible solution. Therefore the public sector IT officer’s
knowledge needs to be measured in order to provide a suitable strategy that can be
referred to in procurement of information assets such as personal computers, network
