The Massachusetts-based restaurant chain is pioneering the use of a little-known security chip, the Trusted Platform Module (TPM), that comes inside every Dell laptop and desktop the company buys. Not only does the chip generate and store encryption keys, helping to protect the chain’s business data, but it also enables easy finger-swipe or password-based authentication, guarding against identity theft for its employees and customers. When used with Wave Systems’ Embassy Trust Suite (ETS) software, the chip provides Papa Gino’s with a chain of trust from the laptop or desktop all the way to the server and datacentre.
“And it’s so easy,” says Chris Cahalin, network manager at the chain. He is amazed a solution that is so easy to administer and use is not better known in IT circles.
Getting to know the TPM
“Our introduction came through Dell,” Cahalin says, explaining how after a sales visit from the PC maker in March 2005, he went to its website to learn more. “Security is first and foremost in everybody’s mind, so naturally I clicked on a link, and it took me on this wonderful journey of Trusted Platform Modules. As I looked at it, the solution just made more and more sense to me. And then to realise that it’s already included in the hardware we’re buying today, I thought, my god, why aren’t we using this?”
Today, the TPM and Wave Systems’ ETS form the core of Papa Gino’s security strategy, Cahalin says.
“Typically, the normal laptop considerations are antivirus and antispyware,” he says. “Well for us, the first consideration is the ETS platform, and then we buy the antivirus and antispyware.” With the TPM-based security, Cahalin and his team are no longer chasing down lost encryption keys or forgotten passwords.
Papa Gino’s is moving to TPM-based machines in a controlled manner as it purchases laptops and desktops through planned upgrades, which cover 63% of its mobile workforce. The software has cost US$6,900 (NZ$10,430) to implement so far, while Papa Gino’s has seen a better than triple ROI of $22,400 in the first year. “That’s in support costs, and in having centralised control over the encryption methods used,” he says.
In the past, Papa Gino’s, like many other companies, had a hodgepodge of security schemes in place.
“For instance, finance was implementing ad hoc security solutions, where it would either password-protect files or use third-party encryption. But then it would lose the keys, and it was a mess,” Cahalin says. “We had to bring in a number of temps just to recreate all this end-of-year work very quickly, and it costs us tens of thousands of dollars to do that. Now we have centralised control over that and can avoid those kinds of instances going forward.”
How it works
Users no longer need to worry about encryption keys or long passwords. Before a laptop or desktop boots, users authenticate to the network via a finger-swipe. Those “preboot” credentials are sent to the back-end Embassy Authentication Server, which authenticates the users to the domain. “The data on the laptop hard drive is secure all the time, because it requires preboot authentication,” Cahalin says. “If it’s ever lost or stolen, we have this unprecedented level of security.”
And swiping a finger is far easier than remembering a long, complex password. “I have one high-level user who is described by my LAN admin as being more suited to an Etch-A-Sketch than a laptop. This person has had no problem at all,” Cahalin says. “Everyone loves it because they just run their finger over it, boom, they’re in and life is great.”
If a laptop is lost or stolen or fails, recovering the keys is a snap, he says. “If you lose a TPM, you can migrate the keys down from the [Embassy Key Management Server] to any TPM-enabled device,” he says. “So if you lose a laptop, you don’t lose any data, because it’s all encrypted, and you have the key securely backed up on the EKM Server. It’s a very good solution for us.”
Encrypting data is easy and well integrated with popular software, such as Microsoft’s Office Suite, Cahalin says. “When you’re in Word or Excel, and you’re creating a document, you have new icons where you can just ‘save and encrypt as’, and that document will then be encrypted and saved in a secure vault,” he says.
Even systems administrators can’t access the data. “It’s unintelligible, because you can’t even see the name of the file, and you certainly don’t have access to the contents,” he says.
The security scheme also circumvents a well-known problem in real-world networking — that of the novice user keeping cheat sheets of passwords and logon information. “Now that’s solved, because people simply turn on their laptop and they can preboot authenticate with a finger swipe,” Cahalin says. “They then open up a vault with another swipe of their finger, and inside that vault are all the documents they need. And only they can see them.”
Watch the vendors
Cahalin has one caveat: make sure your TPM vendor uses open standards and not proprietary encryption and authorisation methods. When he first discovered the TPM technology on the Dell site, he decided to investigate what HP and Lenovo were offering in the same area.
“HP didn’t have a solution that year, even through March 2006,” he says. “And the kicker is that when it finally does work, it’s only going to work with HP equipment, which is bizarre.”
In addition, the HP and Lenovo iterations were far more limited in scope. “Both HP Protect Tools and [Lenovo] ThinkVantage limit where you can encrypt your data, so with HP you get this thing called the personal secure drive, with 1GB of local space to encrypt your data. It can’t grow in size, and you can’t put it anywhere else,” Cahalin says. “With Dell and Embassy, I can create the secure vault locally, on the network, on removable media or wherever I want — and it’s unlimited in size. It’s a difference you need to be aware of.”
Good security doesn’t need to be hard
The upshot is that Papa Gino’s now has strong, bulletproof security from the desktop to the server that is much easier to use and implement than any other security technology the chain has tried in the past.
“It’s like a hidden gem,” Cahalin says. “People think you’re going to add complexity because it’s more secure — it’s got to be more difficult, right? Well, no. Actually, it’s just the opposite. It’s such a well thought out, elegant solution that we can’t push it out fast enough.”