Placing trust in the business PC

Trusted Virtualization keeps employees from compromising their employer’s IT investments.

By Simon Firth

Imagine this: your son begs to borrow your laptop to go online. Reluctantly, you let him. Then the next time you boot up, a virus crashes your machine. But here’s the kicker: that was your work PC.

Scenarios like that aren’t supposed to happen. But people use their work machines for personal computing all the time, says HP Labs researcher Richard Brown, even when they are told not to.

And things aren’t going to change, Brown believes. “The boundary between our business and personal lives these days is more blurred than it has ever been,” he says. “And the reality is people don't want to separate the two from a device point of view. Many run iTunes on their work PC to play music or use their favorite instant messenger to communicate with friends and family.”

It’s all about trust

Rather than trying to enforce the unenforceable, suggests Brown, we need new technology that will enable employers to feel safe in allowing their staff to use their work machines out-of-hours for personal use.

Brown is part of a team of researchers at the HP Bristol, UK lab who’ve built a prototype, super-safe PC that can do just that – by creating separate, secure virtual environments for work or personal computing. Crash your personal area on such a system and your business area keeps running fine. Plus its security will be utterly uncompromised.

Intriguingly, these different environments can run different operating systems. And there can be any number of them. Along with areas for work and home, for example, you might have a third area for your personal banking, and a fourth dedicated to your voice-over-IP phone.

The HP ‘Trusted Virtualized Client’ PC does all this thanks to an embedded security chip, or Trusted Platform Module as defined by the Trusted Computing Group. When the PC is set up for the first time, that chip establishes an unforgeable identity and a set of integrity measurements known to the corporate network. Then, whenever the PC’s work environment connects to the network, the company’s network can check that the system has not been tampered with in any way before allowing full access.

A virtual system

The other key element in a ‘Trusted Virtualized Client’ PC is its open source ‘hypervisor’ – software that boots up before the operating system and splits a single computer into several virtual systems, allowing the user to toggle between the different virtual compartments.

Thanks to the Trusted Platform Module, says Brown, “you can always measure that this hypervisor has not been compromised, which in turn enables a company’s network to validate that the work environment executing on it is properly configured and isolated from any personal operating system running on the same PC.”

As well as running different operating systems, the different compartments can be given different security permissions. You might allow file uploads onto a memory stick from a personal area, for example, but not from a work area.

Switching back and forth between the different areas – so long as you have permission – is simple. And that flexibility is key – it allows the owners of the PC to balance security with the practical realities of running a business, and do it in a controlled way, in accordance with company policy.

An industry-wide effort

HP Labs has been researching trusted computing systems for many years, but this particular project was launched three years ago when HP helped initiate a European collaborative project called Open TC (for Open Trusted Computing).

By pooling the research power of companies like HP, AMD and IBM and several European universities, HP Labs’ Systems Security Lab has led the Open TC consortium in the creation of an architecture and set of applications for trusted and secure computing systems based on open source software.

HP Labs’ ‘Trusted Virtualized Client’ PC was first built as a working example of Open TC technology. But it’s hoped that elements of its design will find their way into the company’s future product and service offerings.

What businesses need

One promising line of investigation for the use of these new client architectures enables trusted computing in the world of small and medium-sized businesses (SMBs).

While virtualization has existed for some time in large corporate IT systems, especially backend data centers, this is one of the first virtualization solutions to focus on manageability and security on the client PC side rather than the server. That’s very appealing to businesses that are too small to need their own server infrastructure.

Many SMBs are also too small to justify a dedicated IT team to protect what infrastructure they have, which makes owning PCs that are less frequently compromised all the more attractive.

And smaller enterprises are likely to need help managing and configuring their systems – which suggests future business opportunities beyond simply offering the basic ability to situate sets of applications in their own trusted virtualized compartments.

“It actually becomes much easier now,” notes Brown, “to deploy a set of applications or a set of policies right across your infrastructure, because the architecture of the client receiving these things is set up in a modular and secure way.”

The value of flexibility

“Imagine I’m traveling,” suggests Brown. “I’m in an airport lounge and I want to connect to my corporate network. Now I can plug my laptop into the airport network and my virtualization layer will run a piece of Virtual Private Network software that would tunnel into my corporate network and set up a secure connection for my corporate compartment into my intranet. It means that the work compartment installed by my company on that system is never actually exposed to the public Internet.”

At the same time, Brown could be running a personal compartment to check his email, download files and watch movies via the airport’s public network – all things that have the potential to compromise a corporate network.

The only way you could safely provide such freedom today is to have a computer with full access to the company network and to the internet simultaneously. And that, says Brown, “utterly breeches most corporate security policies.”