Upload: dci-ag

Post on 21-Mar-2016

TRANSCRIPT

Page 1: Brochure

© 2012 Wave Systems Corp. All Rights Reserved.

Wave Systems Corp.

Steven Sprague

President and CEO

Page 2: Brochure


Wave Systems Corp.

Over 23 years focused on hardware-based endpoint security

Wave is the leading trusted computing hardware Independent Software Vendor

Publicly traded on NASDAQ (WAVX) since 1994

First to provide Enterprise solutions leveraging Trusted Platform Modules (TPM), Self-Encrypting Drives (SED) and related authentication solutions

80+ million copies of Wave client software products shipped in 30+ languages

500K+ Enterprise customer seats deployed globally, including G500 customers in various verticals.

16 issued patents and 36 patents in-process

Founding member and Permanent Board Member of the Trusted Computing Group

Page 3: Brochure

A little history from the cellular industry

[Chart: cloning incidents over time, annotated "US Analog to Digital conversion" and "Introduction of Device ID in cellular"]

Page 4: Brochure

The Future is Mobile!!

BUT what is mobile???

Is it based on size – small (iPad?)

NIST 800-124 draft says: an operating system that is not a full-fledged desktop or laptop operating system

Microphone is optional??

Gets SMS? Rings? …

Page 5: Brochure

Mobile IS

The transition from a network based on connections to a network based on identity

With a mostly message-based transport, not link-based

A services and subscribers model

[Diagram: Device ID – The Networks (WiFi – 4G – wired) – Service – Device ID]

Page 6: Brochure

Therefore:

Every enterprise is its own little carrier

So every device is going to need a SIM module or equivalent

Trusted Computing: the foundation of modern network architecture

Enabling only known devices

Reducing reliance on users

Improving usability by transitioning training of the user to policy

Page 7: Brochure

• The Trusted Computing Group (TCG) is an international industry standards group

• The TCG develops specifications amongst its members

• Upon completion, the TCG publishes the specifications

• Anyone may use the specifications once they are published

• The TCG publicizes the specifications and uses membership implementations as examples of the use of TCG Technology

• The TCG is organized into a work group model whereby experts from each technology category can work together to develop the specifications

• This fosters a neutral environment where competitors and collaborators can develop industry best capabilities that are vendor neutral and interoperable

Page 8: Brochure

Copyright© 2010 Trusted Computing Group – Other names and brands are properties of their respective owners.

Trusted Computing Group Standards

[Diagram: the areas covered by TCG standards]

• Mobile Phones

• Authentication

• Storage

• Applications: Software Stack, Operating Systems, Web Services, Authentication, Data Protection

• Infrastructure

• Servers

• Desktops & Notebooks

• Security Hardware

• Network Security

• Printers & Hardcopy

• Virtualized Platform

Page 9: Brochure

What is a TPM

It’s a chip on the motherboard

It is the Trusted Root for device identity

It is on 600 million shipped PCs

It is on all Windows 8 Mobile devices

It will be on all smartphones

It stores keys that can’t be copied

It is the foundation of Trusted Execution

It is the foundation of High Assurance Platform

You already deployed and paid for it!

Page 10: Brochure

Trusted Computing standards = Best Cyber Investment

Hardware already deployed

TPM enabling tools are available for deployment at scale

Network stack is already in place for SSL and IPSEC

Most Effective Cyber Tool Ever Deployed

Known Device

Page 11: Brochure

Evidence of Return on Investment

DOD pays $100s to manage a PC

Hope it’s their device

Hope HBSS is running

Hope it has Data at Rest Encryption

Hope it has been patched

Apple spends $20

Only known devices on iTunes – each user gets 5

Only whitelisted software runs on the device

Tamper-resistant Apple keys for content-based control

Verizon spends less

Only known devices

Only known software

Page 12: Brochure

Leveraging the Device not the User

Make the device Safe to lose

TCG Self Encrypting Drives

TCG Opal standard for all storage

Enterprise proof of encryption if lost

Assure that the device is not compromised

TCG Bios integrity NIST 800-147 + 800-155 (draft)

Secure Boot

TNC + Device ID server for TNC in the cloud

Page 13: Brochure

Self Encrypting Drives

TCG Opal Self Encrypting Drives (SED) were introduced in 2009

SEDs have their own processor and RAM – making them impervious to software attack.

Encryption keys are stored in the drive controller chip and never leave. No management required.

Always-on AES encryption means all of the data is protected all of the time and cannot be turned off.

Drive-level authentication blocks all read/write functions until the user is verified.

Support SATA interfaces and are FIPS 140-2 certified. Available in spinning disks or solid state. A wide selection from Hitachi, Micron, Samsung, Toshiba and Seagate. Seagate has shipped over 1M drives.

Dell, HP and Lenovo sell SEDs for little to no added cost

Page 14: Brochure

Why Self-Encrypting Drives - SEDs

Substantially lower Total Cost of Ownership than Software Encryption

Key savings in lower operations cost

Potentially fastest ROI to IT

If you are in a cost-sensitive environment – the sooner you migrate the bigger the savings

Invisible to end user

No performance degradation

Single Sign-On

Supports CAC, PIV, Biometrics

Business case to migrate on OS upgrade

Save money upgrading to WIN 7

Save money when repairing machines

Page 15: Brochure

[Chart: Extensive Data Read / Writes – read and write throughput, Seagate Momentus 7200 vs Seagate Momentus 7200 SED, axis 0–90]

[Chart: Drive Throughput – Heavy Data Reads – Software Encryption #1, #2, #3, Avg Software FDE, Seagate SED, Seagate (No Encryption), axis 0–90]

1 Trusted Strategies LLC, "FDE Performance Comparison, Hardware versus Software Full Drive Encryption", February 9, 2010

Software FDE has major performance impacts on drives and processors

SEDs have zero impact on drive performance

Page 16: Brochure

1 Trusted Strategies LLC, "FDE Performance Comparison, Hardware versus Software Full Drive Encryption", February 9, 2010

Time to Return from Hibernation (chart axis 0–60; unit not given on the slide)

Software Encryption #3         41.26
Software Encryption #2         54.76
Software Encryption #1         26.37
Avg Software FDE               40.80
Seagate SED / Wave Embassy     23.22
Seagate (No Encryption)        21.42

Time Required to Encrypt Drive (chart axis 0–2000)

Software Encryption #3         23 Hr 46 Min
Software Encryption #2         8 Hr 9 Min
Software Encryption #1         3 Hr 16 Min
Self Encrypting Drive          0 Minutes – data encrypted as loaded

SED encryption is virtually instantaneous

Page 17: Brochure

1 Trusted Strategies LLC, "FDE Performance Comparison, Hardware versus Software Full Drive Encryption", February 9, 2010

Drive Throughput – Heavy Reads/Writes (MB/Sec)

Hard Drive w/Software FDE               37
Seagate Self-Encrypting Drive           67
SSD w/Software FDE                      67
Samsung SSD Self-Encrypting Drive      167

SEDs: Optimal

HDs / SSDs with Software FDE – Bad Mix

Page 18: Brochure

Other features of SED Opal drives

Primary mechanism to bind user to device

Always encrypted so solid state is protected

Better trust infrastructure enables proof of encryption

Machine can be reimaged without affecting Encryption

Multiple partitions allow very strong Isolation

Full integration with Smart Card authentication

Cheaper, better, stronger, faster, easier……

Page 19: Brochure

Standards

SP 800-147 BIOS Protection Guidelines – preventing unauthorized modification of BIOS

SP 800-155 BIOS Integrity Measurement Guidelines – establishing a secure BIOS integrity measurement and reporting chain

Page 20: Brochure

[Diagram: Standards, TPM Deployment, Improvements, Device Identity]

Wave Endpoint Monitor – Endpoint Health Solution

The Wave solution provides a trust infrastructure for remotely managed PCs:

TPM-based: provides a hardware root of trust

Strong machine identity: ensures it is a “known” device

PC integrity measurements / TNC: ensures that the device is in a known state before the OS loads

Getting back to basics – in an enterprise environment, legitimate firmware is absolutely necessary

Page 21: Brochure

Bios Integrity Management – Wave Endpoint Monitor

[Diagram: quoting process and PCR data collection on the PC or mobile endpoint; data upload to Wave Endpoint Monitor; query reporting, alert notification and export; monitoring and analysis]

BIOS Integrity Reporting for Secure Boot

Monitors endpoints

Capabilities reporting

Integrates with TNC

Data analysis, reporting and export

Page 22: Brochure

Malware Resistance: Architecture Win 8

[Diagram: boot chain UEFI Boot → Windows OS loader → Windows kernel and drivers → AM software → 3rd party software → Windows logon, governed by Boot policy and AM policy; measurements go to the TPM; the client sends a Client Health Claim to the Client Attestation service; steps numbered 1–4]

Secure Boot prevents malicious OS loader

Measurements of components including Anti-malware software are stored in the TPM

Client retrieves TPM measurements of client state on demand
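As an added illustration of the measured-boot and health-claim flow sketched on this slide (example code written for this page, not Wave's or Microsoft's software): each boot component is hashed into a PCR in order, the client quotes the PCR against a server nonce, and the attestation service compares it with a known-good value. The component images, the key and the HMAC-based quote are constructed stand-ins for the real TPM operations.

```python
import hashlib
import hmac

# Boot components measured in the order the slide lists them (constructed sample).
BOOT_CHAIN = ["UEFI Boot", "Windows OS loader", "Windows kernel and drivers",
              "AM software", "AM policy", "3rd party software"]
# Constructed stand-ins for the component images of a known-good ("golden") build.
GOLDEN_IMAGES = {name: f"{name} v1.0 image bytes".encode() for name in BOOT_CHAIN}
# Constructed shared secret standing in for the TPM's attestation key (hypothetical).
TPM_KEY = b"demo-attestation-key"
PCR_INIT = bytes(32)  # PCRs reset to all zeros at power-on


def extend(pcr: bytes, component: bytes) -> bytes:
    """TPM-style PCR extend: PCR_new = SHA-256(PCR_old || SHA-256(component)).
    Order matters: the same components measured in another order give another PCR."""
    return hashlib.sha256(pcr + hashlib.sha256(component).digest()).digest()


def measure_boot(images: dict) -> bytes:
    """Measured boot: each stage is hashed into the PCR before it runs."""
    pcr = PCR_INIT
    for name in BOOT_CHAIN:
        pcr = extend(pcr, images[name])
    return pcr


def quote(pcr: bytes, nonce: bytes, key: bytes = TPM_KEY) -> dict:
    """Client Health Claim: the PCR value bound to the server's nonce.
    HMAC stands in for the TPM's asymmetric quote signature."""
    return {"pcr": pcr, "nonce": nonce,
            "mac": hmac.new(key, nonce + pcr, hashlib.sha256).digest()}


def verify_health(claim: dict, nonce: bytes, golden_pcr: bytes, key: bytes = TPM_KEY) -> bool:
    """Attestation service: check freshness, authenticity, then the known-good baseline."""
    if claim["nonce"] != nonce:  # replayed or stale claim
        return False
    expected = hmac.new(key, nonce + claim["pcr"], hashlib.sha256).digest()
    if not hmac.compare_digest(claim["mac"], expected):  # forged claim
        return False
    return hmac.compare_digest(claim["pcr"], golden_pcr)  # any modified component fails


GOLDEN_PCR = measure_boot(GOLDEN_IMAGES)  # baseline recorded from the golden image


def attest(images: dict, nonce: bytes) -> bool:
    """One round of the exchange: server nonce -> client quote -> server verdict."""
    return verify_health(quote(measure_boot(images), nonce), nonce, GOLDEN_PCR)
```

A device whose anti-malware component has been replaced, a replayed claim from an earlier nonce, and a claim produced with the wrong key are all rejected, while the golden build passes.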

Page 23: Brochure

Putting it all together

[Diagram: Opal Drive – pre-OS load BIOS check + user auth PIN → OS START → DirectAccess with TPM + BIM domain logon with SC or TPM; BIOS Integrity Management; OPAL-sourced trust and TPM-sourced trust]

• Two independently sourced COTs systems

• Trusted pre-OS PIN entry

• All machines policy managed if connected (mobile)

• Users have no credentials – no phishing

• Simple to manage, simple to use

Page 24: Brochure

Trusted Computing Challenges

No experience with deployment

It’s not just security, it’s how the network functions and user experience

Industry built SED and ???????

Early value lays the foundation for enhanced needs – enhanced needs are needed now but we still need to build the foundation

Page 25: Brochure

Trusted Computing Use Cases for Mobile *

Consumer

• Mobile Banking

• NFC Mobile Payments

• E-Wallets

• Content Protection – DRM

• E-Health Application

Enterprise

• Strong Authentication / Network Access Control

• Device Integrity

• Data Protection

• Secure Messaging

Joint

• Machine Identity

• Device Management

• Identity Management

• Secure Apps

• Device Interconnectivity

* TCG Mobile Phone WG Use Cases V1.0 and V2.0

Page 26: Brochure

TPM in Smartphone

[Diagram: m/Trusted Platform Module holding Keys – Roots of Trust; Wave Systems mTPM Key & Management Server; Wave Systems mTPM Attestation / Integrity Server]

Device Identity – Issuance of Credential Keys

Platform, Component, Application Attestation/Integrity

Industry Standard, Cross Platform Interoperability

Page 27: Brochure

Time to start

Put SEDs on all new machines

Put TPM client management software on Gold image

Key every TPM prior to deployment of the machine

Leverage BIOS Integrity and Device ID in all Network services

Only Known machines


Steven Sprague President and CEO +1 413-243-7017 [email protected]

www.wave.com