Information Security Magazine


Companies Finding a Place for Maturing NAC Projects
by David Strom
Issue: Sep 2008

Lie Detector
New England pizza chain gains NAC capability by controlling access to endpoints with hardware-based security.

The pizza restaurant chain Papa Gino's takes a different tack when it comes to securing endpoints and controlling network access. The New England company has put together a collection of tools based on the Trusted Computing Module (TPM) and related software to help secure laptops used for various back-office functions. The IT team at Papa Gino's decided to control access to the network by first controlling access to the endpoints.

"We wanted to harden the endpoints themselves," says Chris Cahalin, manager of network operations for the corporation. "We discovered that by controlling access to the endpoint, we control who has access to the network."

IT staffers began buying laptops with TPM in spring 2005, and now have standardized on Dells. TPM is a special chip that has been included in all major laptop configurations for the past several years; it provides a protected environment, not accessible to the Windows operating system, that can store security keys and other encrypted information. The Papa Gino's rollout started with 250 PCs and laptops but might expand to several thousand machines over the next year, depending on whether the company extends the program to handle PC-based point-of-sale cash registers.

The solution involves Wave Systems' Embassy Trust Suite protection software, which works with the TPM to determine the state of a machine, and Seagate hard drives with built-in encryption. Each laptop user records his or her fingerprint, using the built-in reader, for pre-boot authentication and full disk encryption. "When a PC gets to the end of its life or needs to be reprovisioned, it literally takes us just a few seconds to securely repurpose it using remote instantaneous cryptographic shredding," says Cahalin. He and his team are also looking to incorporate the fingerprint scan as a means to authenticate a user to the network. "Our solution and Embassy works very nicely with Active Directory. You can set this up with a series of group policies in about 30 minutes--it is that simple."

One advantage of using biometrics with TPM protection is that IT can provide cheat sheets to employees on how to access the network without having to worry about them literally falling into the wrong hands, or fingers; the notes are Wave Systems-protected. Users can also create shared data repositories for specific users and purposes, such as for sensitive HR compensation documents.

"No one else has access to this data, even the departmental secretaries, because really, they shouldn't be able to see this information. And the encryption keys that are used to protect this data are being backed up to our servers and can be easily recovered. This way, we avoid any exposure if our employees lose their encryption keys. People may have the best of intentions, but we still need centralized control over data protection and data access," says Cahalin.

"The incremental cost is less than a few dollars per laptop; it's about as close to a no-brainer as you can get," he adds. The company eventually plans to move to Windows Server 2008 and NAP, and will use its TPM-based solution as the core. "TPM really provides a lie detector for endpoints because it enforces the integrity of the endpoint itself."



Implementor: Chris Cahalin, manager of network operations
Company: Papa Gino's
Size of deployment: 250 clients
Problem/solution: Network access control enabled by controlling endpoint access with tools based on security chip and related software

