About cookies on this site Our websites require some cookies to function properly (required). In addition, other cookies may be used with your consent to analyze site usage, improve the user experience and for advertising. For more information, please review your options. By visiting our website, you agree to our processing of information as described in IBM’sprivacy statement. To provide a smooth navigation, your cookie preferences will be shared across the IBM web domains listed here.
Abstract
Using software-only approaches makes it is practically impossible to completely secure software applications, as well as corporate information, against determined cyber-criminals. Therefore, in an era where any general-purpose operating system (OS) with end-user access can be hacked, we propose using dedicated security hardware to ensure that only authorized people obtain access to sensitive information. The fundamental principle involves booting the end-user computer from such a trusted mobile device without trusting any software installed on the computer. The device establishes a secure connection to the back-end infrastructure to provide access to the user's OS, e.g., through a remote terminal access or provisioned on the local computer. The solution is very simple to operate, as many corporate employees are not necessarily IT (information technology) savvy. In this paper, we discuss the combination of our dedicated tamper-resistant security boot-token operating user credentials with known defense mechanisms, such as OS virtualization, trusted boot, establishment of client-side and server-side authenticated secure channels to trustworthy back-ends, and client-side storage encryption. This novel combination forms an easy-to-use and highly mobile security solution that addresses security challenges of the BYOD (bring-your-own-device) approach. As a proof point for the latter claims, we report on initial real-world usability tests.