Network Computing is part of the Informa Tech Division of Informa PLC

Industry Insights: The Trusted Computing Dilemma

Several proprietary approaches to this type of policy enforcement are available. Our Feb. 19 "On Location" case study discussed the University of Florida's Icarus software, which enforces network policies by monitoring traffic and removing machines from the network when they misbehave. The InfoExpress CyberGatekeeper, which we reviewed in the same issue, is also designed to enforce network policies.

The Trusted Computing Group (www.trustedcomputinggroup.org), an industry standards organization, is using 802.1X, RADIUS and EAP in a methodology it calls "Trusted Network Connect" (contributing editor Robert Moskowitz details its efforts in "Can Trust Be Put Into Computing?"). The group demoed the technology at NetWorld+Interop in Las Vegas last week; you'll find a primer here.

Who's in Control?

But what if the user's computer is no longer controlled by the network admin? Instead, the applications on that computer must meet a policy set by your hardware and software vendors, if you want their ongoing support. This "trusted computing" scheme would be great for ensuring that software is licensed properly and hasn't been tampered with, and for running distributed applications on unknown computers, but it also could be abused by those implementing it.

In "Trusted Computing: Promise and Risk," Electronic Frontier Foundation staff technologist Seth Schoen provides some hypothetical scenarios that don't bode well for trusted computing, at least not from the user's side. He envisions situations in which external parties dictate which software your machines run. Microsoft's IIS could restrict communication to Internet Explorer, for example, or AOL could force people to use only its IM client.