IBM J. Res. Dev

IBM secure enterprise desktop

View publication


Using software-only approaches makes it is practically impossible to completely secure software applications, as well as corporate information, against determined cyber-criminals. Therefore, in an era where any general-purpose operating system (OS) with end-user access can be hacked, we propose using dedicated security hardware to ensure that only authorized people obtain access to sensitive information. The fundamental principle involves booting the end-user computer from such a trusted mobile device without trusting any software installed on the computer. The device establishes a secure connection to the back-end infrastructure to provide access to the user's OS, e.g., through a remote terminal access or provisioned on the local computer. The solution is very simple to operate, as many corporate employees are not necessarily IT (information technology) savvy. In this paper, we discuss the combination of our dedicated tamper-resistant security boot-token operating user credentials with known defense mechanisms, such as OS virtualization, trusted boot, establishment of client-side and server-side authenticated secure channels to trustworthy back-ends, and client-side storage encryption. This novel combination forms an easy-to-use and highly mobile security solution that addresses security challenges of the BYOD (bring-your-own-device) approach. As a proof point for the latter claims, we report on initial real-world usability tests.