IBM Debuts Swiss Bank-Tested Secure Remote Desktop Via USB

IBM's new Secure Enterprise Desktop, an encrypted USB device that plugs into an employee's personal computer and allows him or her to access their entire corporate computing environment.

IBM’s research team in Zurich, Switzerland is up to more than just making pretty pictures of molecules. The researchers have also turned their attention to something more practical to the rest of us with office jobs: Secure, remote, corporate desktop PC environments, delivered within seconds by simply plugging a USB stick into your existing personal PC.

The new technology, called the Secure Enterprise Desktop, is a modified version of an earlier device called the Zone Trusted Information Channel, or ZTIC, which was first developed by IBM almost three years ago specifically to help Swiss banks — famously among the most secure, private and well-regarded in the world — to protect users against the increasing threat of “man in the middle” attacks. These types of attacks take advantage of even supposedly secure Web banking software to intercept user information.

“The main issue for the banks was that no matter how secure their servers are, end-users possibly still have malware on their PCs,” said Dr. Michael Baentsch, the IBM researcher who developed the technology, in a telephone interview with TPM.

“What this meant is that we needed to create an additional level of protection outside the level of the PC itself, a piece of hardware combined with security software running outside the PC,” Baentsch elaborated. “What we came up with was a USB device with its own crypto-engine.”

The new device is internally called an eZTIC, for “enterprise” version. Once plugged into a user’s Windows or Linux computer, the encrypted USB sidesteps the actual PC itself and establishes a direct connection with the corporate servers, serving up a fully-loaded corporate desktop environment entirely remotely within just 2 minutes, including software the user doesn’t even have on his or her PC, such as Microsoft Office products.

“Whatever software you want will work,” said Baentsch.

The result, as an IBM informational release explains, is that “malicious software (either in the network or on the user’s PC) cannot interfere with the data transmitted between eZTIC and backend server.”

The encrypted USB device itself appears on a user’s PC as a storage drive, and presents a message if the computer failed to boot the remote desktop environment correctly, indicating a possible security breach. Even if a worker manages to lose the encrypted USB device or someone steals it, the network and the device itself are protected, as the device itself doesn’t contain application data, just instructions for communicating with the cloud. The USB also has additional layers of protection, such as requiring password entry or even a physical badge to be scanned.

Moreover, once the initial desktop has been loaded from the cloud, the user can access it any time thereafter even offline, using the USB. That’s because the USB contains disk images for loading the entire desktop environment as it was last accessed and storing changes made offline. Once reconnected to the cloud, the USB will save any changes that the user made on his or her desktop environment back again to the cloud.

Thus, IBM hopes to save corporations and businesses of all sizes the hassle of having an IT person manually check every person’s PC for malware, or having a security software program automatically check them, which could potentially be compromised by another piece of malware.

“Any person can be hired to work for a particular company with any particular security requirements,” Baentsch told TPM. Including, of course, freelancers. “This eliminates the need for employees to carry around company-issued laptops that have all their data on them, vulnerable to theft, loss or intrusion.”

IBM’s goal: To help usher in the era of “bring your own device,” BYOD, a trend that’s already taken off around the globe and presented workplaces with numerous challenges regarding compatibility and security. But IBM hopes to go a step further and make the BYOD age the most secure yet.

“We’ve successfully tested in a few Swiss banks,” said Baentsch of his ZTIC devices, citing the Union Bank of Switzerland (UBS) as one example.

Baentsch said that IBM will begin customer trials this year and aims to have the device on the market in 2013.

“We’re very much driven by people around us,” Baentsch mused. “Here in Zürich, in Europe in general, there’s a strong tendency for people to be privacy incentivized. The climate and the banks have pushed this to extraordinary levels of requirements, which in turn pushes us to extraordinary levels of innovating new solutions. Of course, other companies besides banks have these problems with advanced persistent threats. Now we have an answer.”

Correction: This post originally erroneously conflated the ZTIC device with the eZTIC device. In reality, they are two distinct devices, with banks using the ZTIC and IBM testing the eZTIC internally. The post also originally did not cite any banks that had tested the ZTIC device due to confidentiality agreements. IBM provided additional information that Union Bank of Switzerland (UBS) used the device. The post has been corrected and updated in copy, and we regret any errors.
