A nice Q&A session with the editor in chief of All About Security, touching on questions about everything from Wave CEO Bill Solms’ background and his vision for the future of Wave, to Bill’s take on tackling the ever-challenging cybersecurity culture and even dabbling in the media-soaked controversy surrounding the Snowden effect.
Davor Kolaric: You became CEO of Wave Systems nine months ago, when you replaced your predecessor Steven Sprague, who had led the company for nearly twenty years. What changes can we expect under your leadership?
Bill Solms: That’s correct. I’ve been on board as CEO since mid October 2013, taking the place formerly occupied by Steven. He was with Wave for almost twenty years, including fifteen years leading the company as its CEO. Alongside a simplification of our product pricing, the most important change is surely a stronger focus on “solution selling”—we sell solutions, not products. In the past, we had strongly concentrated on explaining our technology and the open industry standards that stand behind it: What is a TPM? How does an encryption algorithm work? Who comprises the Trusted Computing Group? What are OPAL standards? Answering these and other questions was our focus. But now it’s much more important to provide companies with solution-oriented explanations, i.e. to explain exactly which problems can be solved with our products. On the one hand, we have our ERAS solution to administrate self-encrypting hard drives. On the other hand, we have ERAS for the management of TPMs, to which our new virtual smart card VSC 2.0 belongs as a use case.
DK: Yes, I wanted to talk about that. Wave recently began marketing VSC 2.0, i.e. the second generation of the virtual smart card. How does a virtual smart card work? And how does it differ from a physical smart card or a token?
BS: VSC 2.0 solves a very specific problem in the area of two-factor authentication. Companies ordinarily use physical smart cards with chips or USB tokens for this. But the problem here is that these little objects are likely to be lost. A recent study found that one-third of these physical tokens either get lost or need to be replaced by new ones because they no longer work properly, for example, after they’ve gone through a security scanner at an airport. This generates a lot of administrative work and significantly increases expenses. With VSC 2.0, we offer companies a type of two-factor authentication that’s 50% to 75% less costly. Wave’s virtual smart card emulates the functions of a physical smart card by connecting the user’s credentials and the device’s identity. This happens with and in TPM, a security chip built into almost all endpoints by the most widely diverse manufacturers because it’s subject to open industry standards. For authentication, the user simply has to remember his password. The second factor, i.e. the “token,” is present in virtual form and securely protected directly on the motherboard of the user’s endpoint device.
DK: Against which specific security problems does this solution provide protection?
BS: It simply makes sense to connect the user’s identity and the device’s identity. Perhaps you recall the security incident that occurred in November of last year at Target, the US chain of retail stores? Hackers successfully stole valid user credentials that had been deposited in the system for maintenance purposes. Afterwards the hackers used the access data to penetrate more deeply into the company’s network, where they gained access to considerably more sensitive data. This sort of thing cannot happen if you use a virtual smart card. Even if a hacker succeeds in getting his hands on valid user data, ERAS will deny him access to the surroundings or to the application if these [i.e. the surroundings or the application] aren’t connected with the ID of an administrated device that was assigned to this user or this specific group of users. This means that a hacker must bring the targeted user’s device into his possession and then disable the device’s security mechanisms. That’s very difficult because the TPM is firmly attached to the motherboard. Afterwards the hacker must type in the stolen but still valid user data before the theft of the device is detected and access is blocked.
DK: Hasn’t this solution already been available from Microsoft for a long time? Why is Wave bringing VSC 2.0 to the market now?
BS: It’s true that Microsoft also offers a virtual-smart-card function. But as is usual with partner solutions, we’ve invested a great deal of time and research to optimize this solution. It’s very simple for users and administrators to operate and administrate ERAS. But probably the most interesting aspect is this: Wave’s VSC 2.0 is the industry’s only enterprise-class solution for the management of virtual smart cards that’s not only compatible with Windows 8 and 8.1, but also compatible with Windows 7. Our market research has shown that there’s still a very strong need for precisely this capability.
DK: In the wake of the Snowden affair, do you believe that purchasers will still have confidence in a technology that works on the basis of TPMs?
BS: TPMs are manufactured in accord with the open industry standards of the Trusted Computing Group. This group’s current chairman is a German: Dr. Jörg Borchert from Infineon. Other members of its board of directors come from Fujitsu, Intel, Lenovo, Cisco, IBM, HP, Dell, Juniper and also from Wave Systems. This means that we’re dealing here with a globally functioning association of businesses. The encryption is based on well-known algorithms—Boudewijn Kiljan, our CTO EMEA, can certainly explain this to you better than I can [e.g. here and here—Editor’s note]. What’s much more important are the specific problems that ERAS can solve for customers. ERAS isn’t the TPM. Wave doesn’t manufacture TPMs, but we deliver security-management software to administrate special hardware, namely: TPMs or SED-SSDs. Some people aren’t clear about this distinction.
DK: Yes. Wave became well known through its solutions for the management of self-encrypting hard drives. Is this technology also based on the TPM?
BS: ERAS for SED-SSDs is somewhat different from ERAS to administrate TPMs. ERAS administrates certificates and user credentials. And we can do that with ERAS for SED-SSDs (i.e. self-encrypting hard drives) or for terminal devices equipped with a TPM. That’s a current total of 2.1 billion endpoints.
DK: Wave can also protect against APTs. How?
BS: One of our products is WEM, the Wave Endpoint Monitor. WEM can be implemented to monitor particular values in TPM. This involves so-called “PCR values.” These values change when a rootkit is smuggled in. WEM detects suspicious patterns in these changes and can sound the alarm. With WEM, we offer the best-possible early-warning system against advanced persistent threats because all of these monitoring processes and the potential automated responses to suspicious patterns occur before the startup of the computer and the operating system. No other product accomplishes this.
DK: What is Wave prioritizing for the future?
BS: Wave Systems will continue to play a pioneering role in terms of technology. For example, we’re working on additional solutions to safeguard mobile telephones. Another field of business is to safeguard so-called “card-not-present transactions,” i.e. payments via credit card in online shops. I’m not at liberty to divulge any further details about this, but I can say that we’re in the process of expanding our technological partnership in both of these areas.
DK: Thank you for talking with me, Mr. Solms.
BS: I thank you, Mr. Kolaric.
Incidentally: a clear and descriptive video about VSC can be found here.
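The PCR monitoring Solms describes in the interview rests on one TPM property: a PCR can only be "extended", so its final value depends on every boot component and on their order, and a known-good baseline exposes any change. The following script, added here as an illustration and not code from Wave or from the interview, simulates that extend chain over a constructed boot sequence; the PCR assignments and component names are made up for the example, and it uses a SHA-256 bank rather than the SHA-1 PCRs of TPM 1.2.

```python
import hashlib
from typing import Dict, List

# Added illustration of TPM-style PCR extend and baseline comparison.
# A PCR is never written directly; each measured component is folded in:
#     PCR_new = H(PCR_old || H(component))
# so the final value depends on every component and on their order.

HASH = hashlib.sha256            # SHA-1 in TPM 1.2; a SHA-256 bank is shown here
DIGEST_LEN = HASH().digest_size  # PCRs start at all-zero bytes of this length


def extend(pcr: bytes, measurement: bytes) -> bytes:
    """One PCR extend: hash the old PCR value concatenated with the new digest."""
    return HASH(pcr + HASH(measurement).digest()).digest()


def boot_pcrs(components: Dict[int, List[bytes]]) -> Dict[int, bytes]:
    """Simulate a boot: every PCR starts at zero, then each component is extended in order."""
    pcrs = {}
    for index, items in components.items():
        value = bytes(DIGEST_LEN)
        for item in items:
            value = extend(value, item)
        pcrs[index] = value
    return pcrs


def compare_to_baseline(baseline: Dict[int, bytes], observed: Dict[int, bytes]) -> List[int]:
    """Return the PCR indices whose observed value differs from the known-good baseline."""
    return sorted(i for i in baseline if observed.get(i) != baseline[i])


# Constructed sample boot chain (placeholder names, not real firmware images).
GOOD_BOOT = {
    0: [b"firmware-v1.0"],
    4: [b"bootloader"],
    8: [b"kernel-image", b"initrd"],
}
# Same chain with one extra module measured before the kernel: the kind of
# pre-OS change a monitor comparing PCRs against a baseline would flag.
TAMPERED_BOOT = {
    0: [b"firmware-v1.0"],
    4: [b"bootloader"],
    8: [b"hidden-module", b"kernel-image", b"initrd"],
}


def demo() -> List[int]:
    """Which PCRs changed between the known-good boot and the tampered one? Expect [8]."""
    return compare_to_baseline(boot_pcrs(GOOD_BOOT), boot_pcrs(TAMPERED_BOOT))


if __name__ == "__main__":
    print("changed PCRs:", demo())
```

Because the extend is order-sensitive, swapping two components yields a different PCR value even though the same set of components was measured, which is why a baseline comparison catches reordering as well as insertion.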