
Data Security Requires Policy Plus Enforcement


Recent front-page news about data theft, such as from the US Govt. Office of Personnel Management, serves as a reminder that security is a multi-layered challenge. In the domain of information security, the defenders are always at a disadvantage. That means that diligence, and a motivation to move beyond simple "checkbox compliance," are required in order to mount an effective defense.

Typical IT policy standards include stated requirements for encryption and auditing. But turning generic terms of art into real security requires judgement and skill. Compliance and actual security are not the same thing.

The good news is that we already know the solution for better data security: defense in depth. Start with inventory and data classification. Distinguish between sensitive (for example, a line of business database) and everyday (for example, the internet) network resources.

Next, add policies for authentication, authorization, confidentiality, and auditing. Don't allow network connections to sensitive assets unless meaningful security policies are in place.

Finally, add the linchpin: enforcement. Meaningful security policies to enforce include:

  • Hardware-based disk encryption
  • Whitelisted firmware, operating system, and application software components
  • Strong authentication of the user plus the host device

What to Enforce

Existing computing platforms such as Windows 8 and Linux allow many policies to be checked using a hardware root of trust and platform attestation. On Windows, these policies include:

  • BitLocker with TPM and PIN: mitigate the threat of offline attacks
  • Driver Authenticode Signatures: whitelist early-boot software components from trusted OEMs
  • Early Launch Anti-Malware: initiate anti-virus protection before other operating system components initialize
  • Kernel debugging (i.e., that it's disabled): don't give users more privilege than they need in order to be productive
  • Kernel-Mode Code Integrity: only run digitally signed binaries in the operating system kernel
  • TPM storage and endorsement hierarchy attestation: bind credentials to a specific device
  • TPM trusted manufacturer Endorsement Key: ensure hardware root of trust from known OEMs

Notably, new policies coming in Windows 10 include:

However, it's not enough to just enable those policies. After all, many attacks start by disabling host security features. Plus, for usability reasons, most systems prompt for user credentials only occasionally, relying on cached session state in the interim. That's why it's important to enforce security policies in real time whenever an attempt is made to access sensitive data. To learn how to do that, read on.

How to Implement Enforcement

In order to enforce security policy, make authorization conditional on compliance. That is, if the computer or the user account is not compliant with security policy, any attempt to access sensitive network resources must be prevented. That sounds simple enough, but as stated previously, the complexity (and old age) of network security protocols can make this challenging. And we can't sacrifice usability without risking end-user mutiny.

Despite the challenge, several mechanisms are available today for implementing security policy enforcement with reasonable usability:

  • Enforce the hardware root of trust mechanisms described above using remote platform attestation
  • Bind user and computer credentials to a specific device in a specific state. TPM sealed keys are one way to do this.
  • Integrate new authorization capabilities in a standards-based way so that existing line of business applications can use them. This can be done with PKI or token/federation-based integration, for example.
  • Limit the lifetime of derived credentials and protocol session state, including automatic forced cleanup when a policy violation occurs.

The JW Secure StrongNet Secure Admin solution is one example of the above approach. Complementary solutions that implement a subset of these techniques include Google Chromebook, Intel Trust Attestation, Microsoft TPM Key Attestation, and StrongSwan.
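The following is an added example, not code from JW Secure or from any of the products named above. It models the two ideas the "What to Enforce" list and the four enforcement mechanisms describe: a host presents attested policy state (BitLocker with TPM and PIN, signed drivers, ELAM, kernel debugging disabled, kernel-mode code integrity, a trusted Endorsement Key issuer), access to a sensitive resource is granted only while that state satisfies policy, and the resulting session is bound to the device, short-lived, and forcibly cleaned up as soon as a later attestation shows a violation. The claim names, the policy evaluator, the `Gateway` class and the issuer name are all assumptions made for this example; a real deployment would take the claims from a remote attestation protocol rather than from a dictionary.

```python
"""Policy-conditional authorization gateway (added example, not JW Secure's code)."""
import time
from dataclasses import dataclass

# Constructed placeholder: in practice this is the set of TPM manufacturer
# CAs whose Endorsement Key certificates you accept.
TRUSTED_EK_ISSUERS = {"ExampleTPMVendor CA"}

# One predicate per policy from the article's Windows list. Claim names are an
# assumption for this example, not a real attestation-report schema. Every
# predicate uses .get() so a missing claim fails closed rather than passing.
REQUIRED_POLICIES = {
    "bitlocker_tpm_pin":       lambda c: c.get("bitlocker") == "tpm+pin",
    "driver_signatures":       lambda c: c.get("driver_signing") is True,
    "elam_enabled":            lambda c: c.get("elam") is True,
    "kernel_debug_disabled":   lambda c: c.get("kernel_debug") is False,
    "kernel_code_integrity":   lambda c: c.get("kmci") is True,
    "trusted_ek_manufacturer": lambda c: c.get("ek_issuer") in TRUSTED_EK_ISSUERS,
}


def evaluate(claims):
    """Return the names of the policies the attested claims fail (empty list == compliant)."""
    return [name for name, check in REQUIRED_POLICIES.items() if not check(claims)]


@dataclass
class Session:
    device_id: str
    user: str
    expires_at: float


class Gateway:
    """Grants access to a sensitive resource only while user and host are both compliant."""

    def __init__(self, ttl_seconds=600, clock=time.time):
        self.ttl = ttl_seconds      # lifetime of derived session state
        self.clock = clock          # injectable for testing
        self.sessions = {}          # (device_id, user) -> Session

    def authorize(self, device_id, user, claims, user_authenticated):
        """Issue a device-bound, short-lived session; any failure also clears stale state."""
        failures = evaluate(claims)
        if not user_authenticated or failures:
            self.revoke(device_id, user)
            return False, failures
        self.sessions[(device_id, user)] = Session(device_id, user, self.clock() + self.ttl)
        return True, []

    def access(self, device_id, user):
        """True only for an unexpired session presented from the same device it was issued to."""
        session = self.sessions.get((device_id, user))
        if session is None or session.expires_at <= self.clock():
            self.sessions.pop((device_id, user), None)   # expired: clean up
            return False
        return True

    def report(self, device_id, claims):
        """Process a later attestation; on violation, force cleanup of every session on that device."""
        failures = evaluate(claims)
        if failures:
            for key in [k for k in self.sessions if k[0] == device_id]:
                del self.sessions[key]
        return failures

    def revoke(self, device_id, user):
        self.sessions.pop((device_id, user), None)


# Constructed sample claims for a compliant host (not real attestation data).
COMPLIANT_HOST = {
    "bitlocker": "tpm+pin", "driver_signing": True, "elam": True,
    "kernel_debug": False, "kmci": True, "ek_issuer": "ExampleTPMVendor CA",
}


def demo():
    """Walk a device through grant, violation-triggered cleanup, and re-authorization."""
    gw = Gateway(ttl_seconds=300)
    granted, _ = gw.authorize("laptop-01", "alice", COMPLIANT_HOST, user_authenticated=True)
    first = gw.access("laptop-01", "alice")
    # A later attestation shows kernel debugging was turned on: sessions are dropped.
    violations = gw.report("laptop-01", dict(COMPLIANT_HOST, kernel_debug=True))
    after = gw.access("laptop-01", "alice")
    return granted, first, violations, after


if __name__ == "__main__":
    print(demo())
```

The point of the structure is that authorization is never a one-time event: `authorize` checks host state at grant time, `access` enforces the lifetime and the device binding on every use, and `report` re-checks the host whenever fresh attestation arrives and tears down sessions rather than waiting for them to expire.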

For more information, please reach us at, and visit the links below.


Quote of the month

I know not why there is such a melancholy feeling attached to the remembrance of past happiness, except that we fear that the future can have nothing so bright as the past.
- Julie Ward Howe -

Thank you for reading the JW Secure Informer

This information has been organized and published by:
JW Secure, Inc.
1752 NW Market St. • Suite 227 • Seattle, WA 98107
© 2015 JW Secure, Inc. All Rights Reserved.