When to use a TPM
TPMs are most useful for three kinds of tasks: remotely identifying a machine (machine authentication); protecting secrets in hardware (data protection); and providing verifiable evidence about a machine's state (attestation). Each of these categories covers a wide range of real-world applications, and some applications take advantage of more than one of them. In all cases, it is important to consider whether a TPM is the best tool for the job. TPMs are ubiquitous among enterprise computers and carry zero or minimal additional purchase cost, in contrast to smart cards or high-end cryptographic coprocessors. They have a number of specialized functions which can be very powerful in enterprise environments and which are hard to find elsewhere. However, TPMs are also slow and not suited to rapid, bulk operation. Using them, at least today, usually requires investing in specialized software, often written in-house; in some cases it even requires custom changes to an enterprise's PKI. If you have a single use case which a TPM and a more widely deployed technology could serve equally well, the overhead of setting up and integrating TPMs may reasonably be the deciding factor against them. However, if your enterprise is well placed to take advantage of several TPM features across diverse applications, the net benefits of TPM integration may well justify the initial overhead: once TPM deployment has been done well, the cost of each additional use case is quite small.