
Enhancing security of enterprise owned devices leveraging TPM based identities

Andrea Bonvissuto

Enhancing security of enterprise owned devices leveraging TPM based identities.

Supervisor: Fulvio Valenza. Politecnico di Torino, Master's degree in Computer Engineering (Corso di laurea magistrale in Ingegneria Informatica), 2024

PDF (Tesi_di_laurea) - Thesis
Access restricted to staff users only until 13 December 2027 (embargo date).
Licence: Creative Commons Attribution Non-commercial No Derivatives.
Abstract:

Today, enterprises and large organizations face significant challenges in securing their client fleets, especially as cyber threats grow and become more sophisticated. In addition to user authentication, it is useful for the enterprise to identify the device being enrolled and used, and its trust status (i.e. how it is managed). For example, an enterprise will often want to differentiate between domain-managed devices, BYOD (Bring Your Own Device) systems, and the more restricted secure systems used for sensitive operations. Device identities provide a mechanism to build this trust. These device identities need to be tied to the hardware platform, so that the enterprise knows which device is accessing cloud and network resources. The presence of Trusted Platform Modules (TPMs) on client devices makes such identities possible. A TPM is a small cryptographic coprocessor that, among many other features, allows a device to securely generate and manage cryptographic keys in a dedicated hardware chip. This reduces the attack surface and the risks related to the use of in-memory keys, and stops keys from being moved to other systems. A TPM-based device identity standard defines a manufacturer-issued Initial Device IDentity (IDevID), binding the TPM identity to the platform identifiers (serial number). These assertions, bound to TPM keys and provided as X.509 certificates, can later be verified and used as a trust anchor throughout the lifecycle of the device. From these IDevIDs, further Local Device Identities (LDevIDs) can be issued for specific purposes. This thesis introduces a proof-of-concept showing how an enterprise can manage device identities for its PC fleet. The PoC is an Azure App that would be installed in an enterprise's Azure tenant. This way it can be integrated with enterprise resources such as Azure Active Directory (AAD), which provides information about users, their rights and roles, and the devices they use.
The PoC shows how the enterprise can manage device identities over the lifetime of the device, from the initial enrollment with IDevID checks through to issuing and revoking LDevIDs, allowing access to different corporate resources based on the groups the user and the device belong to within the AAD. The PoC also provides a dashboard, allowing the administrator to see and manage the status of the DevIDs.

Supervisor: Fulvio Valenza
Academic year: 2024/25
Publication type: Electronic
Number of pages: 77
Degree programme: Master's degree in Computer Engineering (Corso di laurea magistrale in Ingegneria Informatica)
Degree class: New system > Master's degree > LM-32 - Computer Engineering (INGEGNERIA INFORMATICA)
Co-supervising institution: HP UK Development Limited (UNITED KINGDOM)
Partner companies: HP UK Development Limited
URI: http://webthesis.biblio.polito.it/id/eprint/33789