Visit www.barracudasecurity.com

Legend

Location Of Theft in AQUA BLUE
URL Of Linked Article In STEEL BLUE or GREEN
Full Content Of Article In BLACK
Theft Description In Body Of Article in RED

Tuesday, November 27, 2007

CALIFORNIA LAPTOP MOBILITY MEANS VULNERABILITY Legal Technology - Laptop Mobility Means Vulnerability

Laptop Mobility Means Vulnerability

To judge by recent news reports, the most popular place to store confidential data these days is on a poorly secured laptop. Indeed, data-filled PCs seem to go missing as often as Lindsay Lohan checks into rehab.

Last year, a stolen agency laptop and hard drive lifted from the home of a U.S. Department of Veterans Affairs employee contained personal information on 26.5 million former and active military personnel. Another laptop was stolen from a locked hotel room with data on 50,000 General Electric Co. employees. You would think either of these incidents would make for a good wake-up call.

Data is more mobile than ever, and thanks to inaction -- and often, the wrong action -- on the part of companies, it is more vulnerable than ever. Most enterprises follow the basic steps: installing firewall and anti-virus software on their laptop fleets; telling users that it's not a good idea to leave the machine in the airport lounge while they buy cough drops; or to carry it in a bag with a big Dell logo on it. But they miss other, crucial steps.

It doesn't have to be this way. With a bit of forethought, law departments and IT can come up with policies that prevent the loss of crucial data, or at least keep it from prying eyes when it goes AWOL. Here's how:

DON'T GO OVERBOARD

A common mistake that companies make is to read the horror stories of compromised data and overreact. Draconian laptop-use policies may, ironically, increase an enterprise's vulnerability.

You can, for example, forcibly keep users from saving files to their laptops. "But you have to think how employees are going to respond to that," says Andrew Cohen, associate general counsel and vice president, compliance solutions, for EMC Corp., a technology services company based in Hopkinton, Mass.

"In the real world, people are going to figure out where else they can put that data, and often it is going to be somewhere that is unmanaged with no security, like a thumb drive."

Instead, EMC opts for what it calls a blended approach. "We ask what content is being saved to that laptop," says Cohen. "If it's really sensitive stuff, it may be a good policy to keep people from dropping that data onto their laptop," and saving it, for example, to a secure corporate server.

EMC also discovered that IT policies that seemingly had nothing to do with data security did, in fact, affect it. When EMC instituted size limits on employee e-mail boxes, users simply found other places to store their messages. By getting rid of the limits, EMC was able to encourage people to leave sensitive files on e-mail servers, not their laptops. That way they could better secure the content.

USE FULL-ON ENCRYPTION

Encryption -- scrambling data so that it can be read only by an authorized user -- isn't the cloak-and-dagger technology it used to be. It's now so mainstream that Microsoft Corp.'s Windows (both XP and Vista) offers the capability (Vista's is better).

The problem is that many organizations don't use encryption wisely. They'll encrypt document folders, figuring that the data is safe because the folders are encrypted, but that's not how it works. "Open up a Word file in an encrypted folder, and 15 temporary files are created in the background" throughout the hard drive, says John Mallery, managing consultant at the accounting firm BKD, in Kansas City, Mo.

"Shut down Word, and those files, many containing parts of your document, are still on your hard drive and not in your encrypted folder," he says.

Another common mistake: creating encrypted "sanctuaries" on a hard drive and telling employees to stick their sensitive stuff there. People can forget, or simply make the wrong choice.

A better answer is to encrypt the full disk. Besides Windows, there are a host of third-party applications that will handle the job, including GuardianEdge Hard Disk Encryption, from GuardianEdge Technologies Inc., and SecureDoc Disk Encryption, from WinMagic Inc.
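As an added illustration of the leak Mallery describes (this is not code from the article or from any vendor named in it), the script below audits a profile for application scratch files that have landed outside an encrypted folder. The temp-file name patterns, the directory layout and the file contents are constructed assumptions; the point it demonstrates is that a folder-level policy cannot see writes made elsewhere on the disk, which is why the article's answer is full-disk encryption.

```python
"""Audit for plaintext application scratch files written outside an encrypted folder.

Added example with constructed fixtures; the temp-file patterns below are
placeholders for the kind of "~$", "~WRL" and ".tmp" files an editor leaves behind.
"""
import fnmatch
import os
import tempfile
import time
from pathlib import Path

# Hypothetical scratch-file name patterns (assumption, not an exhaustive list).
TEMP_PATTERNS = ("~$*", "~WRL*.tmp", "*.tmp")


def is_inside(path: Path, root: Path) -> bool:
    """True if path lies within root after resolving symlinks on both."""
    try:
        path.resolve().relative_to(root.resolve())
        return True
    except ValueError:
        return False


def find_leaks(protected: Path, search_roots, patterns=TEMP_PATTERNS, max_age_s=3600):
    """Return recently modified scratch files under search_roots that sit outside 'protected'.

    A file inside the encrypted folder is fine (it is covered by the folder policy);
    a matching file anywhere else is plaintext the policy never saw.
    """
    now = time.time()
    leaks = []
    for root in search_roots:
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                if not any(fnmatch.fnmatch(name, p) for p in patterns):
                    continue
                full = Path(dirpath) / name
                if is_inside(full, protected):
                    continue
                if now - full.stat().st_mtime <= max_age_s:
                    leaks.append(full)
    return sorted(leaks)


def demo():
    """Constructed fixture: an encrypted folder plus scratch files an editor scattered elsewhere."""
    home = Path(tempfile.mkdtemp(prefix="fde_demo_"))
    protected = home / "EncryptedDocs"
    profile_tmp = home / "AppData" / "Local" / "Temp"
    for d in (protected, profile_tmp):
        d.mkdir(parents=True)
    (protected / "contract.docx").write_text("SENSITIVE: merger terms")
    (protected / "~$contract.docx").write_text("lock file inside the protected folder")  # covered
    (profile_tmp / "~WRL0001.tmp").write_text("SENSITIVE: merger terms (autosave copy)")  # leak
    (home / "~$contract.docx").write_text("owner file dropped in the profile root")  # leak
    return [p.relative_to(home).as_posix() for p in find_leaks(protected, [home])]


if __name__ == "__main__":
    for leak in demo():
        print("plaintext scratch file outside the encrypted folder:", leak)
```

Run against a real profile, the same `find_leaks` call with the user's home directory as the search root and a short `max_age_s` right after editing a document shows how much of the document's content the folder policy never protected.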

Prices vary depending on the size and needs of an organization, but you can generally expect to pay $50 to $200 per laptop. Free, open-source products, such as TrueCrypt, are also available. There are a couple of caveats with full-disk encryption. Decrypting the disk generally requires a password. You'll want an emergency route to your data -- a back door -- should you ever lose your code.

Some products, like TrueCrypt, leave the contingency planning to you. Others will have a mechanism to help you regain access to your data. Many large companies will have what is known as a "God I.D." -- a master password, typically held by the IT department -- as a fail-safe.

But that begs another question: Should one department, perhaps even one person, hold all the keys to the data kingdom?

The better model, according to John Simek, vice president of Sensei Enterprises Inc., a legal technology and computer forensics company in Fairfax, Va., is to have two separate entities that must agree, and work together, before any action is taken (much the way nuclear missile launch teams used to operate). "You have the security organization that has the key, but not the access to the data, and the IT department, which has access but not the key," explains Simek. "Unfortunately, you don't see this model very often. Instead, it's all left to IT."
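One way to implement the two-entity model Simek describes, as an added example that is not code from the article or from any product it mentions: the recovery key is split into two shares, one held by the security organisation and one by IT, and neither share alone reveals anything about the key. The XOR construction, the holder names and the SHA-256 fingerprint used to detect a wrong or tampered share are all assumptions of this example.

```python
"""Two-person control for a disk-encryption recovery key via XOR secret splitting.

Added example. Each share is uniformly random on its own (one-time-pad construction);
only the XOR of every share yields the key. The holder names and key length are
constructed assumptions.
"""
from __future__ import annotations

import hashlib
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class Share:
    holder: str   # which organisation holds this share
    value: bytes  # same length as the recovery key; indistinguishable from random alone


def split_key(recovery_key: bytes, holders: tuple[str, ...] = ("security", "it")) -> list[Share]:
    """Split recovery_key into one share per holder; every share is needed to rebuild it."""
    if len(holders) < 2:
        raise ValueError("two-person control needs at least two holders")
    random_parts = [secrets.token_bytes(len(recovery_key)) for _ in holders[:-1]]
    last = bytes(recovery_key)
    for part in random_parts:  # last share = key XOR all random shares
        last = bytes(a ^ b for a, b in zip(last, part))
    return [Share(h, v) for h, v in zip(holders, random_parts + [last])]


def fingerprint(recovery_key: bytes) -> str:
    """Hash kept beside the shares so a rebuilt key can be checked without revealing it."""
    return hashlib.sha256(recovery_key).hexdigest()


def combine(shares: list[Share], expected_holders: tuple[str, ...], expected_fp: str) -> bytes:
    """Rebuild the key only if every expected holder contributed and the result verifies."""
    present = {s.holder for s in shares}
    missing = set(expected_holders) - present
    if missing:
        raise PermissionError(f"missing approval from: {sorted(missing)}")
    if len({len(s.value) for s in shares}) != 1:
        raise ValueError("share lengths differ")
    key = bytes(len(shares[0].value))  # all-zero start, XOR every share in
    for s in shares:
        key = bytes(a ^ b for a, b in zip(key, s.value))
    if fingerprint(key) != expected_fp:
        raise ValueError("rebuilt key failed verification: a share is wrong or tampered")
    return key


def demo() -> dict:
    """Show that one department alone is refused and both together recover the key."""
    key = secrets.token_bytes(32)
    fp = fingerprint(key)
    shares = split_key(key)
    try:
        combine([shares[1]], ("security", "it"), fp)  # IT alone
        alone_refused = False
    except PermissionError:
        alone_refused = True
    both = combine(shares, ("security", "it"), fp) == key
    return {"single_share_refused": alone_refused, "both_shares_recover": both}


if __name__ == "__main__":
    print(demo())
```

The fingerprint is what turns "IT has access but not the key" into something auditable: a share handed over under pressure or altered in storage produces a key that fails the check rather than silently decrypting the wrong thing, and the refusal path logs which department's approval was missing.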

SWEAT THE SMALL STUFF

Remember, it's not just the laptop you need to worry about. Removable storage devices can plug into any computer and download gigabytes of data in seconds. These devices are easy to use and increasingly go everywhere, including a thief's pocket.

Indeed, some of this year's biggest security breaches haven't involved actual computers. In May, the federal Transportation Security Agency announced that an external hard drive, containing Social Security numbers and bank account information for some 100,000 employees, had gone missing. Fortunately, some slick new products, such as Safend Protector, from Israel's Safend Ltd., help firms control which devices can be plugged into which computers. "The good ones let you set exceptions, so you can let the general counsel hook up his iPhone," says Larry Seltzer, editor of eWeek Security Weblog.

USE BIOMETRICS, BUT

Fingerprint readers are an increasingly popular way of adding an extra layer of security to laptop use. In theory, they're a no-lose proposition: A thief would have to steal your laptop and your finger to gain access to your data (and at that point, data will be the least of your concerns). But users often forget a key step: Register more than one finger with the device. Cautions Simek: "If you cut or burn your finger, you're not getting into that laptop -- at least until you heal."

PHONE HOME

If there's one small comfort when your laptop is stolen, it's this: Most are swiped for the laptop itself, not the data it contains. But the longer the machine stays on the lam, the better the chance that someone will eventually dig through the disk. So a quick recovery is in your best interest.

Computrace Lojack for Laptops, from Absolute Software Corp., is a software-based homing beacon that periodically checks in with Computrace's monitoring center ($50 per year for one user).

If your laptop is stolen, you notify Computrace. The next time your machine checks into the system, it will be instructed to communicate every 15 minutes, so Computrace can get a fix on its location. Fortunately, the service doesn't make you go Charles Bronson on the bad guys: Computrace passes its information to law enforcement, which handles the recovery.

Alan Cohen is a New York-based writer who frequently reports on technology and legal affairs. A version of this story previously appeared in our sibling publication, Corporate Counsel.
