
Of laptop data security

Done the basics - or sleepwalking along a precipice?


Perhaps the first thing to say is: “It's nobody's fault.” We could blame the laws of physics for the current capabilities of laptops, but not those who discovered them, nor those who have successfully pushed the data storage of hard disks to terabyte capacities. Nor indeed, the people who squeezed the processing equivalent of several mainframes into the flat rectangle of electronic wizardry that we give to our mobile workers.

The downside, of course, of being able to carry the equivalent of several million copies of Encyclopedia Britannica in a briefcase, is that we can now lose, corrupt or inadvertently reveal vast quantities of information, whereas before we could only do so for relatively small quantities. It is like living in a palace after living in a shed - but of course, the shed had one door and a single room to maintain.

All the same, the risks associated with storing data on a laptop remain relatively straightforward to define. First, any piece of information will have an associated value, be it a laundry list or the recipe for Coca-Cola – it only takes one slip of paper to be left on a photocopier to find out the difference. Similarly, a single spreadsheet may contain cricket scores, or indeed the pricing structures offered to different customers.

The scale of today's laptops gives us increased risk – it is now far easier to store a great deal more information than before. A terabyte could easily equate to the entire repository of information for many businesses, for example, and with that much space available, it is tempting to store as much as possible. This does increase the risk of having high-value information in the mix, which also raises the bar in terms of protection needed.

CIA

We can consider the threats in terms of the acronym CIA - that's:

  • Confidentiality - that only those who should see the information, can see the information.
  • Integrity - that the information cannot be changed without authorisation or knowledge.
  • Availability - that the information is protected against loss.

For laptop users, there are some relatively straightforward mechanisms that can be implemented to reduce the risks of each.

Both confidentiality and integrity need to be dealt with in a number of ways. The first is to ensure the information itself is protected. By far the simplest mechanism is to ensure the laptop is password protected - either at login time, or for the more security-conscious, in the BIOS.

But this does not protect against someone removing the hard drive. To protect against this, most current laptop operating systems have some kind of hard disk encryption mechanism built in – there’s BitLocker for Windows Vista, for example.

Also, the Trusted Computing Group has just announced a specification for direct hard drive and USB stick encryption, which should help things even more.

Trainspotting

You don't have to be an expert to extract information from a laptop, if the person in front of it insists on showing it to all and sundry. On trains, in planes and in cafés, there have been countless, quite flabbergasting occurrences of business executives showing off their corporate secrets, in spreadsheets or slide decks.

It would be funny if it wasn’t so frequent – perhaps it is the ultimate demonstration of the belief that security breaches only happen to other people (the best example I can remember was a loud-mouthed senior exec of a systems integrator explaining to a colleague – and indeed the rest of the carriage – how to interpret next year’s competitive analysis spreadsheet).

It's not just the 'data at rest' that needs protecting, but also 'data in motion' - as we describe in another article, for example, rogue Wi-Fi hotspots can capture information from unsuspecting users. Surprisingly perhaps, individuals do not always use the basic protections available to them - using secure channels to access their email servers, for example. For larger organisations, SSL VPN is another mechanism to protect against this threat – not only do such encrypted links give secure access to corporate systems, but they also mean mobile workers will be using corporate protections when they access the Internet.

Data leakage protection (DLP) deserves a mention here, as a technology which will monitor what's being sent through a corporate firewall and block anything that looks suspect. We need to remember that security breaches can be as much down to stupidity as malice, and also that a laptop user may well be accessing the internet directly rather than via a VPN.

An information leak may be quite simply a case of attaching the wrong file to an email, or sending it to the wrong person - who hasn't inadvertently used the 'autocomplete' feature in their email client, and sent a document off to the wrong 'Sarah' or the wrong 'Graham'? As individuals we should question how much we need such features in the first place, and whether they are worth the risk.

And let's not forget the ever-so-obvious topics of anti-virus, personal firewalls and so on. If there isn't currently a big scandal about computer worms hacking information off hard drives and posting it on the Internet, that's probably just because the hackers haven't got around to it yet. Your McAfee or Norton may be up to date, but when did you last patch your operating system and applications?

Lastly, we have availability. This can be dressed up in all kinds of ways but in its most simple form it equates to being confident that the information we had yesterday will still be there tomorrow. The laptop’s biggest strength is also its greatest weakness in this respect - that of portability. It is quite possible to lose every last bit of information one has, just by leaving it on the bus. Equally, only the most resilient of laptops can resist the effects of knocking a glass of water over the keyboard; note also that most hard drives are mechanical - marvels maybe, but prone to damage.

The answer is backup - which can be as straightforward as taking a copy of important data on a USB stick and stowing it somewhere sensible (USB sticks can be a solution as well as a problem – but see confidentiality, above). Mobile workers don't always have access to corporate systems, which means they are not always going to be supported by corporate backup mechanisms; equally, offline access can result in storing more information than strictly necessary on the local drive. Using a laptop without doing personal backups is like driving without a safety belt, in the vain hope that accidents only happen to other people.
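As an added example (not part of the original article), here is one way to make a personal backup that covers integrity as well as availability: files are copied to the backup location and a keyed manifest lets you detect later whether any copy was changed or lost. The manifest file name, function names and key handling are assumptions of this sketch; confidentiality is assumed to come from keeping `dest` on an encrypted volume and the key off the USB stick.

```python
import hashlib
import hmac
import json
import shutil
from pathlib import Path

MANIFEST = "MANIFEST.json"  # hypothetical file name chosen for this example

def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def manifest_tag(files: dict, key: bytes) -> str:
    # HMAC over the canonical file list, so the manifest itself cannot be edited unnoticed
    body = json.dumps(files, sort_keys=True).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()

def backup(src: Path, dest: Path, key: bytes) -> dict:
    """Copy every file under src to dest and write a keyed manifest."""
    dest.mkdir(parents=True, exist_ok=True)
    files = {}
    for f in sorted(p for p in src.rglob("*") if p.is_file()):
        rel = f.relative_to(src).as_posix()
        target = dest / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(f, target)
        files[rel] = sha256_file(f)  # hash of the original; verify() checks the copy against it
    doc = {"files": files, "hmac": manifest_tag(files, key)}
    (dest / MANIFEST).write_text(json.dumps(doc, indent=2))
    return files

def verify(dest: Path, key: bytes) -> list:
    """Return a list of problems; an empty list means the backup is intact."""
    doc = json.loads((dest / MANIFEST).read_text())
    if not hmac.compare_digest(manifest_tag(doc["files"], key), doc["hmac"]):
        return ["manifest: HMAC mismatch"]
    problems = []
    for rel, digest in doc["files"].items():
        copy = dest / rel
        if not copy.is_file():
            problems.append(f"{rel}: missing")
        elif sha256_file(copy) != digest:
            problems.append(f"{rel}: modified")
    return problems
```

Running `verify()` immediately after `backup()` also catches a bad copy, since the recorded hashes come from the originals.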

In conclusion then, there may be corporate mechanisms in place for data security, but these do not always extend out to laptop users. There’s always more that we can do, but those who do not follow the basics are sleepwalking along a precipice. ®
