Of laptop data security
Done the basics - or sleepwalking along a precipice?
Perhaps the first thing to say is: “It's nobody's fault.” We could blame the laws of physics for the current capabilities of laptops, but not those who discovered them, nor those who have successfully pushed the data storage of hard disks to terabyte capacities. Nor indeed, the people who squeezed the processing equivalent of several mainframes into the flat rectangle of electronic wizardry that we give to our mobile workers.
The downside, of course, of being able to carry the equivalent of several million copies of Encyclopedia Britannica in a briefcase, is that we can now lose, corrupt or inadvertently reveal vast quantities of information, whereas before we could only do so for relatively small quantities. It is like living in a palace after living in a shed - but of course, the shed had one door and a single room to maintain.
All the same, the risks associated with storing data on a laptop remain relatively straightforward to define. First, any piece of information will have an associated value, be it a laundry list or the recipe for Coca Cola – it only takes one slip of paper to be left on a photocopier to find out the difference. Similarly, a single spreadsheet may contain cricket scores, or indeed the pricing structures offered to different customers.
The scale of today's laptops give us increased risk – it is now far easier to store a great deal more information than before. A terabyte could easily equate to the entire repository of information for many businesses for example, and with that much space available, it is tempting to store as much as possible. This does increase the risk of having high-value information in the mix, which also raises the bar in terms of protection needed.
We can consider the threats in terms of the acronym CIA - that's:
- Confidentiality - that only those who should see the information, can see the information.
- Integrity - that the information cannot be changed without authorisation or knowledge.
- Availability - that the information is protected against loss.
For laptop users, there are some relatively straightforward mechanisms that can be implemented to reduce the risks of each.
Both confidentiality and integrity need to be dealt with in a number of ways. The first is to ensure the information itself is protected. By far the simplest mechanism is to ensure the laptop is password protected - either at login time, or for the more security conscious, in the bios.
But this does not protect against someone removing the hard drive. To protect against this, most current laptop operating systems have some kind of hard disk encryption mechanism built in – there’s Bit Locker for Windows Vista, for example.
Also, the Trusted Computing Group has just announced a specification for direct hard drive and USB stick encryption, which should help things even more.
You don't have to be an expert to extract information from a laptop, if the person in front of it insists on showing it to all and sundry. On trains, in planes and in cafés, there have been countless, quite flabbergasting occurrences of business executives showing off their corporate secrets, in spreadsheets or slide decks.
It would be funny if it wasn’t so frequent – perhaps it is the ultimate demonstration of the belief that security breaches only happen to other people (the best example I can remember was a loud-mouthed senior exec of an systems integrator explaining to a colleague – and indeed the rest of the carriage – how to interpret next year’s competitive analysis spreadsheet).
It's not just the 'data at rest' that needs protecting, but also 'data in motion' - as we describe in another article for example, rogue Wi-Fi hotspots can be capturing information from unsuspecting users. Surprisingly perhaps, individuals do not always use the basic protections available to them - using secure channels to access their email servers, for example. For larger organisations, SSL VPN is another mechanism to protect against this threat – not only do such encrypted links give secure access to corporate systems, but this also means mobile workers will be using corporate protections when they access the Internet.
Data leakage protection (DLP) deserves a mention here, as a technology which will monitor what's being sent through a corporate firewall and block anything that looks suspect. We need to remember that security breaches can be as much down to stupidity as malice, and also that a laptop user may well be accessing the internet directly rather than via a VPN.
An information leak may be quite simply a case of attaching the wrong file to an email, or sending it to the wrong person - who hasn't inadvertently used the 'autocomplete' feature in their email client, and sent a document off to the wrong 'Sarah' or the wrong 'Graham'? As individuals we should question how much we need such features in the first place, and whether they are worth the risk.
And lets not forget the ever-so-obvious topics of anti-virus, personal firewalls and so on. Just because there isn't currently a big scandal about computer worms hacking information off hard drives and posting it on the Internet, that's probably just because the hackers haven't got around to it yet. Your McAfee or Norton may be up to date, but when did you last patch your operating system and applications?
Lastly, we have availability. This can be dressed up in all kinds of ways but in its most simple form it equates to being confident that the information we had yesterday will still be there tomorrow. The laptop’s biggest strength is also its greatest weakness in this respect - that of portability. It is quite possible to lose every last bit of information one has, just by leaving it on the bus. Equally, only the most resilient of laptops can resist the effects of knocking a glass of water over the keyboard; note also that most hard drives are mechanical - marvels maybe, but prone to damage.
The answer is backup - which can be as straightforward as taking a copy of important data on a USB stick and stowing it somewhere sensible (USB sticks can be a solution as well as a problem – but see confidentiality, above). Mobile workers don't always have access to corporate systems, which means they are not always going to be supported by corporate backup mechanisms; equally, offline access can result in storing more information than strictly necessary on the local drive. Using a laptop without doing personal backups is like driving without a safety belt, in the vain hope that accidents only happen to other people.
In conclusion then, there may be corporate mechanisms in place for data security, but these do not always extend out to laptop users. There’s always more that we can do, but those who do not follow the basics are sleepwalking along a precipice. ®