The CIA Model for Digital Nomads
by Stephen Foskett / Oct 21
IT security experts apply a three-phase approach to security, considering confidentiality, integrity, and availability of systems. This so-called CIA model is equally applicable to digital nomads, and helps define the various areas they need to protect.
Confidentiality
It is critically important for most businesses to keep their data from prying eyes, both for internal business and competitive reasons and to avoid legal or regulatory trouble. This is doubly true for digital nomads, since they tend to take sensitive data with them and transmit it through a variety of means.
Laptop users should use encryption to protect the confidentiality of their data, since laptop theft is common. There are many options for encryption of data on disk, but most fall into two categories: file-level or full-disk.
Most operating systems, including most recent versions of Windows, include options for file-level encryption, and these have proven fairly solid over the years. Once they are set up, these are extremely easy to use: A user simply right-clicks on a file and selects “encrypt”. There are a number of third-party encryption options as well, and these vary widely in both ease of use and security. Note that these do not necessarily hide the existence of data, however, so a lost laptop would still reveal the name and type of files contained on it.
Full-disk encryption is not as widely deployed, but can be far more effective. Rather than requiring the user to select which files to encrypt, products like PGP Desktop and Windows Vista’s built-in BitLocker software lock an entire drive or partition, requiring a password on bootup. Note that BitLocker requires special hardware to work effectively, making it unsuitable for some laptops. Some disk drives also feature built-in encryption hardware, but these are much rarer.
Regardless of the encryption method used, however, key management is critical. No one wants to be locked out of their own data if they forget a password or experience a software or hardware failure, so make sure some alternative mechanism is in place to recover the data. And if a thief were to guess the user’s password or gain access to a running system, the data could still be compromised.
Remember the data on removable drives as well, since these can be even easier to steal or misplace. Portable hard drives used for backup or USB flash drives used to transport data must also be encrypted to avoid data loss.
Finally, digital nomads must be careful about which networks they use to transmit data. Open Wi-Fi access points might seem to be a handy bargain, but they have also been used to gain access to sensitive data. Hotel and corporate guest networks can also be used in this manner. It is better to rely on 3G modems, which are harder to snoop. One should also always use VPN software or secure web sites when dealing with sensitive data.
Integrity
Keeping people out is sometimes less important than ensuring that one is working with valid data to begin with. Most people are aware of so-called phishing attacks, where an email entices a user to hand over their credentials, but there are many other potential attacks on the integrity of data. The same vectors used to give unauthorized access can be used to substitute untrustworthy data, and this can be just as damaging.
Many of the same technologies that protect confidential data can help with integrity. Encryption systems will ensure that data read from disk matches what was written, something that most filesystems surprisingly do not do. But no amount of encryption can protect from a user’s inadvertent writing of untrusted data.
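An added example, not part of the original article: one way to confirm that data read back from a portable backup drive matches what was written, by recording a keyed HMAC-SHA256 per file and re-checking it later. The function names, the demo key and the sample files are assumptions constructed for illustration; a temporary directory stands in for the drive.

```python
import hashlib
import hmac
import tempfile
from pathlib import Path

def file_mac(path: Path, key: bytes) -> str:
    """HMAC-SHA256 of a file's contents, read in chunks."""
    mac = hmac.new(key, digestmod=hashlib.sha256)
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            mac.update(chunk)
    return mac.hexdigest()

def build_manifest(root: Path, key: bytes) -> dict:
    """Map each file's relative path to its MAC at write time."""
    return {p.relative_to(root).as_posix(): file_mac(p, key)
            for p in sorted(root.rglob("*")) if p.is_file()}

def verify(root: Path, key: bytes, manifest: dict) -> dict:
    """Compare the drive's current contents with the stored manifest."""
    current = build_manifest(root, key)
    report = {"modified": [], "missing": [], "unexpected": []}
    for name, mac in manifest.items():
        if name not in current:
            report["missing"].append(name)
        elif not hmac.compare_digest(mac, current[name]):
            report["modified"].append(name)
    report["unexpected"] = sorted(set(current) - set(manifest))
    return report

def demo() -> dict:
    """Constructed sample: a temp directory stands in for a backup drive."""
    key = b"constructed-demo-key"  # assumption: the real key is kept off the drive
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "contracts.txt").write_text("pay 1,000 to ACME\n")
        (root / "notes.txt").write_text("meeting at 10\n")
        manifest = build_manifest(root, key)
        # Simulate a substituted file, a lost file and an added file.
        (root / "contracts.txt").write_text("pay 9,000 to ACME\n")
        (root / "notes.txt").unlink()
        (root / "invoice.txt").write_text("new file\n")
        return verify(root, key, manifest)

if __name__ == "__main__":
    print(demo())
```

Because the MAC is keyed, someone who alters a file on the drive cannot recompute a matching manifest entry without the key, which a plain checksum stored beside the data would not prevent.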
The first line of defense, especially for mobile workers, is training. Once again, open Wi-Fi hotspots and other untrustworthy networks should be avoided, and virus scanning and firewall software is a must. The Firefox web browser recently introduced a friendly mechanism to verify many popular web sites, but this is not widely deployed for corporate systems. Mobile users should also avoid relying too much on emailed content, since it can be compromised in transit, and should instead use more secure repositories and applications.
Availability
The final element in the CIA model, availability, is often overlooked. Constant travel can cause one to adapt to losses of connectivity by carrying more and more data along, but this opens the door to breaches of confidentiality and integrity of data. Conversely, an extremely secure system could be entirely inaccessible to a traveler, especially for those who spend a great deal of time in the air.
Digital nomads need to strike a balance, carrying enough data to get their work done but protecting the interests of the company (and themselves) by protecting it. Remote network-based backup can be a useful way of protecting laptop data, but these services can demand greater network resources than are available on the road, and restoring a great deal of data can be prohibitively time consuming. Digital nomads will augment these with mobile backups (to encrypted disk) in case a laptop is lost or damaged, since these allow for much quicker recovery.
The availability of 3G data is a tremendous help to the digital nomad as well, since they can be confident that their data will be accessible from wherever they are (on the ground). And nothing can substitute for a solid smartphone, giving quick access to critical email, calendar appointments, contacts, and light web browsing.
By paying attention to all three axes of the CIA model, digital nomads can enhance their ability to get the job done.
Stephen Foskett is a professional information technology consultant, providing vendor-independent strategic advice to assist Fortune 500 companies in aligning their storage and computing infrastructures with their business objectives. He has been recognized as a thought leader in the industry, authoring numerous articles for industry publications, and is a popular presenter at seminars and events. In 2008, he was awarded Microsoft’s Most Valuable Professional (MVP) status in the area of File System Storage. He holds a bachelor of science in Society/Technology Studies, from Worcester Polytechnic Institute.