Control Not Technology Is The Security Challenge
The growing number of laptops and mobile devices on the market means that IT staff are finding it increasingly difficult to keep corporate information secure. If anything, the increasing number of high-profile cases involving data loss should serve as a warning that the situation is untenable and is reaching critical mass.
While technological solutions abound, the very diversity of laptops and mobile devices works against any single solution. For example, the release of Apple’s iPhone last year suddenly had IT departments scrambling to deal with yet another platform that employees were bringing into the office. In many cases, managers and staff might be demanding that they be allowed to access their corporate email from these gadgets.
In this regard, we must recognize that the key challenge we face has more to do with control than with technology. Increasingly technology-savvy employees see no reason why they should not be allowed to access corporate data from their personal laptops or smartphones. To address this issue, I would like to suggest that we approach it from a different paradigm.
Companies need to wake up to the fact that the trend of staff bringing in external laptops and smartphones will not only continue, but will in fact accelerate. It would be difficult and unpopular for companies to demand that staff comply with certain security measures on their personal devices. However, the matter is different if these devices are actually owned by the company. This might involve loaning out company-acquired laptops, or paying an allowance for the use of a personal laptop belonging to a staff member. The allowance pays for depreciation of the equipment, as well as any inconvenience that comes with implementing various security measures. In the latter case, employees are free to take the laptop with them upon leaving the organization, once confidential data has been confirmed as removed.
Once clear ownership of the laptops or mobile devices has been established, it becomes easier to deal with security incidents such as theft or accidental loss.
There are many options when it comes to ensuring personal security or privacy. Where a laptop is concerned, the obvious solution would be to use full disk encryption that is tied to a Trusted Platform Module (TPM). Depending on various factors, however, this might be impractical to implement overnight, because a complete overhaul of existing hardware and an expensive software commitment might be necessary. In addition, it must be noted that full disk encryption does nothing to stop service personnel who have been granted temporary access from peering into data that they have no business viewing. This is probably best exemplified by the case of Hong Kong-based actor Edison Chen, who had service personnel pinch various scandalous photos of himself being intimate with various actresses from his personal laptop when it was sent in for servicing. The resultant uproar cut short his career and had him leaving the country in disgrace.
A more moderate and less invasive approach would be to issue personal flash drives with on-board authentication and encryption. This means that all data on these flash drives is encrypted on the fly the moment it is copied in, and is accessible only upon furnishing the correct password. The IronKey might be a consideration, though similar devices are now widely available on the market.
Obviously, user training will be required, especially since the capacities of such specialized flash drives are still relatively low, at between 4GB and 8GB. However, I believe it will be relatively easy to train even novice users that only data on the encrypted flash drive should be considered secure. An added advantage is that users will become more conscious of following backup procedures as well. As such, it represents the best compromise between.