There are many aspects to network security but it is often the risks associated with the humble laptop PC that gets overlooked.
The portability of laptops makes them inherently vulnerable; they are designed to be portable. Traditionally, people and organizations consider laptop security from the perspective of the financial value of the device but as the cost of laptops has reduced it is likely that the information contained on a laptop’s hard disk is more valuable than the laptop itself.
There are a number of simple measures that can be taken to protect laptops and the information they contain such as not leaving them unattended in public areas or in parked cars (whether on display or not). This is an issue that can be addressed by training, but even the most careful person can make mistakes. So what can be done to protect the data against compromise when a laptop is lost or stolen?
It would be relatively simple to design a system where little or no data is held on the laptop itself; this would require the use of some type of thin client arrangement such as Windows Terminal Services or Citrix where all applications run and all data is held on centrally located servers and the endpoints simply function as a “dumb” terminal that simply provides an interface to the user. The problem with this kind of implementation is that constant connectivity is required to the central data centre(s) hosting the applications.
So, given that most users are going to store some data locally what can be done to prevent this data falling into the wrong hands. The answer is to encrypt some or all of the information held on the local hard drive; there is a wide choice of products available to achieve this; however, some considerations in selecting a product.
Ease of use – the product has to be easy to use and the process of encryption and decryption as transparent as possible to the user. Most people are not technical and if they are provided with something that is difficult to use they will not use it.
Security of the encryption algorithm
Management of encryption keys – it is important that the organization as the ability to manage encryption keys. Under section 53 of the Regulation of Investigatory Powers Act (RIPA)(UK) the police have the powers to demand the decryption of data or the production of decryption keys; it is clearly important that an organization should be able to comply with this requirement.
Security of passwords/encryption keys when held in memory – at some point most encryption systems are going to hold user passwords or encryption keys in dynamic memory. When this occurs there is a risk that a malware program that has infected the laptop could steal this information and provide it to a third party; therefore, any encryption system should provide some method of obscuring or protecting this information while it is held in dynamic memory.
Next time … more on endpoint security, specially looking at removable media.
No comments:
Post a Comment