Headlines across several business news services this week read something like “Laptops Prove Weak Point in Computer Security”. No, that’s not an actual headline, because I don’t like getting flame e-mail from attorneys, but it’s similar to several.
The articles were prompted by Fidelity’s announcement that it suffered a single laptop theft, and in that misfortune exposed yet another 200,000 customer records from its retirement account division to the prying eyes of identity thieves, or whomever. And this "proves" that laptops are the security threat.
See, I don’t agree with that. Laptops are only a security threat if you allow them to be. Put your thinking cap on, and put together a plan that would negate -- or at least mitigate -- laptop-security holes. Now put it into one of those colored manila folders and have one of those gentle, slow-talking explanatory meetings with the folks upstairs. They’ll give you that condescending, we’re-not-doing-this look, whereupon you smile (gently now) and walk out.
Weeks, months, years later, some yahoo employee exposes a couple hundred-thousand credit card numbers to organized crime bosses in Moscow by leaving his laptop plugged in at Starbucks while he visits the john. Lawyers call. Auditors call. The folks upstairs rush downstairs a-hootin’ and a-hollerin' and looking to leave with your butt in a briefcase; now you smile (gently now) and slide that same manila folder across your desk.
What’s the plan in that folder? Actually, there’s any number of ways to mitigate laptop-security problems, and most are dependent on what kind of business you’re handling. Loads of sensitive consumer data? You can start by asking why this is on a laptop on the first place. No real reason, unless some yutz wanted to run a couple hundred-thousand credit checks from home.
When you’ve identified who should access sensitive information, where, and when, you can start putting policies in place to enforce that. The limits are bound only by your workaround imagination. How about grabbing every MAC address associated with every laptop your company owns? These could then be barred from storing certain kinds of data -- such as, say, any records from the database handling credit card numbers. In fact, maybe only those MACs associated with desktops are even allowed to see that store.
Is all this part of Windows 2003? Not quite. The policy-based stuff you can manage; but drilling down to MAC-level access may require a workaround using a higher-level desktop management tool such as the ones from Altiris. Keeping data secure to desktops might require shutting down certain hardware functions, such as USB ports, so data can’t get transferred via thumb drives -- and that might require third-party solutions such as FullArmor IntelliPolicy.
This is quite a bit of work, and if security really is this much of a concern to you, then a full-scale desktop redesign might be another way to go. There are turnkey desktop systems available with this kind of management built in. My favorite has always been ClearCube’s blade workstation system.