Encryption could address threat to data security of
consumer storage products, says Alan Lawson
Information is an essential component of every daily business
activity, and access to this information is key if employees are to
be productive.
Equally important is access to fellow employees in a
collaborative framework, generating information for the
organisation's benefit - new products or strategies are commonly
encountered reasons for such collaboration. Connecting employees,
to each other as well as to the information they require, is a
natural priority for all organisations.
The costs to the organisation of enabling connectivity will
often run into thousands for SMEs, and into millions for larger
enterprises. Deployments are accordingly carried out at a high
level, with the needs of the many taking priority over the specific
requirements of the few - the result being that some employees may
find their systems inadequate under certain circumstances.
Given the cost of deploying enterprise connectivity products,
such as wireless networks, the assumption might be that employees
would simply have to put up with the situation - after all, they
can hardly invest in systems of their own to boost their
productivity and/or make their working lives easier. Not so.
Two factors seriously undermine this assumption. The first is
that many individuals outside the IT department possess enough IT
knowledge to interact with whatever systems are in place within the
organisation, above and beyond the basics of using the interfaces
that are provided.
Such individuals may have considerable expertise, or simply know
just enough to get themselves (and the organisation) into serious
trouble. But surely, without access to dedicated hardware, there
will be limits to the damage they can inadvertently cause? You
would think this should end the debate, because enterprise systems
are far beyond the reach of the average employee.
However, a second factor to consider is that the manufacture of
powerful and effective communications technologies has become
consumer-led, something enterprise security and management
strategies do not always take into account. Combine the widespread
availability of these sophisticated devices with the (hopefully)
well-meaning intentions of employees and there is a potential
recipe for disaster.
If wireless access points are not properly secured in accordance
with the organisation's policy, then they provide an open door for
misuse. This becomes a problem because it is as easy for employees
to create their own wireless access at a fairly low cost in the
office as it is for them to run off multiple copies of original
content at home. Routers and wireless cards are available over the
counter in every high street, enabling employees with even minimal
technical knowhow to establish and maintain small wireless networks
for their own convenience.
Cost is no longer a serious barrier, due to the steady reduction
in high street prices, and apart from being convenient, the
personal network might also carry a perceived benefit of being
"cool". It is now easy to walk into any high street electrical
retailer and buy a simple wireless networking kit for £100. Unless
hardware in the organisation is locked down as part of the policy,
such a device could be plugged into numerous access points, quite
unnoticed.
Mobile devices, especially smartphones, are excellent examples
of why consumer-led technologies now affect management and security
issues. These devices possess steadily increasing amounts of
storage space, through the use of onboard memory and various
plug-in storage media, making it simple to carry around large
amounts of data in multiple formats.
There is a perception that the mobile phone platforms are being
increasingly targeted by virus writers, making data stored on such
devices even more vulnerable. Although an individual's smartphone
might be put out of action by a virus, the infection will not
spread to impact the organisation to any great degree.
The biggest threat from the smartphone lies in its size -
physical and virtual. Physically, most smartphones are still a
little larger than mobile phones, usually due to the need for a
decent-sized screen - but they are usually smaller than PDAs, and
prey to loss or theft. The virtual size, the data storage
availability, then becomes crucial - how much sensitive data has
the employee placed onboard, and how is it protected?
Similar data-centric arguments apply to USB devices, such as
iPods. The convenience of carrying around data has to be weighed
against the risk should that same data be accessed on the move by
an unauthorised user, or even lost outright. Many
security-conscious organisations have taken a simple and direct
response to this issue - by blocking the use of such devices
entirely.
A simple complementary solution is to require that data should
be encrypted, and can only be decrypted on authorised, properly
secured resources. Some of the recent scares over data misuse and
theft in the US would have been avoided completely if this point
had been addressed.
The issue is primarily one of detection: identifying the areas, or
even the individuals, most likely not to conform to the
organisation's network usage policies.
Detection is a major element in managing the risks posed by
consumer electronics in the workplace; it is essential if maverick
activity is to be found and dealt with. Some potential problems
will be easier to unearth than others. For example, scanning for
wireless networks will be considerably less difficult than checking
devices such as phones or music players for unauthorised data.
Defining the scope of any existing problems can support educational
efforts to stamp them out at source - with the employees
themselves.
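As an added illustration of the wireless-scanning detection mentioned above (this is example code, not part of the original article), the following script audits a site survey against an inventory of approved access points. It assumes scan output in a constructed 'BSSID SSID SECURITY SIGNAL_DBM' layout; the inventory, addresses and network names are all made up.

```python
# Added example (not from the original article): audit a wireless site survey
# against an inventory of approved access points. Assumes scan output in a
# constructed 'BSSID SSID SECURITY SIGNAL_DBM' layout; all values are made up.

# Constructed inventory of access points the organisation has deployed.
APPROVED_APS = {
    "00:11:22:33:44:01": "CorpNet",
    "00:11:22:33:44:02": "CorpNet",
    "00:11:22:33:44:03": "CorpGuest",
}
CORPORATE_SSIDS = set(APPROVED_APS.values())
REQUIRED_SECURITY = {"WPA2", "WPA3"}  # policy minimum for any corporate AP

# Constructed scan output in the assumed layout.
SAMPLE_SCAN = """\
00:11:22:33:44:01 CorpNet WPA2 -41
00:11:22:33:44:03 CorpGuest WEP -55
aa:bb:cc:dd:ee:01 CorpNet WPA2 -38
aa:bb:cc:dd:ee:02 linksys OPEN -47
aa:bb:cc:dd:ee:03 NeighbourCafe WPA2 -83
"""

def parse_scan(text):
    """Yield (bssid, ssid, security, signal_dbm); malformed lines are skipped."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        try:
            yield parts[0].lower(), parts[1], parts[2].upper(), int(parts[3])
        except ValueError:
            continue

def audit_scan(text, strong_signal_dbm=-70):
    """Return (bssid, ssid, reason) for each network that breaches or evades policy."""
    findings = []
    for bssid, ssid, security, signal in parse_scan(text):
        if bssid in APPROVED_APS:
            if security not in REQUIRED_SECURITY:
                findings.append((bssid, ssid, "approved AP below security policy"))
        elif ssid in CORPORATE_SSIDS:
            findings.append((bssid, ssid, "corporate SSID from unregistered radio"))
        elif signal >= strong_signal_dbm:
            # Strong but unknown: probably inside the building, i.e. a personal AP.
            findings.append((bssid, ssid, "unknown network with strong signal"))
        # Weak unknown networks are treated as neighbours and ignored.
    return findings

if __name__ == "__main__":
    for bssid, ssid, reason in audit_scan(SAMPLE_SCAN):
        print(f"{bssid} {ssid!r}: {reason}")
```

Weak unknown networks are deliberately left out of the findings so that neighbouring premises do not swamp the report; the signal threshold is a tunable assumption.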
If further remedial action is necessary, restrictions can be
placed at appropriate points. For example, locking down/disabling
USB points is an appropriate form of access control, and cuts many
consumer devices out of the loop entirely.
It is worth concluding with a reminder that the maverick users
we may need to control are not necessarily acting maliciously at
all - these are individuals trying to boost their productivity
and/or make their working lives a little easier, and the odds are
that they believe they are showing initiative rather than
undermining organisational policy.
These are individuals who should be encouraged to conform to
security policy through improved understanding, rather than
renegades that ought to be isolated and punished.
The organisation might well have its share of the latter - but
we would hope that there is no need to presume the worst from the
outset.
Alan Lawson is a research analyst at Butler Group