
Fear is a word that is rarely used in IT. It suggests
uncontrolled emotions, and activities far from the rational
risk-analysis processes that most enterprises aspire to
conduct. Nevertheless, fear can be useful, as it can force you to
focus on a problem.
It is with a certain level of fear that many companies face the
demands of legislation regarding handling data and the prospect of
losing sensitive data.
At law firm Turcan Connell, it is Peter Quinn's biggest fear
that confidential data pertaining to its clients will get into the
hands of the press or will be used against the business. As with
most businesses handling sensitive data, the firm's reputation is
key to its success.
As head of IT infrastructure, Quinn is responsible for IT
security. The law firm holds clients' private information on all of
the 70 Orange SPV pocket PCs the lawyers use when working remotely,
and ensuring that sensitive data held on the devices remains secure
in the event of theft, loss or compromise presents Quinn with a
major challenge.
Quinn says that allowing lawyers to work remotely with devices
containing this sensitive information is problematic. "We are
dealing with a number of clients through various confidential
issues, legal work and asset management. Even personal contact
information is a difficult area to control," he says.
Quinn realises that loss of reputation is only one adverse
effect of losing sensitive data. There is a growing worldwide
collection of laws, standards and protocols that dictate how
information can be processed, transferred and stored.
From the well-known Sarbanes-Oxley regulating US-listed companies,
to the UK's Data Protection Act and the less understood Cold War
Wassenaar arrangement potentially forbidding encrypted data exports
to Hong Kong, companies storing sensitive data face a crowded legal
landscape.
Many regulations require not only adherence, but provable
compliance, says Andy Kellett, senior analyst at analyst firm
Butler Group. "You have to control the people who have access to
your sensitive information. If you fail to do so properly,
compliance will be what kicks in and gets you into trouble," he
says.
It is relatively straightforward to comply with controls when
certain data is held behind the enterprise fortress walls, but
securing mobile devices and remote working presents a more
difficult challenge.
Memory sticks, e-mail attachments, instant messages and web
portals can siphon data away from central servers before you know
who is logged on. For this reason, organisations limit
functionality of mobile devices to a finite set of well-understood
features, with quantifiable risk profiles.
Johnnie Walker is the IT user support manager at financial
services organisation Cofunds. Before rolling out Blackberry
handheld devices, the company conducted a 12-week comprehensive
pilot study.
"We have a security team that runs a risk audit first, and we
have to meet their risks with controls. We had to ensure we were
properly secure, that nobody could infiltrate the Blackberry, get
onto the device, take any data from it, intercept it over the
airways, penetrate our firewalls, or get to the server itself,"
says Walker.
The pilot study helped Walker to strike a balance between
maximum flexibility and minimum risk when using the devices. Walker
says the process helped him decide the user functionality that
could be added or removed based upon risk analysis and
evidence.
"No data is kept on the Blackberry, it is all on the back-end,
on Exchange. You have got all your encryption using Advanced
Encryption Standard and Triple-Data Encryption Standard on the
device so that nothing can be intercepted
wirelessly. E-mails are stored encrypted, but there are no files
stored. If you send an attachment it can be retrieved from the
server but, once closed, it is not stored locally, you have to
retrieve it again," he says.
Choosing devices that cannot store data, but can only view it -
a thin client - is an effective way to secure data, says Jeremy
Green, principal analyst for enterprise mobility at analyst firm
Ovum.
"There is an important school of thought that says you should
not have anything on the device. All the important information
stays on the server and you just have a browser-based application
that lets you view it," he says.
Limiting the user's activities relieves many security issues. So
while devices are becoming increasingly powerful, security teams
are busy hobbling available features. Device manufacturers cater
for this with custom controls and downloaded policies that
determine how the device behaves.
Walker has limited Cofunds' Blackberries via a downloadable
policy. "We do not allow access onto the network and you cannot
access the network drive. It was a risk under the risk assessment,
so the option was removed completely."
With a centrally set secure password reset every 30 days and a
limit of five log-on attempts, Walker is happy the security of
Cofunds' devices is well within the limits set by the risk
assessment.
But many companies want the power of handheld devices to keep
staff productive while working remotely. Limiting device
functionality can limit advantages.
Lawyers at Turcan Connell need access to sensitive files while
travelling, at home and while disconnected from the company's
servers. There is no choice but to keep files on the handheld
device, says Quinn. Lawyers manage e-mails, personal contacts,
client data and a calendar. Client-related documents may also be
kept on the device.
"The ability to remotely wipe the device is crucial," says
Quinn. If the device is lost or stolen, a command can be issued to
delete the data. To help, Turcan Connell sourced software from
mobile device software supplier Synchronica. The software allows
Quinn to lock the device and wipe the data, along with another more
ostentatious feature.
"There is a nice facility to 'lock and scream'. When you switch
the device on it screams at you. A loud scream. If you remove the
battery it will stop, but as soon as you put the battery back in,
it will start screaming again.
"We had to do it on one occasion. We had one of our lawyers'
bags stolen from his car and it contained the device. When a device
is reported missing, we have a policy to immediately change that
user's account password," Quinn says.
"So even if the thief bypassed the security, the device would
not be able to synchronise back to the main Exchange server. We
changed the password and used Synchronica to wipe the device."
The "scream" feature relies on central control for activation.
However, a feature that is possibly more secure is what Green calls
the "dead man's handle". This idea is inspired by the railway safety
device that ensures a train stops if the driver falls asleep or
suffers a heart attack.
For mobile devices, if you do not enter your password
periodically, or if the device cannot call home, it switches off,
perhaps deleting sensitive data.
"If the device is no longer connected to the network then after
a while it is going to shut itself off. Of course, that is rather
user unfriendly. Some of the things you want to do for the sake of
security contradict usability, and some of them contradict other
things that you want to do," says Green.
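An added illustration, not part of the original article or of any
vendor's software: a minimal policy evaluator for the "dead man's
handle" idea, showing how a device that stops checking in escalates
from locked to wiped. All names and time thresholds are assumptions;
only the five-attempt log-on limit appears in the article, and its
consequence (a lock) is assumed here.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

NONE, LOCK, WIPE = "none", "lock", "wipe"


@dataclass(frozen=True)
class Policy:
    # Assumed thresholds, chosen for illustration. Only the five-attempt
    # limit comes from the article; its consequence (lock) is assumed.
    max_failed_logons: int = 5
    reauth_every: timedelta = timedelta(hours=8)
    lock_if_silent: timedelta = timedelta(hours=24)
    wipe_if_silent: timedelta = timedelta(hours=72)


@dataclass
class Device:
    last_password: datetime   # last successful password entry
    last_checkin: datetime    # last authenticated contact with the server
    failed_logons: int = 0


def evaluate(dev: Device, pol: Policy, now: datetime) -> str:
    """Return the strongest action the policy requires at `now`."""
    silent = now - dev.last_checkin
    idle = now - dev.last_password
    # A clock moved backwards would make both timers negative and quietly
    # disarm the handle, so treat it as tampering.
    if silent < timedelta(0) or idle < timedelta(0):
        return LOCK
    if silent >= pol.wipe_if_silent:
        return WIPE
    if (silent >= pol.lock_if_silent or idle >= pol.reauth_every
            or dev.failed_logons >= pol.max_failed_logons):
        return LOCK
    return NONE


def escalation(dev: Device, pol: Policy, start: datetime, hours: int):
    """Hour offsets at which the action changes for a device that never
    phones home or unlocks again after `start` (e.g. lost or stolen)."""
    changes, previous = [], None
    for h in range(hours + 1):
        action = evaluate(dev, pol, start + timedelta(hours=h))
        if action != previous:
            changes.append((h, action))
            previous = action
    return changes
```

The gap between the lock and wipe thresholds is where the usability
trade-off Green describes is tuned: a short gap limits exposure, a long
one spares a lawyer on a long flight from losing local data.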
The difficulty for users adapting to security features is something
both Quinn and Walker have had to address through user training,
seminars and enforcement.
Walker is certain his users would love free-roaming access to
the internet and access to all their network drives, but he says it
is simply not possible. "If we gave that sort of access we would
not have a tight control over security. It is necessary to protect
the integrity of the company. This is company equipment, after all.
This is the way we do things," says Walker.
Such constrictive policies can annoy users, and password
management can be a particular area of conflict.
"Putting on and using the security on your laptop is just one
more barrier to being able to work effectively. It is all very well
for IT people to put security barriers on devices, but if you are
trying to do work and each time you have to put in hordes of
passwords you will get round it as best you can," says Green.
He admits to changing his own Blackberry's automatic password
time out from two minutes - as set by his IT department - to two
hours. "I have made it less secure, but I have made it less secure
because I want to work, not because I am cruel or because I want to
make things less secure. I just want to do my job," he says.
Most enterprises still rely heavily on passwords as a security
measure. Newer identity and access management systems, which may
include multifactor authentication such as biometrics and smart
cards, are seen as overbearing.
"One of the realistic arguments against fully-functioning
identity and access management systems is that they are too
complicated and too expensive to police and monitor and control.
There is too much going on," says Kellett.
"Those organisations who have done better out of using this type
of system have been the ones who have stepped back in the very
beginning and said, 'what are the key things that we are trying to
achieve here?' If you try and achieve everything in a big project,
dragging everybody in at the same time and linking in all the
access codes, you end up restricting the organisation itself."
Quinn tries to balance security and usability. He accepts that
the background fear of data compromise will always be with him, but
he is confident in his "robust security arrangements". He is now
considering new applications for further business advantages.
"We want to establish as many core systems on the mobiles as we
can. It is critical when you have a high volume of your workforce
that is actively mobile that they have access to the information
that they need to do their job," he says.
Fear of mobility should not constrict the users unduly or
prevent the enterprise advancing. As Quinn says, "The more you can
give the users, the greater the enhancement to the business."
Comment on this article:
computer.weekly@rbi.co.uk