Monday, June 19, 2006

Laptop encryption? I have a better idea.

I just read an AP article from last week, entitled Encryption can save data in laptop lapses. We hear about this problem in the news all the time now: someone loses a laptop with personally identifiable information about thousands of {customers|taxpayers|veterans|others}.

This is a real problem, make no mistake, but articles like this one are starting to piss me off. Instead of talking about encryption, let me propose a much more revolutionary idea: don't put the freakin' data on the laptop in the first place!

Laptops are designed to be mobile, and are easily lost, stolen or broken. Good encryption practices are rare (hint: it's not just a matter of software, but also of implementation, policy and user acceptance). Instead of worrying about who's laptop is going to be stolen next, let's try to address the real issue: does that data really need to be stored on the laptop in the first place?

If mobile users need access to data in the field, make them VPN back to the corporate network and work on it there. And don't tell me things like, "But we need to work on the plane" because you don't. You may want to work at 26,000 feet (it's better than watching Firewall on the tiny screen), but my privacy rights outweigh your productivity crisis anytime.

Let me end this rant by saying that if your company insists on placing your customers' personal information on laptops or other mobile devices, encrypted or not, I hope they hammer you in court.

Update 2006-06-09: Finally, some mainstream coverage for this apparently radical idea! In a story entitled Why Do Laptops Schlep Such Data?, the unnamed AP author raises the question about whether carrying such data around on mobile devices is appropriate. Short answer: "No, but some people will inevitably find a way to do it anyway." No doubt this is true, and that's why routine encryption of mobile data remains important. Just don't be confused about the proper use of mobile encryption: It's not the first line of defense, it's the last. It ideally only comes into play once someone has violated corporate policy by copying data onto the device.

Unfortunately, the article does miss (badly!) on an important point. The second-to-last paragraph describes software that "shreds" data on the hard drive if the laptop is stolen. The idea behind this type of so-called protection is absurd. The laptop's OS and security software has to be running in order for this to be effective, but any competent computer thief can swap out a hard drive and copy the data with only a few moments' work.


Michael Farnum said...

Mr. Bianco,

I must ask that you clarify who you are speaking to in the last paragraph of your post. I can somewhat gather from the next to last paragraph that you may be speaking towards execs, owner types, sales guys, etc. (and possibly lazy "security" guys who don't bother with due diligence), but you also speak directly to the security pro in the first sentence of that paragraph by saying "If mobile users need access to data in the field, make them VPN back to the corporate network and work on it there."

I am seeing no thought or exception for those security pros who work for cheap or brainless execs / owners who see no reason for the measures of which you are speaking. If you are referring to all security pros, including those who have fought the battle but have lost, then you are really beating up on the wrong people. Yes, those security pros can leave that brainless company, but that is not always an immediate consideration. Many companies bring in security guys to make themselves look like they are serious about security, then they don't give them any resources with which to do their job. There are those of us who fight this day in and day out and cannot make a dent. Sorry if I sound like I am whining, but the truth is the truth.

I do enjoy your blog. Thanks for doing it.

David Bianco said...
This comment has been removed by a blog administrator.
David Bianco said...

Hi, Michael. Thanks for taking the time to leave such a well-written comment. Your point is well taken, that my antecedent is a little confusing in the last phrase. I was referring to the company, not to any individual. There probably *are* cases where individuals should be held personally accountable (whoever gave the VA laptop guy permission to take the data offsite might be a good candidate), but I assume that my readers have a clue, and thus wouldn't be the ones on the hotseat.

As for your other point, it certainly is true that clueless organizations sometimes employ great security admins, only to ignore their advice. We've all been there, or at least seen it firsthand. In that case, getting sued might be the best thing for the company's security program. If that's what it takes to get them to care about security, then so be it. I just hope the clueful security pro has a record of all of his ignored memos.