There have been numerous stories in the news recently involving the security--or more accurately, the lack thereof--of mobile computers. An employee's laptop is lost or stolen and thousands or even hundreds of thousands of the organization's clients are at risk of identity theft because sensitive information such as social security numbers or credit card numbers was stored on the laptop. In addition to the obvious problems this causes for the clients, it doesn’t do much for the reputation of the company.
This type of occurrence is on the rise because mobile computing is a fact of life in today’s business world. We can’t always wait until we get back to the office to get work done, and that work sometimes involves confidential information. When your business is small, you have fewer employees who go on the road with company computers or who take their work home. As the organization grows, it becomes more and more difficult to keep up with who has what on which hard drive and where that data goes.
That’s why it’s important to develop security policies for mobile computer users from the beginning, and ensure that those policies can accommodate users’ needs--without putting clients or the company at risk--as your business grows.
Zero tolerance policy?
Some security experts advocate a complete ban on the practice of storing sensitive data on laptops. A recent AP article out of Boston quotes a Gartner analyst who takes this position. The idea is that mobile users can connect to servers that hold the data when they need to work with it. This would actually solve another problem besides security: eliminating the problem of having multiple, inconsistent copies of files floating around. But is it really more secure?
Although zero tolerance for data storage on laptops policy would make it less likely that laptop thieves would have access to the data, it could also result in other security risks. Employees who have to connect to the office server in order to work with the data will probably have VPN connections configured and readily accessible, perhaps with their credentials for connecting to the office network saved for ease of use. That means a thief who’s able to log onto the computer may be able to access, instead of just the data files the laptop owner was working with, everything on the office network that the user has permissions to access--at least, until the theft has been reported and the user’s account restricted.
Under this policy, a user will typically be connected to the Internet, and to the company network through a VPN, when working with the sensitive data. He may still be vulnerable to attacks from the outside, including key logger or screen capture attacks that can send copies of what he’s working on back to a hacker, so that he doesn’t even have to lose physical possession of the laptop to have the information stolen.
But perhaps the biggest problem is that it just won’t always be feasible. There may be times when it’s necessary to transport sensitive files out of the office; for example, if an executive needs access to them while in a location with no Internet access or other way to connect back to the company network. So what can you do in those cases to prevent sensitive information from getting into the wrong hands?
Encryption, encryption, encryption
Everyone’s heard that the most important factor in buying real estate is "location, location, location." When it comes to protecting the confidentiality of data, the mantra is "encryption, encryption, encryption." If you have users who must take sensitive files off site, the question isn’t “should they be encrypted?” but rather “how should they be encrypted?”
The simplest solution when using the Windows 2000/XP/Vista operating systems is the Encrypting File System (EFS) built into the OS. But there are drawbacks. EFS is designed to be transparent to the user, but that means anyone who can log on with that user’s account can read the encrypted files. By default, EFS stores the private key on the hard disk, but you can export it, delete it from the hard disk and keep it on removable media that you carry separately from the computer for better security.
You can also add an extra layer of security by requiring two-factor authentication to log onto the computer. This means the user must not only provide credentials (which a thief might be able to crack) but must also provide a smart card, token or biometrics such as a fingerprint.
Another solution is to use a third-party encryption product that supports strong algorithms. There are many software programs that will encrypt either selected files or the whole disk. Many of these also support two-factor authentication. Some laptops support hardware-level encryption, and some of these come with built-in fingerprint or smart card readers.
Divide the goodies
Even if users aren't able to connect to the central server to access sensitive files, that doesn't mean those files have to be stored on the laptop itself. By storing the data files on a removable USB flash drive or a writable CD/DVD and keeping it separate from the laptop (not just out of the computer but in a different case) when it’s not being directly used, you reduce the chances of a thief getting it since he’s likely to just go for the computer case and not take your other luggage.
Redact that document
Another precaution you can take is to copy only partial records to the removable disk. Removing sensitive information from a document is called "redacting" and this can be done before an employee is allowed to take the document on the road.
Some databases will allow you to copy only selected fields, and workers don’t always need information such as social security numbers in order to do their tasks. In fact, there is software that can scramble or encode those numbers so that if a thief gets possession of the document, the most sensitive information can’t be read.
Other protective measures
If it’s absolutely necessary to store sensitive information on the laptop itself, in addition to encrypting the data you can install software that will "call home" and/or shut down if an unauthorized person tries to log on. Some programs will even go so far as to delete and overwrite all the data on the disk when this happens.
Along with technological solutions, don’t forget one of the most important preventative measures of all: educating employees about the importance of protecting their mobile computers and the data on them. Many thefts and losses occur because of carelessness.
Debra Littlejohn Shinder, MCSE, MVP is a technology consultant, trainer, and writer who has authored a number of books on computer operating systems, networking, and security. Deb is a tech editor, developmental editor, and contributor to over 20 additional books on subjects such as the Windows 2000 and Windows 2003 MCSE exams, CompTIA Security+ exam, and TruSecure's ICSA certification.