[dundee] Securing data on devices you don’t own

Rick Moynihan rick.moynihan at gmail.com
Thu Sep 9 22:45:54 UTC 2010


On 8 September 2010 16:46, Robert Ladyman <it at file-away.co.uk> wrote:
> Slightly off-topic, but I thought approaches interesting
>
> http://www.computerweekly.com/Articles/2010/09/08/242661/Own-nothing-control-everything-five-patterns-for-securing-data-on-devices-you-dont.htm

Sounds like enterprise snake-oil to me, that merely makes it a little
inconvenient to spread information, rather than offering any real
security.  Now sure, in practice that may be enough... but let's be
clear, at best all these techniques are mere obfuscation, not
security... here are some issues:

"The advantage of thin client is that data never leaves the server -
it is only rendered on the endpoint."

Rendering on a thin client *is* data leaving the server...  Also if
you don't own a thin client, how do you know it's really thin, and not
just copying all the data it views?

"For insurance, thin devices can be remotely wiped - making them truly
"disposable," unlike PCs."

Again if you don't own the device, how can you trust that the device
will actually wipe the data, rather than just say it did?

"Sensitive information sits inside a compartmentalised processing
environment that is separated from the user's local operating system
environment - essentially a "bubble" - whose security and backup
properties are controlled by IT."

Again, how do IT control the 'bubble' when they don't control the
processes surrounding it?

The whole concept is just like DRM... everyone has to play ball for it
to work, and it's easily compromised and inherently flawed anyway.

Personally I think having these systems is more dangerous than not, as
it makes people think that truly sensitive data is safe when
distributed over them... and it's not!  i.e. it gives people a false
sense of security, which may cause them to make unsafe decisions with
data.



R.


