[dundee] Securing data on devices you don’t own

Robert Ladyman it at file-away.co.uk
Fri Sep 10 08:41:46 UTC 2010


> On 8 September 2010 16:46, Robert Ladyman <it at file-away.co.uk> wrote:
> > Slightly off-topic, but I thought approaches interesting
> >
> > http://www.computerweekly.com/Articles/2010/09/08/242661/Own-nothing-control-everything-five-patterns-for-securing-data-on-devices-you-dont.htm
> 
> Sounds like enterprise snake-oil to me, that merely makes it a little
> inconvenient to spread information, rather than offering any real
> security.  Now, sure, in practice that may be enough... but let's be
> clear, at best all these techniques are mere obfuscation, not
> security... here are some issues:
> 

Note that I'm not connected with this company in any way, in case people think 
I'm biased: the article has interesting issues for corporate data-control in 
general (ignoring their "New Network Architecture" - what they are doing is 
just border-less networking, really) and for considering when drawing up a 
User Requirements Specification for a new system. 

And anyhow, I like a good discussion.

> "The advantage of thin client is that data never leaves the server -
> it is only rendered on the endpoint."
> 
> Rendering on a thin client *is* data leaving the server...  Also if
> you don't own a thin client, how do you know it's really thin, and not
> just copying all the data it views?

That depends on how thin your client is - think dumb old serial terminal: also, 
rendering the data is not necessarily the same as, nor as useful as, the data - 
try searching for text in a rendered PDF file, for instance (you cannot, it's 
a bit-image). If you are streaming an image of the O/S to a distant device 
(e.g. via VNC) and there are no local facilities available, that is thin-
client-enough (you can never stop a screen-capture, but that is not the issue: 
you are wanting to protect information from being on a possibly stolen 
device). Some data always leaves the server, but data is not necessarily 
information. 

> 
> "For insurance, thin devices can be remotely wiped - making them truly
> "disposable," unlike PCs. "
> 
> Again if you don't own the device, how can you trust that the device
> will actually wipe the data, rather than just say it did?

You make it a contractual / URS issue when you select the device(s) / permit 
it access to your systems. It's the first line of that section: "The thin 
device pattern constrains access by limiting the type of device used to access 
the data". In other words, although you do not own the device, you manage its 
access by ensuring that it is of a class that can be managed (although you 
cannot impose device-kill on a device that is not owned by the organisation, 
you can enforce encryption, etc.). The management of mobile devices (which is 
really what they are worried about here) is awkward but possible.

> 
> "Sensitive information sits inside a compartmentalised processing
> environment that is separated from the user's local operating system
> environment - essentially a "bubble" - whose security and backup
> properties are controlled by IT."
> 
> Again, how do IT control the 'bubble' when they don't control the
> processes surrounding it?

Again, this is about theft of the device rather than anything else: assume an 
encrypted storage area for a virtualised O/S, with password access to the O/S 
(with destruction via too many password attempts or failure to sign it / 
detection of a remote 'nuke' flag).  

> 
> The whole concept is just like DRM... everyone has to play ball for it
> to work, and it's easily compromised and inherently flawed anyway.
> 
Yes, it is entirely about digital restrictions, but in the proper sense - the 
restrictions are for the owner rather than the seller (it's like the reverse 
of the DRM for music). The user of the information is not the owner in this 
case, but an employee (or whatever); the owner is the business entity. 
There is a legal obligation for businesses to control information and access 
to that information: the UK ICO basically states that if you could have done 
something (e.g. encryption) but didn't, you are at fault.
Not everyone has to play ball at all: what you are wanting is to make a best 
effort, so that if the device falls into the wrong hands they are more likely 
to have only the value of the device, not the device plus your information, and 
that you are compliant with regulations (even if it's just best-effort). 


> Personally I think having these systems is more dangerous than not, as
> it makes people think that truly sensitive data is safe when
> distributed over them... and it's not!  i.e. it gives people a false
> sense of security, which may cause them to make unsafe decisions with
> data.
> 
> 

I agree and disagree: having these systems is less dangerous for the entity 
(in terms of compliance, at least) than not having them. If implemented 
blindly with a 'just add water' mentality it will be dangerous: if considered 
in terms of the entire information-management policy they indicate options 
that can be considered and evaluated against any proposed solutions / packages 
/ new infrastructure. 


-- 
Robert Ladyman
File-Away Limited
3 Ralston Business Centre, Newtyle, Blairgowrie
Perthshire  PH12 8TL SCOTLAND
Tel: +44 (0) 1828 898 158
Mobile: +44 (0) 7732 771 649
http://www.file-away.co.uk

============================================
Registered Office: 32 Church Street, Newtyle, Blairgowrie
Perthshire, PH12 8TZ SCOTLAND
Registered in Scotland, Company Number SC222086
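As an added illustration (not from the thread, the article or any product), here is a Python sketch of the 'bubble' unlock logic Robert describes in his reply about the compartmentalised environment: a container key wrapped under a password-derived key, a failed-attempt counter, and a remote 'nuke' flag, either of which destroys the wrapped key. The XOR key-wrap, the PBKDF2 parameters and the attempt limit are assumed simplifications.

```python
# Added example (constructed, not from the article or any product): the
# 'bubble' unlock policy sketched in the message above.
import hashlib
import hmac
import secrets

MAX_ATTEMPTS = 5             # assumed policy value
PBKDF2_ITERATIONS = 100_000  # assumed work factor


class Bubble:
    def __init__(self, password: bytes, max_attempts: int = MAX_ATTEMPTS):
        self.salt = secrets.token_bytes(16)
        self.max_attempts = max_attempts
        self.failures = 0
        self.destroyed = False
        dek = secrets.token_bytes(32)   # container key; never kept in clear
        kek = self._derive(password)
        # Simplified key wrap: XOR under the 32-byte KEK (one-time-pad style),
        # plus an HMAC tag so a wrong password is detected before any use.
        self.wrapped = bytes(a ^ b for a, b in zip(dek, kek))
        self.tag = hmac.new(kek, self.wrapped, "sha256").digest()

    def _derive(self, password: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password, self.salt,
                                   PBKDF2_ITERATIONS, dklen=32)

    def destroy(self) -> None:
        """Lockout or remote 'nuke': discard the wrapped key so the container
        cannot be opened through this device's unlock path again."""
        self.wrapped = None
        self.tag = None
        self.destroyed = True

    def unlock(self, password: bytes, nuke_flag: bool = False):
        """Return the container key on success, None otherwise."""
        if nuke_flag:               # e.g. a kill flag seen on the next sync
            self.destroy()
        if self.destroyed:
            return None
        kek = self._derive(password)
        expected = hmac.new(kek, self.wrapped, "sha256").digest()
        if not hmac.compare_digest(expected, self.tag):
            self.failures += 1
            if self.failures >= self.max_attempts:
                self.destroy()      # too many attempts: unrecoverable
            return None
        self.failures = 0
        return bytes(a ^ b for a, b in zip(self.wrapped, kek))
```

The counter only bounds guesses made through unlock(); someone who images the storage is limited only by password strength and the PBKDF2 cost, which is exactly why the thread calls this best-effort rather than absolute protection.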
