Headlines across several business news services recently read something like "Laptops Prove Weak Point in Computer Security". No, that's not an actual headline, because I don't like getting flame e-mail from attorneys, but it's similar to several.
The articles were prompted by Fidelity's announcement that it suffered a single laptop theft, and in that misfortune exposed yet another 200,000 customer records from its retirement account division to the prying eyes of identity thieves, or whomever. And this "proves" that laptops are the security threat.
See, I don't agree with that. Laptops are only a security threat if you allow them to be. Put your thinking cap on, and put together a plan that would negate - or at least mitigate - laptop-security holes. Now put it into one of those colored manila folders and have one of those gentle, slow-talking explanatory meetings with the folks upstairs. They'll give you that condescending, we're-not-doing-this look, whereupon you smile (gently now) and walk out.
Weeks, months, years later, some yahoo employee exposes a couple hundred-thousand credit card numbers to organised crime bosses in Moscow by leaving his laptop plugged in at Starbucks while he visits the john. Lawyers call. Auditors call. The folks upstairs rush downstairs a-hootin' and a-hollerin' and looking to leave with your butt in a briefcase; now you smile (gently now) and slide that same manila folder across your desk.
What's the plan in that folder? Actually, there's any number of ways to mitigate laptop-security problems, and most are dependent on what kind of business you're handling. Loads of sensitive consumer data? You can start by asking why this is on a laptop on the first place. No real reason, unless some yutz wanted to run a couple of hundred thousand credit checks from home.
When you've identified who should access sensitive information, where, and when, you can start putting policies in place to enforce that. The limits are bound only by your workaround imagination. How about grabbing every MAC address associated with every laptop your company owns? These could then be barred from storing certain kinds of data - such as, say, any records from the database handling credit card numbers. In fact, maybe only those MACs associated with desktops are even allowed to see that store.
Is all this part of Windows 2003? Not quite. The policy-based stuff you can manage; but drilling down to MAC-level access may require a workaround using a higher-level desktop management tool such as the ones from Altiris. Keeping data secure to desktops might require shutting down certain hardware functions, such as USB ports, so data can't get transferred via thumb drives - and that might require third-party solutions such as FullArmor IntelliPolicy.
This is quite a bit of work, and if security really is this much of a concern to you, then a full-scale desktop redesign might be another way to go. There are turnkey desktop systems available with this kind of management built in. My favorite has always been ClearCube's blade workstation system.
These are blade-based PCs that use existing Cat5 cabling to channel KVM traffic and basically move the rest of the network into the datacenter. Users get KVM equipment plugged in to a small desktop box, called a C-Port, that also has a couple of built-in USB ports. You can disable these or simply configure them to recognise only certain peripherals such as printers but not storage volumes.
ClearCube recently let me talk to a customer, InterFix, which is using the company's solution to do medical transcriptions in Trinidad and Tobago. InterFix employs low-cost data entry personnel there to do fast-turnaround transcriptions, and using a secure ClearCube setup, the company handles data entry, data communications back to InterFix's HQ in Atlanta, and even data fail-over. And all that's under the careful eye of HIPAA (the US medical privacy rule).
Data-entry personnel can't accidentally expose data because they can't move it off InterFix's network. They can't steal data because often the data entry operator isn't even local to the ClearCube blade; the actual data is hundreds of miles away.
Sure, it's more expensive. The blades are more expensive, the racks cost money, and there's the added need for power and cooling. But those savings are mitigated by a reduction in the need for desktop management personnel. (InterFix, for instance, is managing several hundred users with only two IT workers.) And, of course, there's a drastic reduction in the risk of accidental data exposure.