Security and Collaboration Systems: Let's Not Forget the Simpler Actions
There is no end to the investment you can make in securing your organization’s collaboration systems. In previous articles in this magazine, we have discussed collaboration system security from various perspectives: the risks in using hosted collaboration systems (2007), how to share documents in a secure way (2008), and most recently, a more general look at security considerations for collaboration systems (2009). But what happens if we make perfect investments in securing our collaboration systems, only to have end-users lose the devices they use to access those systems? With the proliferation of laptop- and smartphone-toting end-users, we have the makings of a disaster, if these devices are lost or compromised. What can we do to minimize these risks?
The Laptop
Back in 2008, the Ponemon Institute, a research think tank, claimed that 10,000 laptops are lost or stolen each week at 36 major airports across the United States. The number seems suspect based on the methodology outlined, but even if it’s 10x too many, that’s still a lot of laptops being lost or stolen each week! And that just reflects U.S. numbers. How can we mitigate the risk of end-users losing their laptops?
The first action is to work on the security of the physical device. Give people laptops that are light and easy to carry around. If your people have heavy and unwieldy laptops that strain their backs and make lugging the thing around a chore, it’s time to check out some of the newer, lighter laptops. Perhaps having a heavy laptop is sufficient motivation for some staff to leave the thing behind by mistake! Another way to minimize the physical threat of loss within airports is to issue your staff with one of the newer checkpoint-friendly laptop bags, which allow laptops to clear airport security without being taken out of the bag. The basic idea of a checkpoint-friendly bag is that since a laptop has to be scanned by itself, with no interference from other items in the bag, newer laptop bags are specially constructed to allow the isolated scanning of the laptop while it remains in the bag. For example, the Mobile Edge ScanFast Checkpoint Friendly Briefcase splits in half via a zipper and then lies flat to be scanned. The laptop is in one compartment, and everything else is in the other compartment. Both compartments remain joined at all times, and when the owner picks up their laptop bag, they get everything in one go. Finally, make sure that laptops are labelled with the user’s name and phone number, so if the laptop is left behind by mistake, there is always the option for the finder to call the owner and offer to return it. If it’s not labelled and the computer is appropriately tied up with encryption and security settings, an honest person is not going to have the option of returning it.
The second action is to make a decision about data security, if the physical security of the device is compromised. The basic rule is that if someone is going to steal the laptop, at worst let them have the device, but never the data it contains. An easy first step is to make it a policy that all laptops boot up from sleep to a password screen. A second step is to encrypt the data on the laptop. Microsoft Windows Vista and Windows 7 can be purchased with integrated encryption support; you’ll need the Professional or Ultimate editions to locally encrypt the disk. And Apple Mac OS X includes an encrypted drive option too. In both the Windows and Mac OS instances, the encryption option has to be set; it’s not a default setting. A third step is to sign up for one of the Internet-based laptop tracking services. In essence, the laptop “calls home” each time it is connected to the Internet, and if the laptop has been listed as lost or stolen, various actions can be taken to assist with recovery of the device. A final step is to have some way of remotely wiping the laptop if it is stolen, thus rendering it useless to the thief.
Some firms are taking a more radical approach to data security and laptop access. No data is ever stored on the laptop. It’s all on company servers or hosted services. If a laptop is lost, the only thing that has to happen is to re-issue a new laptop to the user, and enforce a change to all system or service passwords. The user isn’t put out, because all of their data remains uncompromised, and the firm isn’t put at risk because the laptop is clean. Actually, the user can use any machine available to access their systems and data, not just the company issued laptop, should the worst happen and it gets lost or stolen.
The Smartphone
Mobile device access to collaboration systems has been an interest here at Messaging News for many years, and it’s just recently that there has been a leap in the availability of good quality applications to enable this. But with this flourishing of access options comes the problem of device loss, and these small form factor devices are easy to leave behind in a taxi or otherwise misplace. The Research In Motion BlackBerry is the current gold standard with respect to device data security, with enterprise manageability options in the BlackBerry Enterprise Server for the remote wiping of a BlackBerry device should it be lost or stolen. Although the thief gets the device, when it’s next turned on and connected to the network, all data on it is wiped. The Apple iPhone includes a power-on password option, along with the option to locally wipe all user data if the password is entered incorrectly too many times. And with a subscription to MobileMe, the online Apple service, there is an option to track down your iPhone should it be misplaced.
Finally, no discussion of smartphone (and laptop) security is complete without calling out CREDANT Technologies, and its range of offerings for device and data security. If you are re-evaluating your organization’s approach to mobile device security, check out the Mobile Guardian Architecture from CREDANT. In addition to offering end-user beneficial capabilities for data encryption and device security, it includes centralized management abilities that are essential for IT organizations.
Easy Does It
So what’s the point of this discussion? That if you don’t get the basics right (your people knowing how to look after the equipment they are given), it really doesn’t matter what you spend on IT-oriented solutions to secure collaboration systems, or any system for that matter. With a bit of planning, and the use of some fairly simple capabilities, you can go a long way towards mitigating the risk of losing a laptop or smartphone. Don’t dismiss the ideas just because they sound simple: they work!
Messaging News writer Michael Sampson advises organizations on improving the performance of distributed teams. He writes at http://www.michaelsampson.net and can be reached at michael [at] michaelsampson [dot] net
