Layer 8

Security is fundamentally about people, and everything we know about people is relevant to security. -- B. Schneier

Designing security for the masses.

I make mistakes.

Nø realli, I do.  My latest one was, as usual, spending too much time on an expedient deployment and not enough time actually designing it to be both thorough and as easy as possible for the user. 

Let’s take, for example, The Laptop Problem.  We all know what that one is about (especially if you’re a veteran and got one of Those Letters in the mail).  Everyone is saying that the solution to that is encryption.

Okay, walk me through this.  What kind of encryption are we talking about?

Full-disk encryption?  With access controlled by another password?  You know exactly what will happen if you try to deploy that to the common user.  Either the user will just write down that password right next to his Windows password for the laptop, or he’ll ask you to tie the two together in a typical “single sign-on” accommodation.  So you’re just back down to one password between you and the data on the laptop.  If users can’t even get their laptop to operate without decrypting the disk, they’ll take whatever shortcuts they can to get up and running as quickly as possible.

Volume encryption?  You still have the password problem.  You also have to teach the user how to mount the volume, keep all his files in there, and NOT delete them by dragging them to his trash.  You have to make sure his Outlook PST files are in the volume too, and you have to stop the user from leaving copies of the files on his desktop.  And if you’re deploying this to a user who already has his laptop, how do you make sure ALL his existing files get moved to the volume and sufficiently sanitize the places where they used to be?  And if the user can use his laptop just fine without opening the volume, you know he’s going to slip into that habit. 

Just to make things more interesting, bear in mind that there are plenty of cases where a department has a shared laptop.  How do you make sure ALL the users can check out the laptop and use it securely without taping those passwords on the keyboard?

It’s all very well and good to say, “It’s okay if that laptop was stolen, because we have E*N*C*R*Y*P*T*I*O*N on it!” But the reality is, do you KNOW for sure that the user was actually using it?  And where’s the password for the encryption utility being handled?  Are you really, truly providing any more protection than with one Windows password?

Here’s what I would do:

1. Get the laptop back from the user.  Back up all the user files.
2. Sanitize and re-install the laptop.
3. Create the encryption volume to take up most of the disk.  Configure Outlook to put its files there, along with any other applications that might handle sensitive data (that means all the Office apps).  Make “My Documents” point to the volume too.  Restore the user files into that volume.
4. Put the volume encryption key on a USB fob.  Tell the user to put it on the keyring with his car keys so that he’s not tempted just to leave the USB stick plugged in to the laptop all the time.

Alternatively, I’d try the same thing with full-disk encryption, as long as I could make sure that it wasn’t tied in to the Windows login.

What I’d really like to do is put the user’s SSN on the USB fob as well, so that he’d have the proper motivation to protect it—but my boss is a fuddy-duddy and won’t let me do it.  Drat.

But this is the only way I can think of to set things up in such a way that if I get a stolen laptop report, I can say to my management, with a clear conscience, that we not only had encryption installed, but that we did everything we could to make sure the user was actually using it. 
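One way to check that claim after deployment, as an added example (not part of the original post): a small audit that walks a user profile and reports sensitive file types sitting outside the encrypted volume, such as a stray copy on the desktop. The extension list, the `Vault` mount point and the sample tree are assumptions constructed for illustration.

```python
import os
import tempfile
from pathlib import Path

# Assumed list of file types that should live only inside the encrypted volume.
SENSITIVE_EXTS = {".pst", ".ost", ".doc", ".xls", ".ppt", ".mdb"}

def inside(path: Path, volume: Path) -> bool:
    """True if path is the volume root or below it (by path component, not string prefix)."""
    try:
        path.resolve().relative_to(volume.resolve())
        return True
    except ValueError:
        return False

def find_strays(scan_root, volume_root, exts=SENSITIVE_EXTS):
    """Return sensitive files under scan_root that are NOT inside volume_root."""
    scan_root, volume_root = Path(scan_root), Path(volume_root)
    strays = []
    for dirpath, dirnames, filenames in os.walk(scan_root):
        here = Path(dirpath)
        # Do not descend into the encrypted volume if it is mounted under scan_root.
        dirnames[:] = [d for d in dirnames if not inside(here / d, volume_root)]
        for name in filenames:
            f = here / name
            if f.suffix.lower() in exts and not inside(f, volume_root):
                strays.append(f)
    return sorted(strays)

def demo():
    """Build a constructed profile tree and return what the audit finds."""
    with tempfile.TemporaryDirectory() as tmp:
        profile = Path(tmp) / "profile"
        volume = profile / "Vault"  # hypothetical mount point of the encrypted volume
        for rel in ["Vault/My Documents/budget.xls", "Vault/Outlook/mail.pst",
                    "Desktop/budget copy.XLS", "Vault2/notes.doc", "Desktop/readme.txt"]:
            p = profile / rel
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_bytes(b"constructed sample")
        return [str(s.relative_to(profile)).replace(os.sep, "/")
                for s in find_strays(profile, volume)]

if __name__ == "__main__":
    for stray in demo():
        print("outside encrypted volume:", stray)
```

This only checks where files currently live; it says nothing about remnants left in free space by files that were moved or deleted, which is what the sanitize step is for.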

Then again, I could be wrong.  It’s been known to happen.

Posted by shrdlu on Wednesday, July 19, 2006