Develop a security strategy for mobile working

There have been numerous stories in the news recently involving the security — or more accurately, the lack thereof — of mobile computers. An employee's laptop is lost or stolen and thousands or even hundreds of thousands of the organisation's clients are at risk of identity theft because sensitive information, such as social security numbers or credit card numbers, was stored on the laptop. In addition to the obvious problems this causes for the clients, it doesn't do much for the reputation of the company.

This type of occurrence is on the rise because mobile computing is a fact of life in today's business world. We can't always wait until we get back to the office to get work done, and that work sometimes involves confidential information. When your business is small, you have fewer employees who go on the road with company computers or who take their work home. As the organisation grows, it becomes more and more difficult to keep up with who has what on which hard drive and where that data goes.

That's why it's important to develop security policies for mobile computer users from the beginning, and ensure that those policies can accommodate users' needs — without putting clients or the company at risk — as your business grows.

Zero tolerance policy
Some security experts advocate a complete ban on the practice of storing sensitive data on laptops. A recent AP article out of Boston quotes a Gartner analyst who takes this position. The idea is that mobile users can connect to servers that hold the data when they need to work with it. This would solve another problem besides security: eliminating the problem of multiple, inconsistent copies of files floating around. But is it really more secure?

Although a zero tolerance policy for data storage on laptops would make it less likely that laptop thieves would have access to the data, it could result in other security risks. Employees who have to connect to the office server to work with the data will probably have VPN connections configured and readily accessible, perhaps with their credentials for connecting to the office network saved for ease of use. That means a thief who's able to log onto the computer may be able to access, instead of just the data files the laptop owner was working with, everything on the office network that the user has permissions to access — at least, until the theft has been reported and the user's account restricted.

Under this policy, a user will typically be connected to the Internet, and to the company network through a VPN, when working with the sensitive data. He may still be vulnerable to attacks from the outside, including key logger or screen capture attacks that can send copies of what he's working on back to a hacker, so that he doesn't even have to lose physical possession of the laptop to have the information stolen.

But perhaps the biggest problem is that it just won't always be feasible. There may be times when it's necessary to transport sensitive files out of the office; for example, if an executive needs access to them while in a location with no Internet access or other way to connect back to the company network. So what can you do in those cases to prevent sensitive information from getting into the wrong hands?

Encryption, encryption, encryption
Everyone's heard that the most important factor in buying real estate is "location, location, location." When it comes to protecting the confidentiality of data, the mantra is "encryption, encryption, encryption". If you have users who must take sensitive files off-site, the question isn't "should they be encrypted?" but rather "how should they be encrypted?"

The simplest solution when using the Windows 2000/XP/Vista operating systems is the Encrypting File System (EFS) built into the OS. But there are drawbacks. EFS is designed to be transparent to the user, but that means…