The proliferation of laptop computers also compounds the potential for security breaches. Typically, a user's encryption key has been stored on the laptop (it would be pointless sending it up and down the network). Laptops are frequently stolen from cars - complete with highly sensitive data complete with the encryption key!
Outsourcing the non-core - outsourcing the secrets
There are compelling arguments for outsourcing non-core elements of the business, but this simply exacerbates the security exposure. To put a figure to the problem, an IDC report asking top company executives about outsourcing, reveals that 87% believe that security was the dominant issue. In more than 50% of instances where companies pull back from the outsourcing decision, it is simply because of the security exposure. Stated simply: whoever has administrative access to the infrastructure, has access to the data content. In all currently available systems - everything from mainframe legacy systems to fileservers and client workstations - whoever has administrative rights to the operating systems, has access to the data content. Even using Microsoft's encrypted file system (EFS), if you are an administrator of the operating systems or Domain, you either have automatic access, or can get access, to the data content, encrypted or not.
Security in today's real world
I have painted a somewhat black picture. There are techniques available today that almost completely address the issues that I have described but, surprisingly, even data security professionals are frequently not au fait. There are simple solutions to securing data across extended networks, the internet and even physically vulnerable laptops, and there are ways of outsourcing functions whilst retaining an iron control over access to the data (even from within the It department). And the good news is that it is even possible to ratchet up security whilst making life easier for end users.
The secret is for the board not to abrogate responsibility on the grounds that IT security is a complex, technical problem. They really need to invest the time into understanding the issues and being able to assess for themselves whether the right security strategy is in place.
Armoursoft is a leading data security organisation, specialising in encription and data access solutions. Company web site: http://www.armoursoft.com
By subscribing to our early morning news update, you will receive a daily digest of the latest security news published on Help Net Security.
With over 500 issues so far, reading our newsletter every Monday morning will keep you up-to-date with security risks out there.