BB |
Regular |
|
|
Joined: Jun 23, 2004 |
Posts: 340 |
|
|
|
|
|
|
|
|
OK, so your company is putting themselves in a tough position by carrying sensitive information in the laptops to begin with. And users are bringing those laptops around the country and to the workout club. Your company data is at risk.
You might want to look at the solution from a couple of different angles.
1.) Do you have to replicate the information onto the laptop? Do the users work in areas where there is no internet access? If you could always guarantee internet access for the auditors, you could tunnel through the internet with a VPN (Virtual Private Network) which is extremely secure.
2.) If the information positively absolutely has to be stored on a laptop, then, you are counting on the individual user to be accountable for the security.
a.) The secure information could be stored on a separate USB hard drive that remains on a user's keychain or some such.
b.) Encryption software could be purchased that makes a virtual hard disk drive on the laptop to which data could be stored. Truecrypt is a freeware alternative.
c.) A combination of a and b where an encrypted partition is stored on a USB drive.
d.) A combination of a and b where an encrypted partition is stored on the laptop, but a USB key/dongle is required for access.
e.) IBM and Toshiba sell latptops that use fingerprint reader driven encryption.
This article from MIT Information Service & Technology pretty much boils down what security is all about.
Quote: | Volume 20
No. 2 November/December 2004
Security Principles: Identity, Authentication, AuthorizationChristopher Logan
Most of us use some form of authentication daily – for example, when we get money from an ATM machine, log into email, or access the gym with a photo ID. In a world full of passwords and “prox� cards, it’s useful to get a handle on the key principles on which security is based. Identity, authentication, and authorization are closely linked.
Identity distinguishes who someone is or what something is. Identity can refer to a person, program, computer, or data. Identification is the process of establishing who someone or something claims to be.
Authentication is the process of confirming a claimed identity. For exam- ple, motorists identify themselves to police by presenting a driver’s license. Police compare the photo and description on the driver’s license with the motorist to authenticate identity. All forms of authentication are based on something you know, something you have, or something you are.
• Something you know is some form of information that you can recognize and keep to yourself. This could be a personal identification number (PIN) for your bank account or a password. Within the information technology realm, a password is the most common form of authentication.
• Something you have is a physical item you possess. This could be an item like a photo ID or a security token. A security token is a small hardware device such as a proximity or magnetic strip card you carry to authorize access to a service or building.
• Something you are is a human characteristic considered to be unique, like fingerprints, voice tones, and retinal patterns. These are also referred to as biometrics.
Once identity has been confirmed, authorization may come into play. Authorization is the act of granting permission for someone or something to conduct an act. Even when identity and authentication have indicated who someone is, authorization may be needed to establish what he or she is allowed to do. |
TrueCrypt
Check out the beginner's tutorial user-guide on the (freeware open source) TrueCrypt site. It walks you through setting up an encrypted drive letter, which can be either a drive or a file stored on an existing drive. Hopefully the data that you are storing is something that is always replicated from a primary source. Because if someone forgets their password, that encrypted partition is locked forever. You would create your application to read from the encrypted partition drive letter. Obviously you are introducing an additional step to have the user log in to the encryption software to enable access to the partition.
http://www.truecrypt.org/
If a CIA type with a farm of NSA computers applied themselves diligently to the task of breaking the encryption, knowing it was a truecrypt partition, they could attempt a program to guess the password. However, it could be weeks/months to break the key. I would guess that the information stored (SSN/Financial Data) could actually be obtained somewhere else more cheaply. The TrueCrypt software is actually useful for carrying low level national secrets.
The most common security breaches are internal. So if you are going to attempt to secure data, and you are not running background checks on your employees, you are wasting your time. Your employees may be making a few bucks selling internal information on the side. |
|