Unfortunately, the convenient and easy access you want to provide to your laptop users also provides the same convenience and accessibility to those with malicious intent. Also, a malicious user doesn't even have to hack into a laptop they just have to steal it. Once it's in their possession, they have access to any company information on the laptop, including sensitive customer and employee information, confidential company plans or a host of any other privileged information. A prospective laptop thief can also hang around an airport lounge or Starbucks, for example, and wait to steal an unattended laptop. Again, no hacking tools or fancy network tricks are required.
The other access control method you mention for your floating laptops -- a single user ID and password for all the laptops -- also creates opportunities for malicious access and use. While it may be a hassle to set up, each user -- not each laptop -- should have their own unique user ID and password for accessing their account on the laptop. Set up an access management system for this. Otherwise, from an information security perspective, you'll have a single point of failure. If one laptop is compromised, the thief can access any other laptop.
If for whatever reason, either business or technical, you want your users to have the local administrative rights, make sure you have disk and file encryption in place.
One popular enterprise tool is SafeBoot. It's available for many different types of mobile devices, not just laptops. If a laptop has SafeBoot, unless they have the right logon credentials, or user ID and password, all they'll get is an encrypted drive with useless scrambled data. PGP, another vendor, offers a similar product for disk encryption.
Also, before installing any encryption software, conduct a thorough risk analysis of the data that resides on the laptop, and ask yourself the following questions during this process:
- Who is using the laptop and why?
- What is the laptop being used for and what data is carried on it?
- Is the data sensitive customer data, or marketing presentations with publicly available information about the company? This will determine the risk level and whether disk encryption is even worth the cost.
- Can the laptop be used for accessing the corporate network from a remote location? If so, how much access is granted? Is it for accessing e-mail, or for going deeper into company file servers with sensitive information?
This was first published in May 2006