
NETWORK SECURITY TACTICS
Telecommuting security: Protecting sensitive data inside and out
Joel Dubin 08.07.2006
Rating: 4.50 (out of 5)
The automatic reaction to the Department of Veterans Affairs (VA) laptop theft is to ban telecommuting altogether. Why let employees use laptops on the road or work from home and risk their machines being compromised and sensitive company data getting lost? Why risk bad publicity, or damaging and costly litigation? While seemingly the ideal solution, for most companies and their road warriors, it simply isn't an option. There are ways that telecommuting and working remotely, even with highly confidential customer information, can be done reasonably safely and securely. Let's examine what went wrong in the VA situation, and review some dos and don'ts for telecommuting.
The VA data theft
The VA data theft was largely due to lack of common sense. Unfortunately, when it comes to securing data, common sense often loses out in many companies. Additionally, the employee whose equipment was stolen violated every rule of information security hygiene, but that's beside the point. The data was still lost, policies were either non-existent or ignored, and there probably weren't any best practices.
First, the VA employee took home a lot of sensitive data -- about 26.5 million users' worth -- on a personal laptop and an external hard drive, which means the data was in a format that could be easily taken right out the door. And there probably wasn't a procedure for signing out electronic data, as there might be, say, for a file from a file room. Whoever was responsible for data at the VA didn't properly delegate a custodian to manage and account for it. And if there was such a procedure, the employee ignored it.
Next, the data wasn't encrypted. It was in clear text, easily read by anyone who possessed -- or stole -- it.
The following are the three big rules for handling customer data that the VA violated:
1. Have policies and procedures for accounting for any electronic media holding data. Data owners should delegate handling of their data to a custodian in charge of controlling access, keeping logs and records of all employees who use the data with time stamps of when they're accessing it. The custodian needs to ensure that all data taken outside a facility is checked out, signed out and accounted for. Policies for non-compliance should be clear and strict with disciplinary action, including termination, in serious cases.
2. Encrypt any sensitive data, like customer information, that is taken off the premises on any type of storage device or media.
3. Never store sensitive data on laptops. If there's an unavoidable business reason for transporting sensitive data on a laptop, it should be hardened and secured, and have an encryption tool like SafeBoot.
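To make the three rules concrete, here is an added example (not code from the original article or from the VA) of the kind of sign-out register a data custodian would keep. It records every removal with a time stamp, refuses to sign out media holding sensitive data unless it is encrypted, refuses laptops for sensitive data unless they are hardened, and produces the overdue list the custodian follows up on. The media identifiers, employee name and fixed clock are constructed for the demonstration; the `hours` loan period is an assumed policy value.

```python
"""Added example: a custodian's check-out ledger for media that holds
sensitive data.  All identifiers and the fixed clock are constructed."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable, Dict, List, Optional


@dataclass
class Media:
    media_id: str
    kind: str                 # "laptop", "external_hdd", "usb"
    sensitive: bool           # holds customer or other confidential data
    encrypted: bool           # disk or container encryption enabled
    hardened: bool = False    # laptops only: patched and locked down


@dataclass
class Loan:
    media_id: str
    employee: str
    checked_out: datetime
    due: datetime
    returned: Optional[datetime] = None


class CheckoutRefused(Exception):
    """Raised when a sign-out or return request violates policy."""


class CustodianLedger:
    """Sign-out/sign-in register kept by the data custodian (rule 1)."""

    def __init__(self, clock: Optional[Callable[[], datetime]] = None):
        # Injectable clock keeps the ledger testable; defaults to UTC now.
        self._clock = clock or (lambda: datetime.now(timezone.utc))
        self.inventory: Dict[str, Media] = {}
        self.loans: List[Loan] = []
        self.audit: List[str] = []   # every decision, refusals included

    def _log(self, event: str) -> None:
        self.audit.append(f"{self._clock().isoformat()} {event}")

    def register(self, media: Media) -> None:
        self.inventory[media.media_id] = media
        self._log(f"REGISTER {media.media_id} kind={media.kind} "
                  f"sensitive={media.sensitive} encrypted={media.encrypted}")

    def _open_loan(self, media_id: str) -> Optional[Loan]:
        for loan in self.loans:
            if loan.media_id == media_id and loan.returned is None:
                return loan
        return None

    def check_out(self, media_id: str, employee: str, hours: int = 24) -> Loan:
        media = self.inventory.get(media_id)
        reason = None
        if media is None:
            reason = "unregistered media"
        elif self._open_loan(media_id) is not None:
            reason = "already signed out"
        elif media.sensitive and not media.encrypted:
            reason = "sensitive data on unencrypted media"        # rule 2
        elif media.sensitive and media.kind == "laptop" and not media.hardened:
            reason = "sensitive data on unhardened laptop"        # rule 3
        if reason:
            self._log(f"REFUSE {media_id} to {employee}: {reason}")
            raise CheckoutRefused(reason)
        now = self._clock()
        loan = Loan(media_id, employee, now, now + timedelta(hours=hours))
        self.loans.append(loan)
        self._log(f"OUT {media_id} to {employee} due {loan.due.isoformat()}")
        return loan

    def check_in(self, media_id: str, employee: str) -> Loan:
        loan = self._open_loan(media_id)
        if loan is None or loan.employee != employee:
            self._log(f"REFUSE return of {media_id} by {employee}: no matching loan")
            raise CheckoutRefused("no matching loan")
        loan.returned = self._clock()
        self._log(f"IN {media_id} from {employee}")
        return loan

    def overdue(self) -> List[Loan]:
        """Unreturned items past their due time: the custodian's follow-up list."""
        now = self._clock()
        return [l for l in self.loans if l.returned is None and l.due < now]


def demo() -> CustodianLedger:
    """Constructed scenario: an encrypted drive is signed out, an unencrypted
    drive and an unhardened laptop holding sensitive data are refused, and the
    clock then moves past the encrypted drive's due time."""
    t0 = datetime(2006, 8, 7, 9, 0, tzinfo=timezone.utc)   # constructed fixed clock
    state = {"now": t0}
    ledger = CustodianLedger(clock=lambda: state["now"])
    ledger.register(Media("HDD-01", "external_hdd", sensitive=True, encrypted=True))
    ledger.register(Media("HDD-02", "external_hdd", sensitive=True, encrypted=False))
    ledger.register(Media("LT-07", "laptop", sensitive=True, encrypted=True))
    ledger.check_out("HDD-01", "jdoe", hours=8)
    for media_id in ("HDD-02", "LT-07"):
        try:
            ledger.check_out(media_id, "jdoe")
        except CheckoutRefused:
            pass                      # refusal is already in the audit log
    state["now"] = t0 + timedelta(hours=9)   # HDD-01 is now past due
    return ledger
```

The point of the design is that policy is enforced at the moment of sign-out, not after the fact: a refusal is logged with the same time stamp and detail as an approval, so the audit trail shows both what left the building and what was stopped, and `overdue()` gives the custodian a list to chase before a missing drive turns into an incident.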
Secure telecommuting
It might seem that the best approach for telecommuters with sensitive data is to protect their laptops or remote desktops, but the best practice is in fact the opposite. Keep the data off the laptop, in the data center, hermetically sealed and safely behind your corporate firewalls. Allow remote access, but only by VPN, and always keep the data from being stored on the client. Here are the steps to do just that:
These simple steps are mostly common sense. By using your existing network resources, you can keep your business humming and your telecommuters working while safeguarding your data.
About the author
Joel Dubin, CISSP, is an independent computer security consultant in Chicago. He is a Microsoft MVP in security, specializing in Web and application security, and is the author of The Little Black Book of Computer Security available from Amazon.