Don't blame the laptop for data theft

Headlines across several business news services this week read something like "Laptops prove weak point in computer security" that's not an actual headline, because I don't like getting flame e-mail from attorneys, but it's similar to several.

The articles were prompted by Fidelity's announcement that it suffered a single laptop theft, and in that misfortune exposed 200,000 customer records to the prying eyes of identity thieves, or whomever. But laptops are only a security threat if you allow them to be. There are a number of ways to mitigate laptop security problems, and most are dependent on what kind of business you're handling. When you've identified who should access sensitive information, where, and when, you can start putting policies in place to enforce that.

The limits are bound only by your workaround imagination. How about grabbing every MAC address associated with every laptop your company owns? These could then be barred from storing certain kinds of data -- such as, say, any records from the database handling credit card numbers. In fact, maybe only those MACs associated with desktops are even allowed to see that store.

Is all this part of Windows 2003? Not quite. The policy-based stuff you can manage; but drilling down to MAC-level access may require a workaround using a higher-level desktop management tool such as the ones from Altiris. Keeping data secure to desktops might require shutting down certain hardware functions, such as USB ports, so data can't get transferred via thumb drives -- and that might require third-party solutions such as FullArmor IntelliPolicy.

This is quite a bit of work, and if security really is this much of a concern to you, then a full-scale desktop redesign might be another way to go. There are turnkey desktop systems available with this kind of management built in. My favorite has always been ClearCube's blade workstation system.

These are blade-based PCs that use existing Cat5 cabling to channel KVM traffic and basically move the rest of the network into the data centre. Users get KVM equipment plugged in to a small desktop box, called a C-Port, that also has a couple of built-in USB ports. You can disable these or simply configure them to recognize only certain peripherals such as printers but not storage volumes.

Sure it's a bit more work and the folks upstairs may not like it; the day that laptop gets left in a taxi, they'll undoubtedly be in a much better mood.

Join the newsletter!


Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.
Follow our new CSO Australia LinkedIn
Follow our new social and we'll keep you in the loop for exclusive events and all things security!
Have an opinion on security? Want to have your articles published on CSO? Please contact CSO Content Manager for our guidelines.

More about Altiris AustraliaC-PortKVMMacsVIA

Show Comments

Featured Whitepapers

Editor's Recommendations

Brand Page

Stories by Oliver Rist

Latest Videos

More videos

Blog Posts