I know that most CSO readers live in a world where Microsoft Windows runs on laptops, desktops and most of the servers. I live in a different world. On my desktop I run Windows because it has the best support for scanners, OCR and Quicken. But my servers run FreeBSD and Linux. My phone runs PalmOS. And my laptop runs Apple's MacOS - with Microsoft Windows occasionally running as a guest operating system inside in a virtual machine.
I am by no means a Macintosh bigot: I bought my first Mac in 1984 but sold it in 1985, regarding the machine as little more than a toy. I tried the Mac again for a few years in the 1990s but gave up because it crashed too much. I returned to Apple when Apple bought NeXT Computer and migrated to Unix - but only because I had written a book about NeXT and wanted to "port" it to MacOS.
In recent years, however, I've had a compelling reason to avoid Windows and use the Mac: security. Apple has taken its legendary attention to detail and usability and applied it to eliminating some of the most important security threats facing computer users today. The reason that I use an Apple laptop even though there are other models that are lighter and faster is because of the added security that MacOS offers to mobile users. It's easier to use and more secure than any solution I could buy or build using Windows or Unix without purchasing extra software and doing a lot of customization.
This column won't convince any CSO to throw away her organization's Windows-based computers and move to the Mac. But by analyzing some of the significant security features that Apple has added to its operating system in recent years, I'll aim to show you why I've decided to use MacOS on my laptop and give you a list of features that you should be demanding from your vendor, whoever that may be.
Passwords Versus Encryption
Laptops, USB memory sticks and external hard drives have become a security headache for many organizations. As a result of mandatory notification laws, a single stolen device can force your organization to send embarrassing and potentially costly disclosure letters to thousands or even millions of people. You may not even be aware that you're at risk: Employees or consultants may be taking large quantities of personal data out of your company on laptops without even telling you.
There are two fundamental ways of protecting information on a mobile device. The most common is to protect with a password or pass phrase. The computer stores this word or phrase along with your data. When a user wants to access the computer, the system prompts the user to type in another copy of the word or phrase. The computer then compares what was typed to what is stored. Access is granted if the two words or phrases match.
The second approach for protecting information also uses a password or phrase, but instead of simply comparing what's typed with what's stored, the computer uses what's typed as an encryption key. The data is encrypted when it is written to the computer's hard drive, and it's decrypted when it is read back. The advantage of this approach is that the protection still holds even if the computer's hard drive is removed and attached to another system. That's because the stored data must be mathematically decrypted before it can be used. The computer's operating system isn't simply making a go/no-go decision.
Practically every computer, PDA and cell phone that's sold these days uses the first approach - passwords without encryption - to protect the information it contains. Some specialty systems use fingerprints instead of passwords. But even with biometrics, the computer's operating system is still making that go/no-go decision, which means it can be overruled by booting from a CD-ROM or removing the storage from one computer and reading it with another.
MacOS is an exception to this rule. Apple's operating system uses encryption throughout to protect user data. What's more, the encryption is transparent: Once you turn it on, you hardly know it's there.
The first and most powerful protection system built into MacOS is Apple's FileVault encrypted file system. You can enable FileVault by clicking a button labelled "turn on FileVault" that is in the "security" section of the MacOS control panel. This causes MacOS to create a virtual disk using a random 128-bit AES encryption key; your files are then copied into the virtual disk and the plaintext versions are securely deleted (so they can't be recovered with forensic software). Finally, the 128-bit key is encrypted with the user's log-in password and stored in a special file.