Tuesday, April 19, 2011

One More Lost Laptop

Recently an employee of British Petroleum reported "one more lost laptop." In this case the laptop contained records on 13000 victims of BP's oil spill. One does not have to be an application genius to figure out how complete and sensitive those records are or how much work they encapsulated.

Let's consider the possibility that that copy of those records was the only copy. Without even considering any damage that might arise from the disclosure, the loss of those records could be catastrophic to the subjects.

A current search of the web shows that a typical business laptop comes with 250GB of secondary storage (or 128GB of solid state storage for $150- premium). We used to run whole enterprises on that much storage.

Moreover, for $100, one can buy 4 times that much storage to carry in one's shirt pocket; that's right, one terra-byte, $100-. The cost of storage is halving every twelve months. Parkinson's Law of Storage says that data expands to fill the storage available to hold it.

The processor power of these devices is 1000 times what it was a decade ago and increasing exponentially. While "experts" have been predicting the knee in the Moore's law curve for a generation, we continue to push it out.

I now have three old laptops stacked one on top of another that I use for application and storage servers. I have three TBs of storage in my living room network. Daily I operate this network from mobile devices, one, called an iPhone, that I carry in my pocket.

Even in the office there is now a preference for laptops over desktops. Outside there is movement to more, and more mobile, devices, laptops to notebooks to netbooks to tablets to "smart-phones." Note that the only reason we continue to refer to these mobile computers as "smart-phones" is because we buy them from the phone company.

This is only likely to get better or worse, depending on your point of view. The cost per cpu cycle and per bit of storage is likely to fall by a factor of four in 3 to five years. As the price falls the number of devices sold increases and the absolute number of applications grows and the number of applications per device increases. Even the cost of software is falling as the number of copies that can be sold increases.

Five years ago we could not have imagined the applications that we use today. No more so can we anticipate the applications of five years, our planning horizon from now.

Come on guys. The risk is not about laptops. It is about CD Roms. It is about thumb-drives. It is about GBs, and then TBs on one's fingernail. It is about users who have never used a computer they could not carry. It is about powerful computers in one's pocket. It is about what one can buy for a $100-. it is about new use, uses, and users on a barely imaginable scale. All of this involves, not to say invites, risk on an a scarcely imaginable scale.

Consider the bad things that can happen to mobile systems, applications, and data that is less likely to happen to others. First, while robust, these devices can be dropped, broken, or can suffer mechanical or electronic failure. They can be lost or left. They can be stolen, usually for the property value but sometimes for the contents.

Recently we learned that ICE, Immigration and Customs Enforcement, is examining and impounding mobile devices at the borders. Ostensibly this is to look for "contraband" data, specifically child pornography. The courts have consistently held that this kind of search is "reasonable" enforcement of the borders and does not violate the Fourth Amendment prohibition against "unreasonable searches and seizures." In the twenty months of the program, ICE has "examined" more than 6000 systems.

For most of us, and while it is a growing one for frequent business travelers, this risk is dwarfed by the other risks of mobile devices. Like those, it is one to which the same applications and data are not vulnerable when done on stationary systems. It is addressed by some, but not all, of the same security measures.

For example, while loss and leakage are addressed by encryption, ICE will simply demand the key. More over, encryption offers no protection against the far more likely threat of failure or breakage.

On the other hand, not taking data or applications addresses everything except property loss. I now carry a sterile MacBook Air when I travel. No enterprise, client, personally identifiable information, intellectual property, payment system, or other sensitive data.

* Consider the following policies and practices:
* Store sensitive data only on enterprise servers.
* Prefer remote access to enterprise servers to personal, local, or portable copies.
* Save new work on mobile devices to stationary servers
* Permit portable copies only with specific management approval.
* Any portable copies on devices with full-device encryption.
* Any portable copies in encrypted file systems or databases.
* Prefer mobile devices (e.g., Blackberrys, iPads, iPhones) with remote location and remote erasure capabilities.
* Prefer client-server object-oriented databases (e.g., Lotus Notes) with end-to-end encryption by default.

Keep in mind that these are risk mitigation, not risk elimination, policies. Leakage from mobile devices is a fact of life. We cannot solve the general problem but we can address it for ourselves and our enterprises. Note that they do not mitigate the risk of loss or breakage of property.

Of course, even justifying, much less implementing, these policies and practices will not be easy. That is why we are called professionals and are paid the big bucks.

No comments:

Post a Comment