23 September, 2011

Using Personal Devices to Access Work Resources - Virtual Desktops Are a Great Answer

For the almost OCD security-conscious tech-savvy (a.k.a. yours truly), using one's own devices makes sense, from a personal perspective. They incur no support onus, by the organization, if the individual agrees they are on their own with respect to such matters.

The downside, for the organizations, is their data is no longer within the domain of their control. This implies a level of trust, between the organization and the user. I've always felt that the users need to prove that trust, demonstrating their capabilities of securing and/or preserving their data, prior to being released into the wild. Unfortunately, such an establishment of trust requires resources, from the organization, related to training and perhaps occasional auditing. Many organizations simply choose to look the other way, and then disavow responsibility in the event of a breach.

The iPad is a prime example of a consumer device that fits poorly into the workplace security. If one configures their work email, the only security is the front-end slider lock, on the device itself. Few use that, and if used, it is easily beaten. Many users also use cute little notepad apps, storing their passwords, ripe for the picking if they run to the restroom, at Starbucks, and return to find their iPad gone.

While the consumerization of IT has a lot of great benefits, to both employee and organization, the security concerns cannot be understated. I am a proponent of virtual desktops, where one can login to a work desktop, where the the resources themselves -- files, secure sites, etc. -- exist only on the virtual dt, and the user simply has to securely log in to a window to access them. Those of us who have been around, for decades, have been using this philosophy since pcANYWHERE made this popular back in the early 1990's. It's nothing new...it's just a whole lot better now, with hosted Citrix servers and other various virtual machines.

It's been fun to watch the swing from old Burroughs terminals, to totally stand-alone PC's, to p-to-p networks, to Novell and Microsoft servers, to cloud storage...and back to the "slightly-more-than-dumb" terminal approach.

Control the data centrally. Allow access from everywhere.

And by trust, I am not talking about trust from a personal integrity perspective, but rather, from a competency perspective. Very few data breaches are due to intentional employee malice. Most are due to incompetence, of which inattention is a member of the subset. Brilliance and conscious awareness, in one arena, can often be "deer in the headlights" in other disciplines, and I was speaking solely of data security awareness. But, I acknowledge a colleague's point about hiring practices. Either it is time to introduce a filtering process, related to data security and archive management, at that point, or send them off to something like Records Management training., immediately after they are hired, and prior to them having any real access.

As for email, it is one thing to intercept email, in flight, an exercise that requires specific timing and know-how. It is another to simply walk off with essentially a pile of open documents, which someone's non-secure mailbox is.

As an Enigmail (GnuPG/PGP) user, I am aware of the non-secure nature of email. I do know that, no matter how conscientious one is at not SENDING sensitive information, those same people might not be so good at deleting INBOUND sensitive messages, thinking that perhaps they are not responsible if someone else gets access. They may be right, from a legal perspective, but from an ethical one {eek! He mentioned "ethics" in an IT conversation!}, we all take care, in our personal conversations, not to repeat personal items that friends tell us, at Starbucks, even though we know someone might have overheard said conversation. We usually do not cite that at "was spoken in the public domain, and thus I can tell whomever I like" as an excuse to gossip. I see no reason why this should be different in the text world.

No comments: