Data Protection: Need, Right, And Time Should Be Extended To Mobile Devices Such As Laptops For Better Security.
In a Government Technology article, an argument is made that access to data should be granted on a need, right, and time basis. Now, this is not a new argument, and it was directed at securing databases and their contents.
The argument is that not everyone needs to have access to information on a database or databases. Obviously, depending on one’s seniority and ranking within an organization as well as type of job one holds, the type of information that one should have access to will differ; the higher in the hierarchy, the more information one needs to access. Along with the need, the right to access information is to be considered as well. In fact, some would argue that the need and the right to access information are intertwined, and are not to be considered on a separate basis.
The third criterion, time, is meant to curtail access to the data as necessary. If an employee always works from nine to five, there is no reason why he should be able to access the data outside of these hours. One added benefit of curtailing access based on hours is that, if an employee’s username and password are compromised by an outsider, the potential perpetrator won’t be able to access the data outside of business hours. This is, apparently, an important point because most hackers will work outside of regular work hours.
As stated before, the article was about securing databases. Most probably, such databases are physically secure as well, behind locked doors or in cages with card keys or biometric identifiers. You can’t be too careful in this day and age. So how does this relate to laptops? While it makes no sense to keep a laptop locked in a cage, need, right, and time can be used to better secure your mobile devices’ data.
It’s no secret that laptops today contain a lot more data than they should; some type of encryption technology should be used, just in case. It’s also a fact of life that laptops need maintenance just like any other type of electronics and machinery. If there are upgrades to be made to software or hardware, chances are that the end user will not be in charge of installing these upgrades, especially in a corporate setting. Or maybe the device won’t boot up, so troubleshooting will be involved. Generally, the IT department is in charge of performing such routine maintenance and troubleshooting (and salvaging) work. Depending on who’s doing what, their needs and rights to the same computer might be different.
The IT staff will need access to most ports, for example, as well as the ability to install updates and patches on computers, meaning that they will need to be able to download and install software. On the other hand, this is not a right you want to give to your end users. After all, many security breaches occur due to unauthorized software being installed on computers. Pfizer and Citigroup, among a dozen other companies, had data breaches directly related to the installation of peer-to-peer file sharing software, probably a violation of each company’s software policies. So, laptops also require that access be determined based on the needs and rights of each user.
How would the time aspect come into play? Well, many companies are supplanting regular desktop machines with laptops. Regardless of company policy, workers who’ve spent too much time at the office might be tempted to take these mobile devices home, to work in the comfort and relatively stress-free environment that is their domicile. Hopefully, the company’s IT department instituted a policy and encrypted laptops issued to workers in the workplace. This way, the contents are protected if the laptop is stolen on the way home (the assumption must be made that people will bend or break the rules if they think they won’t be caught). However, a better way to approach this, for certain employees, is to ensure that the employee does not take the device home. What could be a more effective way of dissuading them from doing so than locking them out of the machine? If they can’t access the computer outside of work hours, what’s the point? It just becomes a really expensive doorstop that has to be babied. Better to leave it at the office.
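The need, right, and time checks described above, combined into one access decision, as an added example that is not from the article or from any product it mentions. Group names, actions and hours are hypothetical, and the device clock is assumed to be trustworthy.

```python
from dataclasses import dataclass
from datetime import datetime, time

@dataclass(frozen=True)
class GroupPolicy:
    rights: frozenset    # actions the group needs and is entitled to
    start: time          # window opens (inclusive)
    end: time            # window closes (exclusive)
    weekdays: frozenset  # days a window may open on, 0 = Monday

# Constructed sample policy; group and action names are hypothetical.
POLICIES = {
    "end_user": GroupPolicy(frozenset({"login", "read_data"}),
                            time(9), time(17), frozenset(range(5))),
    "it_staff": GroupPolicy(frozenset({"login", "read_data", "install_software"}),
                            time(7), time(20), frozenset(range(7))),
    "night_ops": GroupPolicy(frozenset({"login", "read_data"}),
                             time(22), time(6), frozenset(range(5))),
}

def in_window(policy, when):
    """True if `when` (local device time) falls inside the group's window."""
    now, day = when.time(), when.weekday()
    if policy.start <= policy.end:
        return day in policy.weekdays and policy.start <= now < policy.end
    # Window wraps midnight: the early-morning part belongs to the previous day.
    if now >= policy.start:
        return day in policy.weekdays
    return now < policy.end and (day - 1) % 7 in policy.weekdays

def decide(group, action, when):
    """Return (allowed, reason). Unknown groups and actions are denied."""
    policy = POLICIES.get(group)
    if policy is None:
        return False, "unknown group"
    if action not in policy.rights:
        return False, "no need/right"
    if not in_window(policy, when):
        return False, "outside permitted hours"
    return True, "ok"
```

A stolen end-user credential replayed at 23:30 fails the time check even though the right itself is valid, and promoting or demoting someone is a change of group rather than a per-user edit.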
At this point, many working in a corporate IT environment would probably shake their heads and say to themselves, “too complicated. A nightmare to support.” Well, it needn’t be. AlertBoot allows you to easily manage group profiles in terms of what they have access to, and allows one to easily specify who belongs to which group. This way, if somebody gets promoted (or demoted), the administrator can easily change his rights to access a device. This ease of management is on top of a very streamlined procedure for encrypting multiple computers, as well as an easy way of controlling which applications and devices employees have access to (via whitelists or blacklists).