The consequences of a data breach can be far-reaching and complex, but in almost every case the cause is simple. An employee, the ‘average user’, has either taken a shortcut around the security procedures or lost a device with critical data in a public place, or both.
Randy Sutton of Ottawa’s Elytra Enterprises asks, “How many laptops got lost this week? How many have been stolen? We don’t hear a lot about it in Canada, particularly in the government, because nobody wants to report it and there’s no legislation forcing you to report.” Sutton keeps a list he calls ‘theft a day’ and it’s a rare day when he can’t add another breach somewhere in the world that’s made the news.
“People can spend all the money they like on perimeter security and all the big boxes and so forth,” Sutton says. “What’s left over is that somebody wanders off with a laptop or one of those little flash drives and loses it.”
His company is the point of contact for federal government buyers of a ‘made in Canada’ solution called SecureDoc from Mississauga, Ont.’s WinMagic that encrypts data automatically and invisibly, no matter where it is – on desktops, laptops and PDAs, on all the portable media like USB drives and sticks, as well as on DVDs and CDs.
“The basic idea is that if you lose the thing, your data is encrypted and nobody can get at it. It’s that simple.”
Another Canadian IT security company, Ottawa’s CRYPTOCard, focuses on simplicity by replacing fixed passwords with token-generated, one-time-only logins. When a simple user name and password login isn’t good enough, says CRYPTOCard senior vice-president Bill LaHam, outfits want something better.
“If you’re looking at something better, how do you put in something that people can use? That’s the big thing.” Administrators can make the passwords as long or as short as they want, but all the complexity is hidden from the user.
“All it is, you push a button. There you go. There’s your pass code. As a user, I don’t have to remember anything, I’m not going to be debating security policy with an administrator. An administrator is not going to come to me and say ‘every 60 days you have to change your password and by the way, you’re logging into six systems so you have six passwords.’”
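The “push a button, there’s your pass code” flow described above rests on a counter-based one-time password shared between the token and the server. The following is an added example, not CRYPTOCard’s code and not a description of its product: it assumes the HOTP algorithm of RFC 4226 (the article does not say which scheme the vendor’s tokens use), and the `TokenRecord`, `new_token`, `verify` and `demo` names are hypothetical. It shows the three properties the quote relies on: the user remembers nothing, a used code cannot be replayed, and a token whose button was pressed a few times without logging in still resynchronises within a bounded window.

```python
import hashlib
import hmac
import secrets


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """Compute an RFC 4226 HOTP value.

    HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation to a
    31-bit integer, then reduced modulo 10^digits and zero-padded.
    """
    mac = hmac.new(secret, counter.to_bytes(8, "big"), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = (
        (mac[offset] & 0x7F) << 24
        | mac[offset + 1] << 16
        | mac[offset + 2] << 8
        | mac[offset + 3]
    )
    return f"{binary % (10 ** digits):0{digits}d}"


class TokenRecord:
    """Server-side state for one user's token (a constructed stand-in for
    a vendor database entry, not a real product's schema).

    `counter` is the next value the server will accept; `window` is how
    many counters ahead it will look, so a token whose button was pressed
    a few times without a login can still resynchronise."""

    def __init__(self, secret: bytes, counter: int = 0, window: int = 5) -> None:
        self.secret = secret
        self.counter = counter
        self.window = window


def new_token() -> TokenRecord:
    """Provision a token with a fresh 160-bit shared secret (hypothetical helper)."""
    return TokenRecord(secrets.token_bytes(20))


def verify(record: TokenRecord, submitted: str) -> bool:
    """Accept `submitted` if it matches one of the next `window` counters.

    On success the counter moves past the matching value, so the same
    code is rejected if replayed.  The comparison is constant-time.
    """
    for step in range(record.window):
        candidate = record.counter + step
        if hmac.compare_digest(hotp(record.secret, candidate), submitted):
            record.counter = candidate + 1
            return True
    return False


def demo() -> list:
    """Walk one token through a login, a replay attempt and a resync."""
    # RFC 4226 Appendix D test secret (ASCII "12345678901234567890"), so the
    # generated codes can be checked against the published test vectors.
    record = TokenRecord(b"12345678901234567890", counter=0, window=5)
    results = []
    results.append(verify(record, hotp(record.secret, 0)))  # first press: accepted
    results.append(verify(record, hotp(record.secret, 0)))  # same code replayed: rejected
    results.append(verify(record, hotp(record.secret, 3)))  # two presses skipped: resync, accepted
    results.append(verify(record, hotp(record.secret, 9)))  # beyond the window (4..8): rejected
    return results


if __name__ == "__main__":
    for c in range(3):
        print(c, hotp(b"12345678901234567890", c))
    print(demo())
```

The window is the administrator’s knob: a small value limits how far a lost or cloned token could be “guessed ahead”, a larger one reduces help-desk calls from users who pressed the button idly. Either way the per-user record in the central database is the single place that needs updating when someone leaves or changes roles, which is the cost argument LaHam makes later in the article.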
Both WinMagic and CRYPTOCard have seized the idea that usability is critical. As Randy Sutton says, “It has to be simple enough for people to use without thinking, and I mean without thinking. Just the same way you would use your BlackBerry or pick up the phone to make a call. It has to be like that.”
When users are forced to follow a rigid process, particularly one they do not understand, it’s understandable that without constant reinforcement and supervision, they will begin to cut corners.
Faster processors mean that IT security programs no longer impose a noticeable performance overhead, so users no longer complain about slower machines. The main factor now is ease of use, both for users and for administrators. Sutton says the most important factor is centralized management. “You have to use a console and you’ve got to be able to control the users,” he says.
Federal clients like the Department of Justice and Statistics Canada with highly mobile workforces are adopting the solution because they are driven by the need for remote access, LaHam explains. “Because as soon as you’ve put remote access capability up, anybody in the world can bang away at that door.”
LaHam admits that managing physical tokens in large organizations can be demanding. Distribution, training and management of tokens all add cost and complexity to the CRYPTOCard solution, but the solution also simplifies life when people move or change jobs – instead of resetting a multitude of passwords for networks, devices and applications, administrators can make one entry to the database.
Add up the cost of help desk support for other solutions, and LaHam says the one-time cost of token distribution can look much more reasonable.
He thinks one of the key features of CRYPTOCard is the reduced workload for administrators. “That’s the key. You take a look at the workflow side of it and you go ‘Man, if I can reduce that to near nothing, that’s a good thing.’” Is the potential for reduced cost of ownership reflected in RFPs?
“It should be. They should be looking at mechanisms that offload the work, distribute the work or minimize the work,” he says. “In a lot of cases, the cost of putting something like this in will be offset in the first year just if you added up the cost of your help desk.”
“It always comes down to what’s good from a security standpoint – what can you assimilate and what will your users tolerate, and how much are you willing to pay? It’s finding the right balance between the three,” he says.
Richard Bray is an Ottawa-based freelance writer specializing in IT security. Contact him at firstname.lastname@example.org.