16 September 2008

Why PCs are not secure

By Andrew Clifford

Here in the UK there is a constant stream of scandal as sensitive data is lost by banks, the police, the government, and pretty much everyone else. Rather than being a failure of "procedures", I see this as inevitable because of fundamental problems with the security of PCs and portable media.

I want to cover four problem areas: boundaries; the personal nature of PCs; developing with live data; and system management.

Boundaries are perhaps the best understood. The more places that hold sensitive data, the bigger the boundary that must be secured. Holding copies of data on PCs gives more places from which the data can be compromised.

The personal nature of PCs is a threat. PCs are productive because they bring together multiple features (internet access, email, office applications, portable media) in a way that lets the user decide how the work is carried out. PCs are effective precisely because they are not fully controlled. In this environment, it takes constant vigilance to ensure that sensitive data is not compromised. Locking down PCs, such as disabling USB ports, might help, but ultimately holding sensitive data on a PC is like keeping banknotes in a briefcase - it is just too hard to keep secure.

People want data on their PCs so that they can query it as the need arises. They typically use live data to help them understand it and to develop queries. But developing queries this way needs unfettered access to play with the data, and data that is open to unfettered exploration cannot be fully secured.

To overcome this, we need to design queries without accessing live data: for example, against a synthetic or masked copy that has the same structure but none of the sensitive values. This requires more advanced data analysis and data manipulation skills, but it is an absolute must if we want to query sensitive data without compromising security.

The most fundamental security flaw with PCs is that they take sensitive data outside a managed system. Sensitive data needs to be held in systems with certain characteristics, such as access controls, secure physical locations, logs, and so on. The only way that these characteristics can be enforced is to build them in to the system that provides access to the data, and never take the data outside that environment.

I think that holding sensitive information on a PC can never be fully secure however much we surround it with technology and procedures.

Sensitive data must be held in a properly controlled environment, which in today's technology means server-based systems outside of the control of the user. All access to the data must be through pre-defined and controlled routines. All interfaces to other systems must be similarly defined and controlled.

Where query access is required, the system must enforce rules to prevent leakage. For example, the system should enforce a maximum size of the result set from every query, to prevent the user simply copying all the data into Excel. The cap is only worth having if it applies to every route to the data and the user cannot get around it, for instance by paging through the table a few rows at a time; that means it belongs in the controlled query routine itself, alongside a log of who ran what, not in a client-side setting the user can change.
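As an added illustration of such a controlled query routine (example code written for this page, not the author's own), here is a small Python gateway over an in-memory SQLite table of constructed sample customers. The query names, the cap of five rows and the table schema are assumptions for the example. Users pick a pre-defined, parameterised query by name rather than writing SQL, the gateway fetches one row more than the cap so that it can refuse an oversized result without loading all of it, and every call, allowed or refused, is written to an audit log.

```python
import datetime
import sqlite3

# Hypothetical cap on rows returned by any one query. A real system would
# tune this per query; the point is that it is enforced server-side.
MAX_ROWS = 5

# Pre-defined, parameterised queries (assumed for the example). The user
# picks a name and supplies parameter values, never SQL text, and no query
# accepts a user-controlled OFFSET, so the cap cannot be defeated by paging.
QUERIES = {
    "customers_in_town": "SELECT id, name, town FROM customers WHERE town = ?",
    "customer_by_id": "SELECT id, name, town, account_no FROM customers WHERE id = ?",
}


class ResultSetTooLarge(Exception):
    """Raised when a query would return more rows than the cap allows."""


class ControlledQueryService:
    """Server-side gateway: the only route from a user to the data."""

    def __init__(self, conn, max_rows=MAX_ROWS):
        self.conn = conn
        self.max_rows = max_rows
        self.audit_log = []  # (timestamp, user, query_name, params, outcome)

    def _log(self, user, query_name, params, outcome):
        stamp = datetime.datetime.now(datetime.timezone.utc).isoformat()
        self.audit_log.append((stamp, user, query_name, tuple(params), outcome))

    def run(self, user, query_name, params):
        """Run a named query; refuse it if the result exceeds the cap."""
        sql = QUERIES.get(query_name)
        if sql is None:
            self._log(user, query_name, params, "rejected: unknown query")
            raise KeyError(f"no such query: {query_name}")
        cur = self.conn.execute(sql, params)
        # Fetch one row more than the cap so we can tell "exactly at the cap"
        # from "over the cap" without pulling the whole result into memory.
        rows = cur.fetchmany(self.max_rows + 1)
        if len(rows) > self.max_rows:
            self._log(user, query_name, params, f"rejected: over {self.max_rows} rows")
            raise ResultSetTooLarge(
                f"{query_name} would return more than {self.max_rows} rows"
            )
        self._log(user, query_name, params, f"ok: {len(rows)} rows")
        return rows


def build_sample_db():
    """Constructed sample data, in memory; not real customer records."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT, town TEXT, account_no TEXT)"
    )
    rows = [(i, f"Customer {i}", "Leeds", f"ACC{i:04d}") for i in range(1, 9)]
    rows += [(9, "Customer 9", "York", "ACC0009"), (10, "Customer 10", "York", "ACC0010")]
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?, ?)", rows)
    conn.commit()
    return conn


if __name__ == "__main__":
    svc = ControlledQueryService(build_sample_db())
    print(svc.run("analyst", "customers_in_town", ("York",)))  # two rows, allowed
    try:
        svc.run("analyst", "customers_in_town", ("Leeds",))  # eight rows, refused
    except ResultSetTooLarge as exc:
        print("refused:", exc)
    for entry in svc.audit_log:
        print(entry)
```

The cap on its own does not stop a patient user from walking the data with many narrow queries; that is what the audit log is for, and why the set of permitted queries and their parameters should be kept as narrow as the job allows.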

I know this is hard. But the alternative is a never-ending battle to reconcile the irreconcilable - a productive PC under the user's control, and sensitive data that must have additional controls. You might be able to keep PCs sufficiently secure for most confidential information, but for really sensitive data, PC security is just too hard.