I just read the following article about a British laptop stolen containing sensitive data of military recruits. Notice that the article does not seem to mention whether the data was encrypted while at rest (stored on the laptop). An effective information security policy, when carried out, would insist that such a laptop have at the very least an encrypted file system and difficult passwords which expire in a timely manner. This would ensure that the thieves would have only a small window in which to try and break the password before it expired.
Mobile data seems to be a fertile area for compromises. Even the best information security policies can be violated with virtually zero awareness on the part of the information security staff. Risk can be mitigated by using encryption wherever possible and, as brought out previously in my blog, by using an EFS. Even if your database uses column-level encryption, I would still recommend using the EFS on mobile devices if performance permits. In this case the performance penalty would probably be paid by only one person (the user of the laptop). By using column-level encryption, EFS, and strong passwords which expire in a timely manner together, you would achieve defense in depth, that is, protection in layers.
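The two controls called for above (an encrypted file system and passwords that actually expire) are both things an administrator can verify rather than take on trust. The following PowerShell script is an added example written for this post, not code from the article or from any product it mentions; it audits a folder of sensitive files for the Windows EFS "Encrypted" attribute and reads the local maximum password age from `net accounts`. The folder path `Recruits` under the user's Documents is an assumed location, and the 90-day threshold is an assumed policy value; adjust both to your own environment.

```powershell
# Added example (not from the original post): audit a laptop for the two
# controls discussed above: EFS encryption of a sensitive folder, and a
# finite maximum password age. Paths and thresholds are assumptions.
param(
    # Assumed location of the sensitive data; change to the real folder.
    [string]$SensitivePath = "$env:USERPROFILE\Documents\Recruits",
    # Assumed policy: passwords must expire within this many days.
    [int]$MaxPasswordAgeDays = 90
)

# --- 1. EFS check -----------------------------------------------------------
# Every file under the folder should carry the Encrypted file attribute.
# A file without it is stored in clear text and readable from a stolen disk.
$files = Get-ChildItem -Path $SensitivePath -File -Recurse -ErrorAction Stop
$unencrypted = $files | Where-Object {
    -not ($_.Attributes -band [System.IO.FileAttributes]::Encrypted)
}

if ($unencrypted) {
    Write-Warning ("{0} of {1} file(s) under {2} are NOT EFS-encrypted:" -f `
        @($unencrypted).Count, @($files).Count, $SensitivePath)
    $unencrypted | ForEach-Object { Write-Output ("  " + $_.FullName) }
    # Remediation for the whole folder (run as the data owner):
    #   cipher /e /s:"$SensitivePath"
} else {
    Write-Output "All $(@($files).Count) file(s) under $SensitivePath are EFS-encrypted."
}

# --- 2. Password expiry check ----------------------------------------------
# 'net accounts' prints the local policy; the line of interest looks like
#   Maximum password age (days):                          42
# or ends in 'Unlimited' when passwords never expire.
$ageLine = (net accounts) | Where-Object { $_ -match 'Maximum password age' }
if (-not $ageLine) {
    Write-Warning "Could not read the maximum password age from 'net accounts'."
} elseif ($ageLine -match 'Unlimited') {
    Write-Warning "Passwords never expire (maximum password age is Unlimited)."
} elseif ($ageLine -match '(\d+)\s*$') {
    $days = [int]$Matches[1]
    if ($days -gt $MaxPasswordAgeDays) {
        Write-Warning "Maximum password age is $days days; policy requires <= $MaxPasswordAgeDays."
    } else {
        Write-Output "Maximum password age is $days days (within policy)."
    }
}
```

One caveat worth keeping in mind when reading the results: EFS keys are protected under the user's Windows logon credentials, so the encryption is only as strong as that password. That is why the post pairs the encrypted file system with strong, expiring passwords rather than relying on either control alone.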