Unlike a lot of technologists, I don’t have a bevy of personal computers I use. I only have one primary computing device, one phone, and that’s it. Yes, I have a couple of computers for work that are used at work and remain there. One sits in my desk drawer and hasn’t been turned on in a couple of months. The other is used to access my email when I’m at work, and often isn’t turned on. I also have a BlackBerry device that is my away-from-work email device (it doesn’t even have voice services). The BlackBerry remains in my computer bag, usually turned off except for when I’m traveling.
My work computers are what some in the information technology world call orphan devices. Since the restrictions on information technology are so egregious, I only use them for very specific and very few tasks. As orphans they are very secure: locked in a desk drawer with dead batteries.
If my work had OWA (Outlook Web Access) enabled, I’d not even need the BlackBerry or the computers at all.
My personal computer has been secured using the security guides from NIST and the operating system manufacturer. I also run a variety of little tools to find known bad things on the computer should I get shwacked, which, since I use my personal computer on public wireless networks and in other places of ill repute, is basically a given at some point. Note that if I were using my work computers the risk would actually be higher, because they manage the patch roll-outs and are always going to be behind the zero-day threat envelope. So, from the perspective of risk management, I see myself actually protecting the “company’s” network from being exploited.
What about all that secret data from my employer? Well, actually, with the exception of shared disk storage, all of my work is done through web applications. There is nearly zero reason other than email for me to utilize the company information assets. As such I can use my personal computer with applications that I have either bought or obtained from open source. Since telecommuting allows access to the web apps from personally owned devices, and in fact many of the human resource applications require a non-company identification, I’m even within policy.
There are a few applications that require significantly higher security and are still accessed from my primary work computer, but they are the few personal identity verification systems requiring very specific credentials. So, when you think about accessing information systems and you look at your enterprise environment, how are you balancing access? How are you ensuring you aren’t acquiring and providing significant funding for orphan computers? We’re not talking about going around or violating information security policies; we’re talking about an absence of need. When you look at the orphan computer syndrome you’ll find some of your security leaks, and you’ll find the actual cost of restrictive or mission-impacting security. You might find that your mitigation costs are much higher than you’ve been counting, as the policy mechanisms instantiated are not reflected in the reality of the enterprise. In fact, your costs for providing orphan devices may make your security costs substantially higher.
We’re talking about the mission assurance aspect of information security.
The error in enterprise risk management of information assets we’re talking about is not understanding the usability quotient and its cost. We try to create behavioral change in the information security posture of users, but at great personal cost and often with a steep learning curve, so we’re actually driving users out of the enterprise into shadow information technology. We can get behavioral change, but it is likely not in the way you are expecting. You know this problem exists even if you don’t have an open model. Your C-suite has been purchasing iPads and other consumer-grade devices forever, and you one-off them into the enterprise because they are the validators of risk. Complain if you want, but it is their choice. It is also happening below you.
If you are an information assurance and security professional looking at risk to the enterprise, you should be thinking about the orphan laptop problem. It is much more important than the shadow information technology problem. The orphan laptop problem means your security management techniques have impacted mission-essential aspects and people have sourced replacements to go around you. If you catch them, they will likely get in trouble; but if their managers or the C-suite find them first, you will get in trouble. What the security professional is doing is contrary to mission effectiveness, and what the employee is doing is innovative cost containment and use of initiative for the corporation.
It is hard news, and information security professionals do not like this answer. The problem is that when you look at information security as risk management and as a holistic process inclusive of the business mission, the answer isn’t binary.
Orphan laptops are proof you’re not doing good mission assurance along with your information assurance.