Modernizing Authentication — What It Takes to Transform Secure Access
During the past few months, I've reverted back to being a "road warrior" of sorts. Apart from spending far too much time with my 1K buddies over at United, all the travel has made me think about the security of the data on my laptop, PDA, and (Linux-based) phone.
Think about it a bit... How do you protect your data on your traveling laptop? Chances are that your company supplied you with a laptop along with the usual suspects of security software: anti-virus, personal firewall, and maybe even some anti-spyware software. If you're really lucky, you also got some encryption software and such with that laptop -- even if you had to buy it and install it yourself.
But what about your data? Allow me to explain.
While traveling, I've been watching what other travelers do, in addition to being perhaps a bit overly paranoid about my own data. Here are a few things I've noticed:
We all have some of our own stuff on our laptops, personal electronic gizmos, and such. It probably covers a spectrum from 'so what if I lose it' (e.g., copies of our favorite music files) to 'I don't want anyone else to get this' (e.g., local copies of personal finance management software). You've probably got some personal email, as well.
Consider, too, the shared security attributes of the sites that we connect to. Ever use that public access 'business PC' at the hotel to print out your boarding pass for tomorrow's flight home? How did you log into the airline's Website? Do you use that username/password anywhere else? Not a problem, you say, since the Website is SSL encrypted? Don't take that confidence to the bank!
When we travel, we're not always as careful as we ought to be about our data. When you put your laptop through the airport security magnetometer (sometimes erroneously called a metal detector), do you make sure your laptop went in before you walk through yourself? When you're at a business meeting, do you leave your laptop in the meeting room while you and your buddies go out to lunch? When you leave your hotel room at night, do you leave your laptop in the room?
Are you thinking I'm being too paranoid? I've heard that many times. However, consider this: I've had two laptops stolen out of the trunk of my car in broad daylight while attending a conference, and I've had my hotel room broken into and personal items stolen twice while on vacation with my wife (in the paradise of Hawaii, no less!).
I'm not making up bad things that might happen. I'm responding to bad things that have happened to me. If that doesn't make a (security) guy paranoid, I don't know what will.
So, here are a few suggestions on how you might want to protect your data. Well, you also can protect your company's data this way, but let's not kid ourselves as to why we really want to protect what's on our laptops.
Be paranoid and vigilant. Keep your valuables with you at all times. Sure, it's a pain to carry that bulky laptop bag to lunch, but it's worth it.
Never, never, never enter re-usable username/password credentials on a public access computer. The chances of that computer not being a veritable digital petri dish of malware are very low. The chances of someone else snarfing your username/password or other sensitive data -- you didn't use a credit card there, did you? -- are significant.
When I use a hotel's printer, I put the file I want to print onto a USB stick and take the USB stick to the public access PC to print the file. If I'm feeling really dirty after that, I re-format the USB stick on my Linux machine at home. (Even printing directly from a Web application (e.g., airline boarding pass) is easy this way if you use a virtual printer like eFax (www.efax.com) to capture the printer output and save it into a .TIF file.)
If you travel with a PDA, smart phone, or other personal electronic devices, make use of all of the security features that they have to offer. For example, my phone is GSM-based, and I use the PIN lock feature to lock the small SIM smartcard inside the phone. That way, if someone gets my phone, they'll have to enter the PIN to use it, and after three failed entries, the SIM locks itself and all the data on it. That won't stop everyone, but it'll sure slow down a lot of people.
If you use wireless networks when you travel (and who doesn't these days), be certain to use good personal firewall software on your PC, as well as an IPSec-based VPN to connect to your office network, if at all possible. That'll keep the miscreants at public hotspots at bay. At least, they'll be more likely to go after someone else...
Encrypt the stuff you don't want anyone else to see. Oh, and store that stuff on small, removable media that you keep with you at all times. I grabbed a 1 gigabyte USB2 stick about a year ago from one of the megastores when it went on sale for about $40. In fact, I keep a few USB sticks with me. They're perfect for protecting my most important stuff (like draft copies of these columns, of course).
The stuff that's too important to keep even on a USB stick that stays with you at all times should not be traveling. I have a couple of PGP secret keys that don't leave home, for example. I also don't travel with the RSA one-time password that I use to access my investment funds. That stuff can wait until I'm home. The ox is slow, but the earth is patient.
Oh, and you do have backups at home, right?
If you're thinking all of this advice is fine and well, but it would take far too much time to actually implement, consider the amount of time and effort it'll take you when someone steals your identity and riddles your personal credit history with all sorts of nasties that you could have prevented.