Wednesday, 2 September 2009

More data loss, again, another time, etc.

http://www.theregister.co.uk/2009/09/02/uk_eu_data_menace/
Nice, a story about another loss of important computer data. In this instance, the supplier of a government gateway data system had a load of access codes on a USB stick and dropped it in a car park. Of course, the person will probably be sacked but, again, I protest that so-called system experts are missing the basics of data security. I have gone through them before but:

People make mistakes, so design the system so they can't

Rather than the old excuse, "well, never mind, mistakes happen", which gets touted a lot by the government (because they make lots of mistakes), we should build things in a way that prevents those mistakes or at least makes them unfeasibly hard. You wouldn't take all the windows out of a school building and then, when a child falls out and dies, say, "well, never mind, mistakes happen". You put railings in because you know that mistakes happen; you might even put the windows back in!

Software and computer systems are no different. If you do not want people to take copies of personal data (and you generally don't), you only physically allow authorised machines to connect in, and they have their USB ports and disk drives locked out. You run in a terminal window so you cannot copy things to your local hard drive, or you simply do not allow things like copy and paste. Not rocket science, honestly. What happens then is that someone has to take a photo of the screen (unless you set the contrast low!), at which point you know they have done something totally unacceptable. That is not the case with a USB drive ("I just needed to take this home to work on the login screen").

The principle of least privilege should be at work, but I am still convinced that most IT companies don't have a clue about it.
