Personal details of 50,000 current and ex-RAF personnel were lost on September 17, from a high-security area. The sensitive information was stored on three external hard drives that were not protected with hard drive encryption software like AlertBoot. This case is something of a calamity, since it’s more than a lost or stolen disk. Unlike the incidents over the past year, this isn’t a case where an officer used poor judgment and took sensitive information to McDonald’s, to a pub, or to a club. Someone managed to steal it from what I’m led to believe is a secure space.
Food for thought, no? While blogging about security breaches over the past year, I’ve come across way too many instances where web surfers would decry the fact that stolen data was placed in laptops, USB memory sticks, external hard drives, etc. – anything that seemed portable. They claimed that sensitive data should (and if it were up to them, would only) be stored in data centers, where the appropriate physical security would be in place: cages, automatic and electric locks, armed guards, walls with no windows, steel doors, the works. I never could wrap my head around that. Not because I don’t think that securing data is important, but because people assume that stuff in data centers is not portable.
Technically, anything that was not present in the construction of a data center is portable. I mean, those blade servers didn’t come pre-installed with the data center; they can be taken out the way they came in. I know this because I’ve done that.
And, sure, they’re bigger than a USB drive. So what? If someone took the time and spent the energy to break successfully into a secure location, they’ll find a way to get at what they’re looking for. A data center is more secure than the locked trunk of a car; however, “more secure” doesn’t mean “better security” any more than “more chefs working on your broth” means “better soup.”
Use encryption to protect your data. It’s about the only thing out there that was invented to protect information. Let me repeat that. It was invented to protect information. And it does its intended job very well. Just ask the NSA. Or the CIA. Or their equivalent in other countries.
If you use disk encryption, for example, as the RAF should have done with the three missing disks, it doesn’t matter whether the disks were left in a locked cupboard (as they actually were) in an Air Force base; an unlocked cupboard in your granny’s pantry; a locked glove compartment in a car; or in a data center. Why? Because the information is protected regardless.
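Here is an added example, not from the original post or from AlertBoot, of the check the RAF could have run before those drives went into the cupboard: it lists every mounted fixed and removable volume on a Windows machine and flags the ones with no disk encryption protection turned on. It assumes Windows with the BitLocker PowerShell module available and an elevated session; drive letters are whatever the machine has mounted.

```powershell
# Added example: audit mounted volumes for BitLocker protection so that an
# unencrypted external hard drive stands out before it leaves the building.
# Assumes the BitLocker module (Get-BitLockerVolume) and an elevated session.
$volumes = Get-Volume |
    Where-Object { $_.DriveLetter -and $_.DriveType -in @('Fixed', 'Removable') }

$report = foreach ($v in $volumes) {
    $mount = "$($v.DriveLetter):"
    # Get-BitLockerVolume fails on volumes BitLocker cannot manage (e.g. some removable
    # media formats); treat those as unknown rather than silently skipping them.
    $bl = Get-BitLockerVolume -MountPoint $mount -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Volume     = $mount
        DriveType  = $v.DriveType
        Encrypted  = if ($bl) { $bl.VolumeStatus }     else { 'Unknown' }
        Protection = if ($bl) { $bl.ProtectionStatus } else { 'Unknown' }
    }
}

$report | Format-Table -AutoSize

# Anything whose protection is not 'On' is the RAF scenario waiting to happen:
# a removable volume here should get BitLocker To Go (with the recovery key
# escrowed) before it is allowed to hold personnel records.
$unprotected = $report | Where-Object { $_.Protection -ne 'On' }
if ($unprotected) {
    Write-Warning ("Volumes without active encryption protection: " +
        ($unprotected.Volume -join ', '))
}
```

A volume that reports `FullyEncrypted` but `Protection = Off` is still readable to whoever has the disk, which is why the script keys on ProtectionStatus rather than VolumeStatus.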
And isn’t that the point of protecting information? As opposed to making a show of protecting information?