ranting about data-centric security and the media

Random link from Full-Disclosure: mlabs.secniche.org

I hate to post more rants than useful content on here, but this week has been too busy for much more than ranting. I saw an article about the dangers of unauthorized teleworkers, that is, those workers who bring work home with them and possibly work on their home computers.

The report found that 63 percent of respondents who worked from home unauthorized — more than half of the non-teleworkers surveyed — used their home computers in doing that work. “People were saving documents on their home computers that were unprotected,” said Josh Wolfe of Utimaco, a data security company that underwrote the study.

“We’re not sure if these people are dealing with spreadsheets with Social Security numbers on them or something more mundane than that,” Wolfe said.

I like security, and I like to think I have a (healthy) paranoid/security-conscious mind, but I really believe we can go too far very easily. While government employees maybe shouldn’t take work home with them (and yes, I pointed out that second blurb to show that maybe all those workers had non-sensitive materials and were working on presentations or some junk), I hate it when articles like this make their way to other circles and present things without proper context (I expect to see this study referenced in non-government articles soon…). Take a small start-up company. Yes, those people likely take work home with them; it happens, it is natural, and at some point every single one of us does it.

Yes, we have to be conscious of our data leaving the confines of our happy networks, but we can’t obstruct our users trying to make the business successful. That’s one of the (few) issues I have with data-centric security. Trying to secure the data eventually impacts the success of the business and the happiness of the people.

One other note I had from the article is about how data-centric security really only works when you can classify your data and separate the sensitive or confidential stuff out. Data-centrism is great for that classification and for being conscious of the security of your really sensitive data, but it breaks down and is ineffective and inefficient for the rest of the data. It can also be theoretically effective when you just declare “all information is sensitive so let’s encrypt everything!” But that gets into a realm that is just not really going to be possible yet, at least at the level of near-perfection that statement alludes to while allowing employees to do their work and be an asset.

Maybe this is just the media being way too sensational about digital security still. We don’t see dramatic reports about how people’s homes are insecure because, while we have a deadbolt in front and back, our windows can be smashed, oh my. Security isn’t perfect and never will be, and I’ll continue to bristle when media or persons have an underlying tone that anything less than perfection is inadequate. Maybe our industry does get it, but damn if the media doesn’t still stir us up and get our blood going.

Maybe I should further limit my chosen media outlets away from journalists…hehe! Hell, I’ve been tracking the front page daily headlines on cnn.com and it reads more like a tabloid or YouTube front page than anything anymore…