FDE and VPN: Don't Throw out the Security Baby with the Legacy Bathwater, Part 1
By Cameron Laird
In "Die, VPN! We're all 'telecommuters' now--and IT must adjust," John C. Welch accurately describes much of the changing landscape through which corporate computing is traveling now:
- Work is as likely to take place outside the office as in;
- Work in some domains has become as likely to take place on an employee's device as one owned by the corporation;
- A large percentage of all work can be done through the Web; and
- "Endpoint" (in)security is nothing short of horrifying: the data equivalents of bars of gold are regularly walked unescorted through neighborhoods so bad they can't help but end up in the wrong hands.
The situation is unsustainable; what should be done?
Welch's conclusion: adopt full-disk encryption (FDE)--and ditch VPNs. His arguments for FDE have merit. The ones against VPN? Well, I expect to use VPNs for a long time into the future, and you should, too. Here's why:
What is VPN?
First, let's review the basics: information technology (IT) departments are responsible for computing operations. Computers have, in general, the capacity to make general-purpose calculations. This means both that IT is called on to perform a wide, wide range of tasks--everything from routing telephone connections in a call center, to control of machine actions in a steel plant, to running accounting programs in a hair salon--and also that there is inevitably more than one technique to complete each task or fulfill each requirement.
Even the simplest analysis of the "remote problem" exhibits these characteristics. Let's begin with Welch's starting point: much of the work of the future will be done outside the conventional workplace, and therefore outside the usual control policies traditional IT establishes. Everyone agrees that the fundamental data of the workplace deserves protection: whether the business deals in customer names and addresses, proprietary product recipes, or factory inventories and outputs, these details must be kept private. For an IT department, data appear in two states: "in transit," as it travels from central organization repositories to the hardware of an individual remote worker; and "at rest," which, for this purpose, means stored on the hardware of an individual remote worker. Welch's FDE prescriptions address "at rest" or "endpoint" vulnerabilities, with the assumption that any local copy--any file or document or report--of data on a remote machine is necessarily encrypted. In turn, to view company data, an unauthorized person would need not only physical possession of the remote machine, but also the key to unlock that machine's storage encryption.