We were recently contacted by one of the university’s departments to discuss their concerns about client-side data security. Their worry was that confidential material from their users’ mailboxes would be cached in Outlook’s offline store (the .ost file that Cached Exchange Mode keeps on the local disk). This represented a possible data exposure if a computer were stolen. The department had proposed, as a solution, that Outlook’s caching should be disabled. Users would work online, minimal confidential data would be stored on the hard disk and all would be well…
Now it is true that the locally cached copy of a user’s email represents a possible target for the malicious. But tackling a perceived data vulnerability issue via Outlook’s offline store is to overlook countless other areas of equal or greater concern. From my team’s perspective a large number of Outlook clients failing to use caching represents higher server load. These users would have poorer Outlook performance and lose offline access to their email when away from a network.
Disabling Outlook’s caching is not a great idea for performance, on either the server or the client. It also doesn’t really address the data exposure anyway. Even if we were able to force the whole university to use Outlook on their desktops[1], there is still a vast array of users’ own devices to which data might be transferred.
If you have content that needs to be secured, my experience is that the end-user represents the weakest part of any security environment: servers are very likely to be fully patched, in a secure datacentre, audited, monitored and protected by strong security policies with ‘least privilege’ access. End users, on the other hand, tend to resent and resist security, only complying where it is impossible to avoid or where non-compliance has sanctions attached.
There are countless security options available, but the most universal is to require a strong password: naturally the university does this already. But in a form of arms race the end user can respond to this with software which caches the password for them. The best solutions to the problem are, in my view, ones that are unavoidable by users. Avoiding any additional user inconvenience at the same time is a bonus. However, finding that kind of solution needs a more detailed understanding of the problem.
In the case of our department’s query, a bit of probing eventually revealed that the concern related solely to the possible theft of a departmental computer. The aim was to provide a security enhancement that should ensure that a casual thief would be unable to recover content from a stolen machine’s hard drive.
Preventing Outlook from duplicating mailbox content locally does, sort of, achieve that aim but overlooks the very real possibility that users may still be putting classified material onto their local computers. Saved attachments, PST files, and MSG files represent just a few of the email-related possibilities. But confidential data doesn’t just move around via email. Plugging one possible route doesn’t affect others.
The ideal situation would therefore seem to be something that doesn’t require user interaction or effort yet secures whatever data our users might care to store on their computer’s hard disk. Fortunately technology comes to the rescue: most of the university’s current crop of desktops have a TPM chip which offers a very simple way to secure hard disks. A brief foray into the BIOS or UEFI setup might be needed to enable and activate the TPM, but then Windows can do the remaining heavy lifting. The Enterprise and Ultimate editions of Vista and Windows 7, and the Pro and Enterprise editions of Windows 8, all include BitLocker. This is a full-disk encryption technology that doesn’t generally require any user interaction; users may not even be aware of it.
BitLocker’s volume key is sealed to the computer’s TPM against measurements of the boot chain, so, as long as the TPM sees unmodified boot files, the key is released and the operating system powers up normally, straight to the Windows logon screen. From that point onwards we do still depend on the user having sensible security settings, since the running system is guarded only by the Windows password and screen lock. It is therefore while a computer is fully shut down (or hibernated, not merely asleep, since sleep keeps RAM powered and the key in it) that BitLocker offers a reasonable defence against data loss. It would be foolish to deny that routes still exist to attempt data theft, but those routes need someone who is both highly technical and extremely determined. The best-known attack on TPM-only mode is the cold-boot attack: the key sits in RAM while Windows runs, and DRAM retains its contents for a short time after power is cut, so an attacker who finds the machine running or locked can reboot it into their own tool and extract the key from memory. This is hardly something a casual thief is likely to undertake. Password phishing probably represents less effort for greater gain…
On computers without a TPM chip, BitLocker can still be used (a Group Policy setting allows it without a compatible TPM) but it then requires the user to supply a startup key on a USB drive, or from Windows 8 onwards a password, before the operating system will boot. A TPM-equipped computer can likewise be configured to demand a PIN in addition to the TPM. Although this represents a hassle for the regular user, and lacks the transparency of the TPM-only approach, it can be even more secure: the volume key is never loaded into memory until the secret is supplied, so a machine stolen while powered off has nothing in RAM for a cold-boot attack to recover.
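The procedure sketched above, as an added example rather than anything from the original post: check that the TPM is ready, enable BitLocker on the operating system drive in the transparent TPM-only mode (or TPM plus PIN, or a USB startup key where there is no TPM), add a recovery password and report the result. It assumes Windows 8 or later (the BitLocker and TrustedPlatformModule PowerShell modules), an elevated session, a drive that has no protectors yet, and that a USB drive for the no-TPM case is mounted at E:\ (an assumed drive letter). On Windows 7 the equivalent commands are manage-bde rather than these cmdlets.

```powershell
# Added example (not the article's own script). Assumes Windows 8+ with the
# BitLocker and TrustedPlatformModule modules, run from an elevated PowerShell.
Set-StrictMode -Version Latest
$ErrorActionPreference = 'Stop'

function Test-TpmReady {
    # $true when the TPM is present, enabled and activated in firmware. If it is
    # present but not ready, the "brief foray into the BIOS" is needed first.
    $tpm = Get-Tpm
    if (-not $tpm.TpmPresent) { Write-Warning 'No TPM detected'; return $false }
    if (-not $tpm.TpmReady)   { Write-Warning 'TPM present but not ready: enable and activate it in firmware'; return $false }
    return $true
}

function Enable-OsDriveEncryption {
    param(
        [string]$MountPoint = 'C:',
        [switch]$RequirePin,            # TPM + PIN: key is not in RAM until the PIN is typed
        [string]$StartupKeyPath = 'E:\' # assumed USB drive letter, used only when there is no TPM
    )
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    if ($vol.ProtectionStatus -eq 'On') {
        Write-Host "$MountPoint is already protected"
        return $vol
    }

    if (Test-TpmReady) {
        if ($RequirePin) {
            $pin = Read-Host -AsSecureString -Prompt 'Choose a BitLocker PIN'
            Enable-BitLocker -MountPoint $MountPoint -EncryptionMethod Aes256 `
                -UsedSpaceOnly -TpmAndPinProtector -Pin $pin -SkipHardwareTest
        } else {
            # Transparent mode: the TPM releases the key only when the measured
            # boot chain matches what it saw when the protector was created.
            Enable-BitLocker -MountPoint $MountPoint -EncryptionMethod Aes256 `
                -UsedSpaceOnly -TpmProtector -SkipHardwareTest
        }
    } else {
        # No TPM: needs the "Allow BitLocker without a compatible TPM" policy,
        # and the startup key on removable media at every boot.
        Enable-BitLocker -MountPoint $MountPoint -EncryptionMethod Aes256 `
            -UsedSpaceOnly -StartupKeyProtector -StartupKeyPath $StartupKeyPath -SkipHardwareTest
    }

    # Always add a recovery password and escrow it: a firmware update or any
    # change to the boot chain alters the TPM measurements and locks the user out.
    $vol = Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector
    $rp  = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
    # On domain-joined machines escrow to Active Directory instead of printing:
    # Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $rp.KeyProtectorId
    Write-Host "Recovery password for $MountPoint (store securely): $($rp.RecoveryPassword)"
    return Get-BitLockerVolume -MountPoint $MountPoint
}

function Get-EncryptionReport {
    # One row per volume: protection state, encryption progress and which
    # protector types guard the key (TPM alone, TPM+PIN, startup key, recovery).
    Get-BitLockerVolume | ForEach-Object {
        [pscustomobject]@{
            Volume     = $_.MountPoint
            Protection = $_.ProtectionStatus
            Percent    = $_.EncryptionPercentage
            Protectors = ($_.KeyProtector.KeyProtectorType -join ', ')
        }
    }
}

Enable-OsDriveEncryption -MountPoint 'C:' | Out-Null
Get-EncryptionReport | Format-Table -AutoSize
```

Run with `-RequirePin` to get the stronger TPM+PIN mode discussed above. `-SkipHardwareTest` starts encryption immediately; without it BitLocker schedules a reboot to confirm that the TPM can actually unlock the drive before committing, which is the safer choice on unfamiliar hardware. Encryption continues in the background and `Get-EncryptionReport` shows its progress; `ProtectionStatus` only turns `On` once the protectors are active.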
In my view BitLocker represents one of those features that, if it’s available to you, you should use. It’s not perfect by any means but, on a TPM-enabled computer, it is completely transparent to the end user. It offers full disk encryption that will make most, if not all, data theft from a stolen machine uneconomic.
[1] Good luck with that idea.