Minimising data risk via the cloud

Dumb machines just may be the intelligent way forward in order to provide mobile and non-office based personnel with IT that cannot provide a treasure trove of information for laptop thieves.
Laptops often carry sensitive and even valuable information. It may therefore be worrying to know that one in 10 of those laptops issued to employees will be lost or stolen. More surprising is where they go missing. The area of greatest risk is the employees own home or their workplace. Nearly a third of all laptops are stolen from their owners’ personal addresses and where they are issued by an organisation as many as a half are mislaid or stolen at work. Of course they do also go missing in transit with over 3,000 disappearing from UK airports each week.
As the workplace becomes more mobile this issue of laptop vulnerability is becoming increasingly important both in the public and private sector. Often the approach taken by organisations is to count the cost of replacement. The BBC for example is said to have lost over £200,000 from the theft of 149 laptops over two years. But the cost of replacing the hardware pales into insignificance when the value and sensitivity of the data that they hold is considered.
There are an increasing number of examples of the costs of losing data when laptops go missing. A recent paper by the Poneman Institute, for example, found that each laptop could represent lost business worth an average of €35K. Even this misses the potential impact on business and public sector organisations where personal data is stored on mobile devices. Just this year Hounslow and Ealing Councils where fined a total of £150,000 when three laptops where stolen. In industry the fines have been much higher with the Nationwide being hit with a penalty of nearly £1m in 2007 and Skipton Building Society over £300,000 when a laptop was stolen from a gym. A further problem is the incalculable cost of lost reputation. The Skipton case goes back to 2005 and yet is still a cause celebre, hence its inclusion in this article.
Sometimes the information on stolen or lost computers is highly sensitive and goes beyond a fiscal cost. The damage caused by leaked information to newspapers or competitors can be incalculable and have far reaching consequences for business and governments. HMRC and MOD have both been victims of information loss through the ‘misplacement of discs’. In one case the personal information of over 25 million people in the UK were exposed to misuse and risk, with the subsequent enquiry (The Poynter Report) concluding that it was “entirely avoidable”. HMRC was moved to offer a reward of £20,000 for the safe return of the discs containing the entire database of child benefits claimants. The reward paled with the estimated worth of information in the region of up to £1.5bn.
So, what can be done to prevent this loss of data? There are a number of approaches that are available apart from the obvious one of good password protection policies – sadly even this level of security it seems is rarely followed by staff. Some of those available include locking down the operating system used, having an encrypted drive on the laptop for the secure storage of company sensitive data, setting up a virtual encrypted drive to which laptop data can be backed up online and lastly using strong encryption in the hardware itself (
These approaches all suffer from two common weaknesses. Firstly the data remains in the laptop where it may be vulnerable or is lost, and secondly it relies on a sufficiently strong authentication processes. Biometric alternatives may solve some of these later issues but one needs to remember that 10 per cent of the population cannot provide adequate fingerprint data. In the end, whatever these approaches are, they rely on the user following procedures concerned with backing up the data regularly and following pass wording or other measures. It also follows of course, that if the user fails to authenticate themselves the data may be lost for ever or take significant IT management time to retrieve.
It is these weaknesses that the new Ubiquitous Desktop Solutions® from Technical Services (a trading arm of Kent County Council) seeks to address. This new approach uses laptops and netbooks which carry no data at all to be lost or stolen and machines that are useless to any criminal as they cannot be reconfigured and cannot carry any local operating system. Each carries a label emphasising this point which may in itself prevent opportunistic crimes.
The system is based on the Oracle thin client architecture which provides remote desktops over the Internet using fully encrypted connections (IPSec on a VPN or TLS/SSL) which are accessed using dumb terminals via the Solarus system. This concept has been taken a stage further in with Ubiquitous Desktop Solutions® with the addition of laptop and netbook devices which are in effect mobile dumb terminals. Chris Geary of Technical Services explains: “The beauty of this approach is that the data never leaves the building. The remote desktop architecture along with the Solarus platform can be installed locally and managed by the in-house IT team which gives the organisation total control.”
Disaster recovery and data retrieval is also a costly process should the worst happen and your valuable information disappears. The beauty of operating on the cloud is that data is not stored locally, so the most you lose is hardware which is far less stressful and more often, far cheaper to replace.
The scope of hardware available on which information can be accessed over a cloud system has numerous benefits to business and education. By integrating a system which protects the information from access, should a computer find its way into the wrong hands, the risks are virtually eliminated. With an increasing array of supporting hardware from tablet computer to mobile phones, accessing your information is not only easier but also infinitely more transportable. The benefits associated with this mobility however do not outweigh the risks unless the information is secured.
Integration of operating systems which perform over a number of different hardware platforms expands user functionality and cloud computing offers the level of freedom to take business and education beyond many restrictions and boundaries offered by a conventional server based OS. The ability to do this without compromising information security is the key step change toward ensuring that mobile computing becomes free from the additional worry and stress of theft or misplacement of the device used to access that information.
The definition of ‘cloud computing’ covers a plethora of IT services and the terminology is both a simplification of its diversity and scope. Analyst Company Gartner describe cloud computing as: “A style of computing where scalable and elastic IT-enabled capabilities are delivered as a service to customers using Internet technologies.” The company also describe five defining attributes of cloud computing: service-based, scalable and elastic, shared, metered by use, uses Internet technologies. A key to cloud computing is an opaque boundary between the customer and the provider. It is this opacity which is the key to security for the customer. Google’s own definition attaches a further label ‘100 per cent web’. Primarily Google see cloud computing as no more than a secure and reliable device to access the Internet, enabling companies to do away with expensive infrastructure and allowing them to dispense with upfront capital expense and reduce maintenance costs.
There is a clear sense developing that this technology will be one of the major game players in 2012 for providing greater security and faster access to information. In the current business climate where IT budgets are being squeezed, it will make not only fiscal sense to look seriously at the cloud but also be provident in terms of housekeeping.
Given the costs and risks of managing laptops it is no wonder that they are often regarded with less enthusiasm by IT departments of public bodies than one might expect. Never the less as budgets are squeezed and work becomes more flexible, the pressure to support mobile working continues. Is there a solution?
One answer that has started to gain some traction is the innovative use of thin client technologies and one in particular, the SunRay system from Oracle which Technical Services have wedded with a unique "laptop" mobile device. Why SunRay and what is so unique about the "laptops" Technical Services are using?
Thin client technologies represent the older mainframe idea where dumb terminals are linked to a centralised processing unit. This heritage architecture has in effect been reborn in the new Internet age. Just as all data, applications and files where held by the mainframe and none where kept on the terminal so thin clients are serviced from a central server architecture, only this time the connections need not be local but can be over the Internet. SunRay is therefore ultra thin client and operating system agnostic. That means the terminal has no local software processing, needs no maintenance, lasts significantly longer than conventional PCs, and also requires a fraction of the power to run.
The twist that Technical Services have added is wedding this concept which they have been operating for some years internally, with a unique mobile Terminal. The result is a device which gives the same performance as a normal laptop but is in fact always connected to the centre via the Internet and has no local processing. In this way, it offers an elegant solution to supporting mobile working while eliminating the risks and much of the cost, because as Chris Geary, the head of business innovation at Technical Services points out: "The data never leaves the building." That means it can never be lost or stolen. In addition because they don't support any local processing, the devices themselves need no maintenance and if one is stolen it can be replaced fully operational straight from the box.

Please register to comment on this article