17
•
Many devices use a simultaneous combination of hard disk, flash, EEPROM, and other
technologies to store a variety of different types of information. An encrypted drive may
protect some information placed in non-volatile storage, but not all. These are important
questions to ask the MFP manufacturer:
o
What information is stored in non-volatile storage?
o
What types of non-volatile storage is in use?
o
What information is stored where?
o
Which non-volatile storage has encryption?
o
Which encryptions meet external specification (e.g., FIPS)?
•
The company should determine who manages the equipment/IT of the servers and laptops. If
this is an outsourced or external company (e.g., retail service), then steps need to be taken to
secure these paths to their data as well.
•
The company should also evaluate their laptop security for their drives. There are fifty
laptops and only three MFPs. Laptops are often removed from the building which has access
control and taken to places that do not have access controls. Hence, why stolen laptops
make the news quite frequently.
•
The company should also evaluate how they are backing up their laptops and servers and the
availability of that information (e.g., DVDs lying on a desk, and so on)
Let’s look at another case, based upon the same scenario:
A small company with about fifty employees has standardized on three MFP models to handle their
printing and imaging needs. To save costs, they also standardized on laptops with docking stations
for personal computers. From a physical access control perspective, the company’s building is badge
accessed controlled and their LAN equipment and servers are in a locked room controlled by their IT
department. All of their laptops and servers have encrypting storage systems and their backups are
encrypted and securely stored. About 15 of these employees are working on a next generation
product that is critical to the success of the business. All computers and MFPs are managed by an
internal IT team staffed with employees of the company. The IT department believes it is a good
idea to protect company’s intellectual property by purchasing encrypting hard drives for their MFPs.
Here are some situations where having encrypted hard drives on the MFPs may help protect the
company just outlined:
•
Theft: The MFP itself or the hard disk drive of the MFP is stolen.
•
Warranty Replacement or Upgrade: The MFP is replaced or the hard disk of the MFP is
replaced due to failure or upgraded to another type.
•
Selling equipment to another user/company: The MFP is sold as a used device.
•
Recycling this equipment: The MFP with the hard disk is recycled.
•
Throwing the equipment away: The MFP with the hard disk is thrown away in the trash.
Technology can help people when they make the wrong decisions - like forgetting to lock a door or
mistakenly throwing away sensitive equipment. It can also help when in defense-in-depth situations
when other security measures have been defeated – for instance a break-in which sounds an alarm
but the thieves are able to escape with valuable information.
How People Can Hurt Security Technology
Let’s move away from the encrypted hard disk example to a technology like SSL. A person may
object to the previous analysis and say “Look at SSL – it was a security technology and it changed the
way people shop and allowed for e-commerce – people aren’t really involved in SSL and therefore
decisions that people make can’t hurt SSL.” SSL is a technology that did allow for a new consumer
shopping era to be ushered in. Unfortunately, people can make decisions to undermine security
