There is an interesting statistic from the Ponemon institute that I’m always reminded of when I think about the security of computers. That is that the cost of replacing a lost or stolen laptop computers can total tens of thousands of dollars, with the cost growing with the seniority of the person that owns the device. The primary cost wasn’t in replacing the hardware, but instead related to the data that was stored on the laptop. When a laptop was lost, someone had to figure out what data may have been lost, and what data may have been exposed to unknown 3rd parties. The higher up the totem pole that person is, the more valuable the data is to the organization.
Many people underestimate the value of data until they lose it. Only when data is lost, or stolen, do most people realize that it’s the data itself, not the equipment used to store it, that’s the valuable thing.
One of the interesting things around discussions of BYOD and cross platform device utilization is the unwritten assumption data should be fluid, flowing from one device to another, depending on whichever device the person requiring access to that data has at hand. When there is a tradeoff between security and convenience in terms of making data as accessible as possible across a multitude of devices, it seems that convenience usually wins. For this reason, data that’s shared across multiple devices is rarely encrypted or protected. In the last few years making the data accessible across devices has taken priority over making data secure across devices.
As data becomes more fluid, it becomes necessary to assume that the data won’t be secured by the medium on which it is stored. Instead the properties of the data itself must make it secure. Today, if data is lost or presumed stolen, there are technologies available that allow organizations to block access to that data in the same way that they might remotely wipe an errant phone. Active Directory Rights Management Services has been a part of Windows Server for almost a decade, and allows administrators to revoke access to data believed lost or stolen.
At the moment AD RMS, which allows data to remain both fluid and secure, is only used by a minority of organizations. These organizations, however, are ahead of the curve. In the future, as an the awareness of the risks of data fluidity becomes more widespread, expect AD RMS to become more prevalent. Although still complex to implement and use, in future expect AD RMS to form a solid pillar of many organization’s data security strategies.
