Monday, 24 March 2014

Australian privacy laws and information security

With the new privacy laws in Australia, companies that deal with confidential data, such as my current employer, will need to take some extraordinary measures to try and control what data is copied externally. For instance, any flash drive plugged into a computer will need to be an encrypted, pre-approved device. This raises a few questions and problems. For starters, how do you even enforce a policy like that? It will have to be done at a system level, rather than an external guideline, or else we are not meeting our requirements. I don't think Windows has any way to do that, though I wouldn't know for sure. And if it does, how do you make sure that nobody can get around it? The control would have to be at a very low level, or else people will be able to bring in a live Linux drive, plug that in and work around all the security you set up in Windows. And if there's a security vulnerability discovered in the encryption software you use, which there may be, how do you make sure the flash drives all get updated?

Next, for anything you do allow to be copied off the machine, you need an audit trail to say who copied it, where and when. That's more complicated still. It's a DRM problem, and those always involve twisted thinking. There's always a hole.

Mokalus of Borg

PS - Securing a computer against its own users means it's not really a computer any more.
PPS - I guess we just do our best and hope it's enough.

No comments: