Laptop Liability
Friday, June 2nd 2006 | Ismael Ghalimi
There is not a week that passes by without media reports of data loss or theft. And we can safely assume that what gets reported only shows the tip of the iceberg. More often than not, this results from the loss or theft of a laptop where some sensitive data was stored for analysis purposes. In an instant, millions of credit card numbers or social security numbers are gone in the wild, and there is no way to know what the person who will find the missing laptop will do with it. Most likely, nothing harmful. But who knows? And how can we be sure? This laptop liability might very well be the strongest selling point for Office 2.0 alternatives to Microsoft Excel.
Nothing sells better than fear, especially to IT managers who do not want to make the headlines for some major security breach into their systems. Once they realize that letting people download gigabytes of data for analysis on a laptop using a spreadsheet editor such as Microsoft Excel, they will start looking for a better alternative where data remains online, is manipulated through an online spreadsheet such as Zoho Sheet, and massive data exports are not allowed without proper privileges. For some corporate users, the online spreadsheet editor will have to be hosted on premise for security and confidentiality reasons, but for most small and midsize businesses, a Software as a Service solution will be good enough.
Such a realization is called a compeling event, and Office 2.0 will need more than one for it to go mainstream. We can find such compeling events for most categories of applications — many are listed on my Rationale for Office 2.0 article, and eventually the benefits of going online will overcome the temporary limitations of online alternatives to traditional office productivity applications. It’s only a matter of time…
Entry filed under: Office 2.0
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
I think security will still remain a problem, although maybe not to the degree it is now. Too many of us have a tendency to store our passwords in our browsers or have autologins to the services themselves, which could circumvent the best efforts of company IT departments. I myself use autologins for several services on my home computer, although I don’t use them at work or on my laptop.
Robert,
You’re pointing to a very real issue. Down the road, Office 2.0 will have to be secured with strong biometrics authentication and/or personal password generators that you can attach to your keychain. Such solutions are available today at a reasonable cost, and all we have to do is make them more mainstream by having vendors such as Google or Microsoft actively promoting them. We should get there within three to five years.
Robert & Ismael:
Nice points. Office 2.0 providers sure should be thinking along these lines.
Interesting points, but in my opinion they only scratch the surface. I believe there is a common approach that can be deployed onto laptop hard drives and server-hosted options: a simple and usable encryption solution.
One of the key (pun not intended) problems with the concept of Office 2.0 is the thought “do I want my sensitive data hosted by someone else?”. This applies more pervasively than is first apparent — even if you save the results to your machine, for the work files and other temporary data will have been held by the host and any number of machines on the route to/from it. Normally this information is overwritten and lost, but for really critical data, relying on this may be a risk.
For my personal letters, notes, and ramblings, there is probably no risk; for commercial plans it may well be worth the effort for a competitor or organized crime to set up “man in the middle” recording, or other attacks. It is businesses that will drive adoption for Office 2.0, so we need to alleviate their legitimate fears.
Note that it is not just the contents of files that need protection — often a lot of information may be inferred from metadata such as file names and the existence or timing of their creation.
What would be nice to have is a simple, standards-based, easy to use [otherwise people won’t use it] transparent encryption technique. This would ensure that data stored on the laptop is useless to anyone who doesn’t supply the right key.
The need for an open standards-based approach is vital; allowing a company to define standards — or worse pollute them with their own proprietary extensions and “improvements” — is a sure fire invitation to vendor lock-in.
There are already implementations available — many of them are open source. What is needed is the thinking to bring them all together in a user-friendly way. Suitably implemented it could also bring benefits of authentication and non repudiation, giving “signature status” to documents.
The disadvantages behind the scheme are the ability for major providers to hijack the scheme and lock people out unless they pay (e.g. DRM systems); denial of access to competitors through the use of polluted standards and “trusted” status; interference from various governments [demanding access to data — e.g. RIP in the UK and PATRIOT in the US]; hosting policies for Office 2.0 suppliers [e.g. offering free storage in exchange for reading your documents to direct targeted advertising]. None of these are technical issues — they are all policy/implementation/political problems that need to be considered.
Overall, I believe the advantages outweigh the disadvantages, but it will take a few more high profile losses to make a strong-enough business case to convince many people.
Interesting times ahead…
Hi, Andrew!
I agree entirely with your comments. My concern remains sloppy and lazy implentation by users. It doesn’t matter how strong or secure an encryption system is, many users won’t use it, will fail to fully utilize it, or take shortcuts around it. We already have way too many instances of laptops being stolen with sensitive data that apparently have not had been properly secured and/or encrypted.
On a roughly related matter (corporate info hosted on a third party site), I uploaded the Microsoft Word document I’m supposed to use for my “Performance, Advancement, and Development” (PAD) plan to both Zoho Writer and Writely, and neither rendered the tables correctly. Abiword didn’t work quite right, either. I guess I’m stuck with Microsoft Word.
The PAD form, as far as I can tell, does not have any of what I consider sensitive information. Unless someone really wants to know what my job goals are for the next six months…
Hi Robert!
I missed out on the opportunity to get on the Writely test.
I have tried Ajax Write with limited success.
On the other hand — and even more off-topic — I have found OpenOffice.org to be an excellent replacement for Microsoft Word and wouldn’t hesitate in recommending people to give it a try. I use it exclusively at home on my Linux box and find it less frustrating than Microsoft Office — the Microsoft Windows version is 100% compaible. Exchanging documents with Microsoft Office is a breeze.
I am not affiliated with OpenOffice.org, so this isn’t a paid advert…
Trackback this post | Subscribe to the comments via RSS Feed
Leave a Comment