Search Security: Not a Chance

June 16, 2008

USA Today (June 16, 2008) contains a story by Michelle Kessler. “Some Employees Buy Own Laptops, Phones for Work.” Navigate to a USA Today-equipped news stand or try to locate the story on the USA Today Web site here. Gannett is one of the traditional publishers whose Web site often befuddles me. Chasing down the story is worth the effort.

The key point for me is that the USA Today figured out that the expediency, management laxity, and financial pressures have changed the rules for providing employees with company-purchased computers and mobile devices. The data in the article are the usual “big numbers for big impact” and nifty looking charts. So forget the assertion that 39 percent of employees buy a laptop for work or that 43 percent purchase their smartphone. Divide these figures in half. The problem is clear.

If you have any illusions about the security of information in a search and retrieval system, you want to rethink your assumptions and question the assertions about secure behind-the-firewall search. In the work that I do, when an outside device is live and connected within an organization, a security problem exists. True, nothing may happen. But when a single outside device is behind the firewall and capable of receiving information from the organization’s system, a security risk exists. Feel free to pooh-pooh this if you wish.

In one investment bank, the information technology department locked down access to the Internet, instant messaging, and external mail accounts. What was the work around? A personal smartphone or a low cost access device with a secure digital slot or a USB connector.

I chuckle when search system vendors make their security features the key differentiator for their online search systems. Most vendors use the security procedures in place and do not try to layer more security on top of the organization’s existing security methods and systems. Verity’s token system was one of the better approaches. But even that method is vulnerable when users have their own gizmos behind the firewall.

The USA Today article makes it clear that organizations are allowing employees to purchase computing devices. The horse is out of the barn. A happy quack to the USA Today editor who okayed Ms. Kessler’s story.

Stephen Arnold, June 16, 2008

Written by Stephen E. Arnold · Filed Under Enterprise, News, Search

Comments

2 Responses to “Search Security: Not a Chance”

Marc Arenstein on June 16th, 2008 2:06 pm

The best way to solve the security issue might be to put search on a separate
network connected either to lean computers or computers without wireless, usb, optical or floppy drives. Some stations can be set aside for limited net access, however with some level of supervision or open logging to prevent unwanted breaches. I am all in favor of 100% unsupervised open use but only on stations set aside for that very purpose and isolated from voluntarily or accidentally damaging valuable systems.
Stephen E. Arnold on June 16th, 2008 6:09 pm

Marc,
Thanks for the post. I like your suggestions. I wonder which enterprise search vendor will assert a solution to this threat to search security.

Stephen Arnold, June 16, 2000 7 10 pm Eastern

Search the site
Subscribe to Beyond Search
Feature archive
News archive

Stephen E. Arnold monitors search, content processing, text mining and related topics from his high-tech nerve center in rural Kentucky. He tries to winnow the goose feathers from the giblets. He works with colleagues worldwide to make this Web log useful to those who want to go "beyond search". Contact him at sa [at] arnoldit.com. His Web site with additional information about search is arnoldit.com.