Owning the Platform

At AusCERT last week one of the speakers mentioned the regular autumn spike in malicious traffic from malware-infested student laptops joining the university network. Apparently this university supports the variety of equipment students inevitably bring to school, because they require or at least expect students to possess computing hardware. The university owns the infrastructure, but the students own the platform. This has been the norm at universities for years.

A week earlier I attended a different session where the "consumerization" of information technology was the subject. I got to meet Greg Shipley from Neohapsis, incidentally -- great guy. This question was asked: if companies don't provide cellphones for employees, why do companies provide laptops? Extend this issue a few years into the future and you see that many of our cellphones will be as powerful as our laptops are now. If you consider the possibility of server-centric, thin client computing, most of the horsepower will need to be elsewhere anyway. Several large companies are already considering the "no company laptop" approach, so what does that mean for digital security?

You must now see the connection. University students are the corporate employees of the near future. If we want to learn some tricks for dealing with employee-owned hardware on company-owned infrastructure manipulating mixed-ownership data (business and personal), consider going back to college. I think we're going to have to focus on Enterprise Rights Management, which is a popular topic. That still won't make a difference if the employee smartphone is 0wned by an intruder who is taking screen captures, unless some form of hardware-enforced Digital Rights Management frustrates this attack. Regardless, I think the next corporate laptop you receive might be your last.

Comments

Anonymous said…
Gartner is a fan of the "no company laptop" idea, which is why I discount it. And Mr. Shipley is wrong. With few exceptions, all the companies I've worked for (some dozen) did buy cell phones for employees and set up processes and procedures to manage it. And you don't have to wait a few years - we are already replacing laptops with smartphones.

And your point about university students is not valid. While it's useful information to know how universities tackle this threat, the academic environment is not the real world. Never has been - never will be. Completely different model than your everyday corporation.
Anonymous said…
My phone has had a faster processor than my laptop for almost two years now (July). I have an old ThinkPad and my phone is a Samsung i730.

I would never buy another laptop - maybe a UMPC, though. I think it's just the death of the laptop, period. Maybe companies will start to nix the desktops too and go thin client. Maybe all applications will move to Web 2.0 and we'll all use PDA phones to access them.
Anonymous said…
The difference is that a company has a profit motive that relies on devices to be achieved. As an employee you pursue cash for the business bottom line. As a student you pay cash to learn something. If you want me to pursue cash for you and your stockholders, you had better provide a system that I can be successful with. Failing to do that means that I am a freelance operator, and you had better pay more than others to keep me interested.

They are different beasts with different motives. Let's not confuse them because it is convenient.
John Ward said…
I have to agree with Jason. If a company expects me to use my equipment for its purposes, it had better not have any notion of ownership of any contents of that system. At a basic level (ignoring NDAs and other contracts for a moment), it means I can develop something for a company and turn around and sell it to the highest bidder.

I've worked with companies in the past that had the "you pay to work" mentality, and turnover is high, which means cost goes up due to inflated training expenses.

I typically go with the mentality that if a company doesn't provide me with the equipment I need, I simply won't work with them. If I'm held liable and out of pocket, it's not worth my time.
Anonymous said…
Hi, I'm a little late to this thread. Kicking PCs off the network is moving on apace. BP are doing that for 18,000 laptops. Plus, more and more products are allowing applications to go to clients without the clients being part of the network. Take a look at G/On at www.giritech.com. Nodeless computing means not owning the client. Businesses could save a fortune.