Who's device is it anyway? BP tackles information leakage

The corporate network should be seen as porous

Global energy giant BP is exploring numerous techniques to prevent sensitive information making its way out of the organization - including how best to deal with employees' use of third-party services.

Vice president of digital security and CISO of BP International, Paul Dorey, said information security involves the trust between two environments - the corporation and the individuals.

BP used to give third parties a company device, which could, to some extent, be controlled, but some of the contractors became inundated with devices required for both business and personal use.

"The digital device is more about my digital interface to the world [and] who owns it may be an academic thing," Dorey said. "My car is owned by the company, but I use it for personal reasons. There are issues, however, because it potentially provides a gateway into the network."

During his presentation titled "Who's device is it anyway?" at this year's AusCERT information securing conference on the Gold Coast, Dorey conducted an ad hoc survey of the audience that revealed more than 80 percent of people are using work's computer to manage personal information.

At BP, with some 75,000 end users including contractors, a survey indicated as many as 15,000 are using iTunes.

"What about e-mail and IM? I did a quick survey on the Internet and reasonable use is okay," Dorey said. "If you are booking a holiday we don't want you to go home to do it and then drive back to work. It's a reasonable thing. Limited personal use is okay."

Dorey said nowadays removing IM from someone under thirty is akin to removing their ability to communicate.

"This is the world they like to operate in. Isn't your community of interest part of your value to the organization? To suddenly expect people to don a suit and not use that form of communication is naive."

As chairman of the Institute of Information Security Professionals, Dorey spoke of the "Elysian Fields of security" in which an organization's information can be kept secure with a closed network of managed nodes, servers with defined state and data owners, access to devices of known state and use, and users focused 100 percent on company work.

"Sorry, Elysian doesn't exist and in reality other things exist," he said. "If you think of the world outside the organization people have been putting corporate information on third-party sites like MySpace and Facebook. It's seen as a wider community and that's bad. So what do we do, we block it at the firewall, and is that sensible - no!"

Dorey conceded the corporate network is "basically porous" and cannot be relied upon to prevent the loss of IP; however, a number of measures can be implemented to minimize the problem.

"The loss of IP is very interesting as it doesn't require a security breach," he said. "If I send something to a contractor and I say give me back my IP, they might then say 'what is yours?'"

BP is concentrating on a number of possible solutions including the use of thin clients, compartmentalization, and digital rights management to help prevent information leakage.

"Hey, the mainframes have just appeared again with thin clients. It's the centralized data, or the 'data room' analogy, but can you guarantee thinness?"

Dorey referred to the open source Ulteo as an example of thin computing at BP.

Regarding compartmentalization, or shielding computer users from external influences, Dorey said it's "not really workable", but virtualization technology has the potential to make such a concept "more workable".

BP has started giving contractors a USB key so they can work on a virtual machine. Security is a concern, but BP has gone with a "smart USB" solution where some authentication is required.

Another method is DRM, where computer users "sign" a "digitally green e-mail" that indicates all information generated belongs to the organization. "You could lock up the green paper with some DRM, which may report its location and 'heartbeat' to indicate it is contextually aware of how it's being used," Dorey said, adding the technology to do this is not yet available.

Show Comments