Tuesday, 10 February 2009

10 Gb Ley Lines?

The day started early with a presentation from the CIO from the Ministry of Justice on "Aligning IT Strategy to the business needs of the organisation". What does the Ministry of Justice do, you might ask yourself (I did). Well it runs the prisons for one thing, and the courts and the probation service.... So, a bigish, fairly complex organisation with over 80,000 employees and 2,700 buildings. Interesting to hear his take on what makes an IT Strategy successful. His view was that the reason so many IT projects fail is that they are not well managed - the objectives and benefits are not identified at the beginning, they suffer from scope creep, and they are too big. Although the big picture is needed for the strategy, delivery needs to be in small chunks. A project that's going to take time to deliver will not work - both the technology and the needs will have changed before it is completed.

The rest of the day was spent in round table discussions on a variety of topics. Two of mine were on remote and flexible working, and on equipping the mobile worker. As it was a public sector forum and I found myself on tables with a large number of CIOs from Local Authorities, much of the discussion was about security. Most only permitted totally locked down laptops, usually encrypted, no access to work emails or files on home PCs, encryption software on mobile devices including Blackberries. Very little concept of web based services access through a portal - they nearly all rely on client based access to systems but some are starting to investigate thin clients. Almost without exception totally Microsoft based - I was even asked what IMAP was when I explained that's how I access email on my iPhone. Everything standard - you can't use what device you want, just what the IT department tells you you can. No concept of using social networking tools at all. Obviously some of these organisations are handling data much more sensitive than anything we have, the concept of IT being a facilitator not an inhibitor didn't exactly come across. Most totally encrypted laptops were unusable, and many people reported the use of encrypted memory sticks where the user had forgotten the password making the data inaccessible to anyone. There is obviously a balance between usability, security and risk which we all have to consider taking into account what data we are handling. I was quite impressed with the fingerprint recognition on the new Sony Laptops - shame it's not available more widely.

As I said yesterday, it's great to get out of the sector, and look at the way others work. Had a really funny discussion with the CIO of English Heritage about networking Stonehenge, and what the bandwidth of Ley Lines might be....


Anonymous said...

The current trend to throw technology at security problems concerns me.

Take the classic problem of the public servant leaving their laptop on a train. The laptop contains sensitive records, lets say personnel information. An equivalent information security breach 15 years ago would probably have been the loss of an entire filing cabinet (or more) on a train. It just wouldn't have happened.

Why didn't this happen 15 years ago? Obviously, the inconvenience of taking the personnel filing cabinet out of the office and onto a train is the largest factor. It wasn't feasible and therefore it didn't happen. I imagine the odd dossier or sensitive record got left on a train, but when that happened the loss was limited to whatever small amount of information was there.

The best way to keep this data secure is not to keep it in the first place. Is there a good reason to keep those records on a laptop? Can you work with just a small subset of the information? And when you do, then technologies like encryption come into play.

Nowadays, it's easy to take huge amounts of information and put it on a portable device. If it's encrypted, it's a bonus, but no encryption is totally secure. If it's not there at all, then no-one can gain access to it.

All of this has made me think of a scheme to dissuade the transfer of large quantities of sensitive information. Each byte of sensitive data should be assigned a weight, for example, 1mg per byte. For each byte of data you carry, you have to carry a mass of the same weight. 1KB of data = roughly 1g. 1MB of sensitive data = 1Kg, 1GB of sensitive data = 1000Kg. It would certainly encourage people to think about what personal data they carry around with them!

Graham Hill said...

Great post - reminder of how different we are even in the same perceived "sector"

Anonymous said...

This is truly amazing especially the sums, and fibernachi sequence.


Ceri Davies said...

The best way to stop people carrying data around is to remove their need to do so, which is trivial with a technology such as VMware View or, my personal favourite, Sun Secure Global Desktop.