The government sent the security industry into gales of laughter today when it insisted that sensitive documents on Hazel Blears’ missing PC are quite safe, as the machine is “password protected”. The gov’s soothing words came amid speculation on what formal action, if any, communities and local government secretary Blears will …
Reports seem to indicate that the documents in question were emailed to the minister. If the email system was Outlook and using an OST, then the data is inaccessible without the correct user authentication details (as anyone who has tried to recover data from an OST knows). An Outlook PST is not secure - nor is any other email local store.
The real problem is that there is no complete bottom-up approach to security. For a secure system, documents (of any type) must be stored in a management system that enforces classification, and any access must conform to that appropriate classification. Media transfers must also conform (to disk or printer), and so must any other process such as email.
Of course, there is actually no such system that integrates classification for applications, user devices and server solutions, and there will not be while the Govt insists on buying COTS solutions. And the only way such a solution could be integrated would be via the Open Source community, where the ability to see and modify everything at the source code level for a customised solution beats the non-free world where you would have to get several hundred vendors to co-operate.
And that does not stop someone walking out of Whitehall with a printed copy of a secret document and leaving it on the train - when will printer paper with embedded RFID tags be available so they can be stopped at the door?