article_264_plcgenesis
article_264_plcgenesis
article_264_plcgenesis
article_264_plcgenesis
article_264_plcgenesis

The search for secure data

May 7, 2007
Embedded Intelligence columnist Jeremy Pollard, CET, is not declaring that encryption isn’t safe, but it’s only software, so how much can an insider make by selling the algorithms to the competition?
In January, a major Canadian hospital “lost” a laptop that contained the names of more than 1,500 kids and their personal medical information. The information isn’t dangerous, but it sure is private. You shouldn’t be compromised in any way just because someone stole a laptop out of a doctor’s car.

This loss was made public in late February, just as we were in the middle of a cold snap. There’s nothing like a scandal to warm things up.

The Canadian Privacy Office issued a statement mandating that no data will be removed from any hospital without being encrypted first.

Can you hear the IT boys scrambling? Was the laptop “hospital issue?” Was the doctor even aware of the security risk he ran when he left the laptop out in the cold? That information is not clear, but it is clear that everyone was scrambling to cover their behinds.

What’s the real deal here? It’s not the fact that someone  might know that Johnny needs four shots of insulin a day and has contracted a mild case of pneumonia. What’s at stake is the data: “It’s mine.”

The fallout from this has been, to me, weird. Public companies such as Absolute Software are benefiting from the FUD (fear, uncertainty and doubt) factor. This company provides a software service that can delete all software from a stolen computer/hard drive. That’s good. However, if the data is encrypted, you don’t need them, right?

In addition, it seemed like they could put GPS-like tracking software on a stolen computer as well, so the authorities could apprehend the culprit and recover the data. It’s not GPS software, but I’ve had three people tell me it is because they can find and recover your computer.

I went to the Absolute website, and now I get it. Make sure that the information is scarce, and the FUD is high. That’ll do it.

Another company from Germany announced at CeBIT in March that they’ll be providing encrypted data on a USB key device. It claims that, without your password, the data is safe.

I’m not declaring that encryption isn’t safe, but it’s only software. I wonder how much dough an insider could make by selling the algorithms to the competition? But wait—data would have to leave the office then. Couldn’t happen?

Absolute Software says most laptops that are stolen are quickly connected to the Internet. In fact, they say, the stolen computer must be online within 60 days for Absolute to be able to track, locate, or delete your sensitive data. Would you pay for this?

Now, if I stole a laptop for its contents, the last thing I would do was connect it to the Internet. The hard drive would be out and set up as a data drive faster than you could say “Jack Robinson.”

The data on a machine builder’s portable devices isn’t any less important than a child’s medical history, and it has a unique property. It’s your intellectual property. This is your business.

Teknion, an office furniture builder, used to e-mail engineering drawings to India so the staff there could work on  source drawings. Now they use Route1’s MobiKey, which allows the Indian engineers to work on the source drawings, but the data stays behind the firewall in Canada—file transfer is not allowed.
No as-built drawings, no IP loss. Printing is controlled as well.

Data does not need to leave the office. Your intellectual property can be safe, and your business can be safe.

As a machine builder, you probably provide intellectual property to some, or maybe all, of your customers in the form of PLC programs, CNC profiles, motion profiles, mechanical as-built drawings.

If my memory serves me well, I’m pretty sure that Allen-Bradley first put CARs (custom application routines) into PLCs, so OEMs could create custom software to protect their IP. I always thought it was a cash grab because you had to buy the software development kit. But now—when data has to leave the office—it makes more sense.

Custom motion curves embedded in controllers would protect a machine builder’s research to some extent.

When the data doesn’t absolutely have to leave your control, you leave the data where it is. When data absolutely has to leave, then you protect it. As with all other activities, don’t react; instead, plan and implement.

  About the Author
Jeremy Pollard, CET, has been writing about technology and software issues for many years. Publisher of The Software User Online, he has been involved in control system programming and training for more than 20 years. He’ll be pleased to hear from you, so e-mail him at[email protected].