PGP INSIGHT

04 Aug, 2006
Last week, I wrote about how important it was to have a comprehensive understanding of both front- and back-office threat models when you design security systems. This week, we have a classic example of what happens when you build a point security product without a broad understanding of the environment into which it will be deployed.
Two weeks ago, Microsoft launched a free Windows add-in called “Private Folders”. This little tool works pretty much like you’d expect. It allows a user to create a directory within the Windows file structure that is password-protected. Microsoft stated when it posted Private Folders that, “Private Folder 1.0 is a useful tool...to protect your private data when friends, colleagues, kids or other people share your PC or account.”
The problem, of course, is that Private Folders could be used by any individual user on a corporate desktop or laptop system. Microsoft made no provision for a corporate IT organization to manage the use of Private Folders or any way for them to access the information without the cooperation of the end user. Now although we’d all like to believe that such a feature would never be used in an illegal or unethical fashion, today’s CIOs and CSOs are paid to ensure that such use is not just unlikely but impossible.
Think about it from the CSO’s perspective. Private Folders could allow an employee to place confidential customer, client, or patient data on a laptop in such a way that it not only wasn’t apparent, but also wasn’t recoverable. How Microsoft overlooked this portion of the threat model, we’ll never know, but it took its customers very little time to point that oversight out. In less than a week, Microsoft had received enough calls from its major corporate accounts to realize it had blundered. So, last Friday, the company bowed to considerable customer pressure and took Private Folders out of circulation.
It is precisely these manageability and recoverability issues that we address with PGP Universal™ and our patented Additional Decryption Key (ADK) functionality. PGP Universal empowers corporate IT departments to centrally deploy and manage very specific configurations of PGP® Desktop 9.0 to specific, known users. For enterprises that must have a comprehensive data recovery program in place, this approach allows PGP Desktop 9.0 to be deployed in such a way that all encrypted data is also encrypted to a second key held by the IT or Legal department. By utilizing the ADK, corporate IT can always access PGP-encrypted data when required to do so by legal authorities or for legitimate business purposes. It’s an example of how you design a security system when you truly understand all aspects of the threat model.
I’m not (really, I’m not) trying to take a cheap shot at Microsoft on this issue. What I am trying to do is to point out how much trouble you can get into if you don’t thoroughly analyze the threat model from many different perspectives: the end user’s, IT’s, Security’s, Legal’s, and so on. Each of these organizations is a stakeholder in the overall information security equation and each of their needs must be understood before a new solution is deployed.
- Phil