7

Background:

The company I will be working for as a consultant has developed IP which could potentially be worth billions. The confidentiality clause in the contract has penalties for breaching the clause which are essentially open ended, a six figure penalty plus loss of earnings, loss of future business etc...

The confidential data will be stored securely in their offices, with secure remote access (I don't yet know how this will be achieved). I will be working both in their offices, in my home office, and on the road, visiting clients worldwide.

Questions:

Obviously, I want to avoid any potential loss of sensitive data, and while I can insure against losses up to a certain amount, given the open ended nature of the penalty clause, any serious breach could bankrupt me. My first question relates to how I deal with this confidential data, opened and cached on my laptop, to avoid any likelihood of it being inadvertently retained on my system in an unsecured state.

Secondly, I will need to secure my laptop against any potential attack which would provide access to this confidential information while I was working with it. What would be the best way to secure my laptop, my home working environment, and to protect against an attack while on the road?

  • 8
    Are *you* doing this, or is your *company* doing this? If you are doing this as a private individual, you really need to look into incorporation. Doing business as a corporate entity means that there is a wall between the company's assets, and your assets. You use a lot of words in your above post that make me think you are doing this as an individual. – MToecker Feb 17 '12 at 14:34
  • As MToecker says. Forming a LLC captures risk and contains it in the corporation. You should use this to keep the risk from bleeding out into other assets. – Bradley Kreider Mar 15 '12 at 03:19

10 Answers

8

If the potential compromise of the data can truly cause damages in the billions, then in my opinion you need to seriously question the advisability of taking this data "on the road, visiting clients worldwide."

Is there some business reason why this client requires you to take this data all over the world? If not, then don't do it.

You do understand that every time you go through customs you may be required to turn your laptop over to a customs agent for inspection don't you? Has your client agreed in writing that it is OK for you to give access to third parties?

Why are you taking this data to other clients? If this is not something your client requires, don't do it.

If you were doing work for the federal government, they would not permit access to their controlled data in anything other than a controlled environment. In fact you could end up in jail if you took certain types of data off premises and particularly out of the country.

Come to think of it, why is this data on your laptop at all? Could you not do your job by having it on a thumb drive or external hard disk that you kept locked in a safe in your home?

JonnyBoats
  • 1,143
  • 7
  • 8
  • 2
    You make a really good point. The federal government would not allow controlled data on ANY device that was not approved. It certainly would NOT be taken "on the road" unless there was a "mission" critical reason for doing so. If it was taken on the road the storage device would be encrypted using BitLocker. – Ramhound Feb 17 '12 at 13:38
7

First impression. Eek! Your requirements are incompatible. If this is really a billion-dollar secret, you need to change the way you're handling the sensitive information.

Summary. The best protection is a combination of technical/process and contractual/legal protections. I elaborate on each, below.

Legal/contractual protections. Your contract should specify liability. I recommend that the contract specify a security plan, and state that you are not liable for breaches as long as you have followed the security plan in good faith -- except in case of gross negligence or deliberate violation. (Note: you want it to say "gross negligence", not "negligence".) Then you need to agree with your client on the security plan. One easy way to reach agreement is to ask them to draft the security plan.

I recommend you hire a lawyer to represent you in the contract negotiations. Also, the contract should be priced accordingly, to reflect the risk.

You might want to get professional liability insurance. Insurance companies will sell this to private consultants. You might want to consider incorporating, as well.

Technical/process protections. If the secret is really as valuable as you state, I think you need a fundamental change in mindset. As many others have stated, if this is a billion-dollar secret, you should not be working on it from the road. But I'll go farther. If this is a billion-dollar secret, you should not be working on it from any Internet-connected machine.

Here are the basics of protections that I think are appropriate:

  • Airgaps. You should never store the critical secrets on any machine that is connected to the Internet, or ever has been connected to the Internet.

  • Red/black separation. You should use strict red/black separation. Any machine that will hold the confidential material is designated red. Other machines are designated black. The Internet is black. The critical rule is: red and black should never meet; there should be strict air gap separation between red and black.

    I recommend that you get some red labels and attach a red label prominently to every red machine. Then, attach a red label to every device, network cable, or machine that is connected to a red device, and continue propagating red-ness. Make sure that no red device is ever connected to the Internet or to any non-red (e.g., black) device. This will let you build a mini-local network for processing confidential data, if you wish, while ensuring that the confidential data stays confined.

  • Media protection. You'll need to handle writeable media (e.g., flash drives, CD/DVD discs) carefully, because they can violate the airgap. I recommend that you adopt a strict policy for writeable media. There may be cases where you need to transfer data/files from the untrusted Internet (or other black devices) to trusted red machines. Those transfers should occur using write-once media, like CD-R or DVD-R or DVD+R discs. Avoid re-writeable media. Also, you should only allow those transfers to happen in one direction: black to red (never red to black).

    After media is used, you should immediately shred it or destroy it. There are shredders that can securely destroy CDs.

  • Secure erase. Before you begin the project, for each machine that will become red, disconnect it from the network and don't ever connect it to the Internet until I say so. After disconnecting, do a secure erase of its hard drive and re-install the operating system from a trusted source to ensure it is free of malware, before loading any confidential information on it. At the end of the project, do a secure erase of all red machines. Only after that is completed may you re-connect it to the Internet.

  • Shredders. If you have any confidential documents, make sure you shred them after use.

  • Physical security. All red machines and devices should be located in a physically secure location, and should never be removed from that location. I recommend a location with no windows (if you have windows, close the blinds). No one other than authorized individuals should have access. I recommend installing a burglar alarm system, to detect and deter intrusions. I also recommend that you install a good safe (if you want to be especially careful, getting a GSA-rated safe is a reasonable path).

  • Clean-desk policy. Never leave sensitive materials out unattended. Whenever you leave the location, it is the responsibility of the last one out to log out from all machines, turn off all machines, put all documents, media, etc. into the safe, lock the safe, and activate the burglar alarm. Even if you're just stepping out for a 10-minute smoke break, still follow the protocol.

    I also recommend that you buy an external hard drive for each machine, and store all confidential material only on the external hard drive. Then, when you leave the facility unattended, you can turn off each machine, disconnect the external hard drive, and lock it in the safe.

  • Full disk encryption. Use full disk encryption to encrypt all disks / storage devices on red machines. When you leave the location, unmount the disks (so the passphrase will be required to access the data again in the future).

  • Communication security. Team members should avoid discussing the confidential material outside of the physical location (e.g., when in public). Avoid discussing the confidential material via unencrypted email (not even in a "coded" fashion).

  • Document compliance. The security plan should be in writing and provided to each team member. Each team member should sign a statement that they agree to abide by the security plan.

I realize this might sound like a pain, and a lot to deal with. This is probably excessive for information that is worth hundreds of thousands of dollars. However, if the material is worth as much as you suggest, then I think you have to bite the bullet and accept the nuisance, to protect the information.

D.W.
  • 98,860
  • 33
  • 271
  • 588
6

Taking the first part of your question, as securing your home environment is covered pretty well here:

Physically securing your laptop

  • use full disk encryption so that if your laptop is stolen, the data is effectively unrecoverable
  • always shutdown the laptop when you are leaving it (never use suspend)
  • implement a strong firewall and VPN software package with restrictive rules to prevent access to everything besides that which you need for the contract
  • use a Kensington lock or safe to store your laptop in when you are sleeping or away from your laptop
  • consider a strong box in your car
  • use a laptop screen guard to prevent attackers seeing data on the screen
  • in case the worst happens, make sure you install tracker and remote-wipe software on the laptop

Consider asking the client to provide you with a laptop to their secure build rather than you provide your own - this can help from a liability perspective as you can ask them to state that it meets their security policy guidelines. If they can't do that, ask if they will audit and approve the applications and configuration on your laptop.

Rory Alsop
  • 61,474
  • 12
  • 117
  • 321
5

Do not forget the obvious: negotiate the contract and do not accept open ended penalties.

Jeff
  • 3,609
  • 4
  • 19
  • 23
4

Regardless of whether you'll be using the company assets or BYOD, you'll probably be required to comply with its security policies, standards and procedures, which I am pretty sure cover how the company itself and its partners handle such confidential materials! Extra precautions to take when you travel can be found here

2

The confidential data will be stored securely in their offices, with secure remote access (I don't yet know how this will be achieved). I will be working both in their offices, in my home office, and on the road, visiting clients worldwide.

There are several solutions to this problem:

1) DO NOT TRAVEL with the data in question. Unless these clients are connected to the business deal, you have no reason to bring the data in question with you on the road, so avoid a situation that might result in data theft.

2) Encrypt any device with said data. If the device does not support encrypting all storage devices connected to it, the data should not be placed on it; have a no-exception policy.

3) Figure out how the remote access is going to work. This sounds like an unacceptable risk. You can overnight encrypted media based on a public/private key generated ahead of time.

4) Encrypt all data!

My first question relates to how I deal with this confidential data, opened and cached on my laptop, to avoid any likelihood of it being inadvertently retained on my system in an unsecured state.

Do not store this data on your laptop. Use external media based storage (i.e. CD, DVD, flash drive). I would store the private key to said data on a hidden TrueCrypt storage drive, and make sure the two passphrases were different; the more separation the better.

Secondly, I will need to secure my laptop against any potential attack which would provide access to this confidential information while I was working with it. What would be the best way to secure my laptop, my home working environment, and to protect against an attack while on the road?

Do not travel with the data. Place storage devices, laptop for this business deal, in a locked safe when you travel.

If you are on the hook for millions of dollars if this information gets out, then you are being paid enough to take the steps to make sure it not only is "not possible" for anyone but you to access the data, but also to purchase the equipment required to do so.

Like I said, the simple solution is DO NOT TRAVEL with said data.

Ramhound
  • 496
  • 4
  • 9
  • As I mentioned, the data will be stored securely at the client's site, I will never be travelling with the data in my possession, but accessing it securely via VPN. What I need is to be able to access the data remotely, without any trace of the data being left on my device(s). – MostlyHarmless Feb 17 '12 at 13:52
  • 3
    @MostlyHarmless In that case I'd use some sort of live CD, or readonly filesystem. – CodesInChaos Feb 17 '12 at 15:02
  • @MostlyHarmless - You never explained that. You just said I am going to work from a remote location. This is the reason everyone thought you were going to travel with it. The real simple solution to this problem is to use tools like Citrix to remote desktop into said computer. If you use a remote desktop solution you never have the files on your computer. Of course keeping your creds safe is a problem you will face, which is the reason you need to think to know HOW it will work before asking more questions here. – Ramhound Feb 22 '12 at 16:02
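As an added example (not code from the question or any answer above), here is a pre-flight check for the asker's first concern and for the "live CD or readonly filesystem" suggestion in the comments: before opening a confidential file, confirm that its directory and the usual cache locations all sit on a volatile (tmpfs) or encrypted mount, so nothing can be left behind at rest in the clear. It assumes the Linux /proc/mounts format and uses a constructed mount table; treating /dev/mapper devices as encrypted is a labelled heuristic, to be confirmed with cryptsetup status on a real machine.

```python
import os
import re

# Constructed sample of /proc/mounts (not from a real system). Note the
# octal-escaped space in "usb\040stick", which /proc/mounts really emits.
SAMPLE_MOUNTS = """\
/dev/mapper/cryptroot / ext4 rw,relatime 0 0
/dev/sda1 /boot ext4 rw,relatime 0 0
/dev/sdb1 /mnt/usb\\040stick vfat rw 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev 0 0
/dev/sda3 /home ext4 rw,relatime 0 0
"""

VOLATILE_FS = {"tmpfs", "ramfs"}  # contents vanish on shutdown (never suspend)


def _unescape(s):
    # /proc/mounts encodes spaces, tabs, etc. as \ooo octal sequences
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), s)


def parse_mounts(text):
    """Return (mount_point, fs_type, source) tuples from /proc/mounts text."""
    mounts = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 3:
            mounts.append((_unescape(fields[1]), fields[2], fields[0]))
    return mounts


def mount_for(path, mounts):
    """Longest-prefix match: the mount that actually backs this path."""
    path = os.path.normpath(path)  # assumes symlinks are already resolved
    best = None
    for point, fstype, source in mounts:
        if path == point or path.startswith(point.rstrip("/") + "/"):
            if best is None or len(point) > len(best[0]):
                best = (point, fstype, source)
    return best


def is_safe_for_confidential(path, mounts):
    """(ok, reason): ok only if the backing mount is volatile or encrypted."""
    entry = mount_for(path, mounts)
    if entry is None:
        return False, "no mount found for " + path
    point, fstype, source = entry
    if fstype in VOLATILE_FS:
        return True, "%s is volatile (%s)" % (point, fstype)
    # Heuristic (assumption): dm-crypt/LUKS volumes appear under /dev/mapper.
    # LVM volumes do too, so confirm with `cryptsetup status` on a real host.
    if source.startswith("/dev/mapper/"):
        return True, "%s is on device-mapper volume %s" % (point, source)
    return False, "%s is plain %s on %s" % (point, fstype, source)


def preflight(paths, mounts_text=SAMPLE_MOUNTS):
    """Check every path a confidential session may write to; all must pass."""
    mounts = parse_mounts(mounts_text)
    return {p: is_safe_for_confidential(p, mounts) for p in paths}
```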
1

Most Important Point: Full Hard Drive Encryption on any personal device that processes and/or stores confidential data.

magian
  • 11
  • 1
1

In addition to what has been said about live CD/DVD/flash and physical security of the notebook I would suggest discussing some kind of remote app server with the IP owner. My company uses solutions from Citrix, and there are other vendors of this kind of SW. This can help in "not having documents on your notebook" and in case of border control, e.g.

With regard to the contract itself I can say that in my NDA, e.g. it is clearly stated what is meant by due care with respect to sensitive information. And of course, it is always good from legal point of view to have company-provided and company-managed notebook and SW installed on it.

Yaris
  • 81
  • 2
1

A billion dollar asset sounds like an asset worth enough money to steal using a physical operation. You are more likely to be targeted rather than randomly selected. For a billion dollars plenty of people would just threaten your life or your family's lives.

Besides, you need to incorporate and insure yourself against risk. I'm sure that taking on this much risk means you are getting massive rewards.

Bradley Kreider
  • 6,182
  • 2
  • 24
  • 36
1

Whoa, first are you an individual attempting to start contracting for the company? Secondly, billions with a b? I contracted for Xilinx and LM and the assets were millions but they never put my assets in jeopardy within the contract because that is entirely unrealistic. You travel outside of the country one time, and you are a target for kidnapping, etc. Thirdly, the strength of the protection required to cover the asset is impractical. Even if lesser amounts were at stake, the company is trying to saddle you with responsibility beyond what anyone can realistically expect to recover from in the event of a security breach.
Fourthly, is this a government contract? If so, I have plenty of legal boilerplate to protect you from suits, etc. if you need it. Hope that helps, iceberg