Local Encryption Scenarios
-
One of the topics that always seems to get a lot of discussion here is local encryption.
Some people, such as @scottalanmiller typically (emphasis on typically) advise against it. While others say to do it all the time. Still others say, it's mostly harmless, and can protect you, so why NOT do it if it's as simple as entering a password? I asked a few their feelings yesterday, and as expected got a spectrum of answers.
I was thinking, giving specific examples might get people chatting about what they would do in a particular scenario, and lead to a consensus. Of course, each example can have all sorts of hidden gotchas, but I think it's safe to make some general assumptions here.
So, here is example number 1:
You get a call from a CPA. They just moved into a shady area of town, and are concerned about their data in case their PC gets stolen. They must use a local PC, because that is the only way their CPA software will run. Just the one CPA, one computer. What would you do in that scenario? And if you choose to encrypt, what would you use?
-
@BRRABill said in Local Encryption Scenarios:
They must use a local PC, because that is the only way their CPA software will run.
There is no such software, this is a false situation. This is a hypothetical that will never apply in the real world. So sure, we might get a contrived answer in this scenario, but it won't be useful.
-
@BRRABill said in Local Encryption Scenarios:
Just the one CPA, one computer. What would you do in that scenario? And if you choose to encrypt, what would you use?
In this contrived situation, I would recommend encryption.
In the real world, I would confront the false statement, prove it wrong, and at the very least show a viable server-based non-local option that might make a lot more sense so that they are more functional, safer, and better protected.
-
I would ask why not virtualize this CPA software running PC and have staff rdp into it. That way nothing would be stored on it. And the data in the VM and hypervisor could be backed up and encrypted.
-
In the contrived scenario, how will backups be handled? The intense "need" for encryption makes for a more complicated backup situation as the backups must be kept very secure, but also be very accessible.
-
@DustinB3403 said in Local Encryption Scenarios:
I would ask why not virtualize this CPA software running PC and have staff rdp into it. That way nothing would be stored on it. And the data in the VM and hypervisor could be backed up and encrypted.
The way that nearly all CPA software works already. That's the official remote access method for QuickBooks already. And works for essentially everything. Maybe literally everything. Plus web remote for a few, like Xero and QB Online. And most offer other remote options as well.
-
And once the workload is virtual, you could still use something like Bitlocker (assuming windows) or VeraCrypt (assuming anything) to encrypt the VHD pre-boot.
At boot time, the admin or user enters the password to decrypt the disk and the system starts. They use the software like on their own system but over RDP.
-
@scottalanmiller said in Local Encryption Scenarios:
@BRRABill said in Local Encryption Scenarios:
They must use a local PC, because that is the only way their CPA software will run.
There is no such software, this is a false situation. This is a hypothetical that will never apply in the real world. So sure, we might get a contrived answer in this scenario, but it won't be useful.
How is this a false situation?
-
@dbeato said in Local Encryption Scenarios:
@scottalanmiller said in Local Encryption Scenarios:
@BRRABill said in Local Encryption Scenarios:
They must use a local PC, because that is the only way their CPA software will run.
There is no such software, this is a false situation. This is a hypothetical that will never apply in the real world. So sure, we might get a contrived answer in this scenario, but it won't be useful.
How is this a false situation?
There is no such software. You can't actually make software that has to run on a laptop to work (you COULD make a license like that, but no one has.)
It's false, because this situation can't exist in the real world today. Anyone making it happen would be doing so purely for the purpose of making an example like this come true. It has no technical or market value.
-
@scottalanmiller said in Local Encryption Scenarios:
@dbeato said in Local Encryption Scenarios:
@scottalanmiller said in Local Encryption Scenarios:
@BRRABill said in Local Encryption Scenarios:
They must use a local PC, because that is the only way their CPA software will run.
There is no such software, this is a false situation. This is a hypothetical that will never apply in the real world. So sure, we might get a contrived answer in this scenario, but it won't be useful.
How is this a false situation?
There is no such software. You can't actually make software that has to run on a laptop to work (you COULD make a license like that, but no one has.)
It's false, because this situation can't exist in the real world today. Anyone making it happen would be doing so purely for the purpose of making an example like this come true. It has no technical or market value.
I understand, as a software based yes it is not dictated by which computer it is installed unless is a software with a USB Dongle or something like that.
-
@dbeato said in Local Encryption Scenarios:
@scottalanmiller said in Local Encryption Scenarios:
@dbeato said in Local Encryption Scenarios:
@scottalanmiller said in Local Encryption Scenarios:
@BRRABill said in Local Encryption Scenarios:
They must use a local PC, because that is the only way their CPA software will run.
There is no such software, this is a false situation. This is a hypothetical that will never apply in the real world. So sure, we might get a contrived answer in this scenario, but it won't be useful.
How is this a false situation?
There is no such software. You can't actually make software that has to run on a laptop to work (you COULD make a license like that, but no one has.)
It's false, because this situation can't exist in the real world today. Anyone making it happen would be doing so purely for the purpose of making an example like this come true. It has no technical or market value.
I understand, as a software based yes it is not dictated by which computer it is installed unless is a software with a USB Dongle or something like that.
Even that, rarely would a dongle cause an issue either. You can still access the machine that has the dongle in it remotely.
-
@scottalanmiller said in Local Encryption Scenarios:
In the contrived scenario, how will backups be handled? The intense "need" for encryption makes for a more complicated backup situation as the backups must be kept very secure, but also be very accessible.
Encrypted drives doesn't make a complicated backups, you just encrypt the backups as well. It is seamless for the operating system as it is already boot into it and then it is backed up.
-
@scottalanmiller said in Local Encryption Scenarios:
@dbeato said in Local Encryption Scenarios:
@scottalanmiller said in Local Encryption Scenarios:
@dbeato said in Local Encryption Scenarios:
@scottalanmiller said in Local Encryption Scenarios:
@BRRABill said in Local Encryption Scenarios:
They must use a local PC, because that is the only way their CPA software will run.
There is no such software, this is a false situation. This is a hypothetical that will never apply in the real world. So sure, we might get a contrived answer in this scenario, but it won't be useful.
How is this a false situation?
There is no such software. You can't actually make software that has to run on a laptop to work (you COULD make a license like that, but no one has.)
It's false, because this situation can't exist in the real world today. Anyone making it happen would be doing so purely for the purpose of making an example like this come true. It has no technical or market value.
I understand, as a software based yes it is not dictated by which computer it is installed unless is a software with a USB Dongle or something like that.
Even that, rarely would a dongle cause an issue either. You can still access the machine that has the dongle in it remotely.
Yeah, but not everyone wants to pay for it (Be it extra device, server, cloud service and so forth). I think that is the biggest issue when dealing with things like these.
-
@dbeato said in Local Encryption Scenarios:
@scottalanmiller said in Local Encryption Scenarios:
In the contrived scenario, how will backups be handled? The intense "need" for encryption makes for a more complicated backup situation as the backups must be kept very secure, but also be very accessible.
Encrypted drives doesn't make a complicated backups, you just encrypt the backups as well. It is seamless for the operating system as it is already boot into it and then it is backed up.
No, but a situation that makes you need to encrypt local drives does.
-
@dbeato said in Local Encryption Scenarios:
@scottalanmiller said in Local Encryption Scenarios:
@dbeato said in Local Encryption Scenarios:
@scottalanmiller said in Local Encryption Scenarios:
@dbeato said in Local Encryption Scenarios:
@scottalanmiller said in Local Encryption Scenarios:
@BRRABill said in Local Encryption Scenarios:
They must use a local PC, because that is the only way their CPA software will run.
There is no such software, this is a false situation. This is a hypothetical that will never apply in the real world. So sure, we might get a contrived answer in this scenario, but it won't be useful.
How is this a false situation?
There is no such software. You can't actually make software that has to run on a laptop to work (you COULD make a license like that, but no one has.)
It's false, because this situation can't exist in the real world today. Anyone making it happen would be doing so purely for the purpose of making an example like this come true. It has no technical or market value.
I understand, as a software based yes it is not dictated by which computer it is installed unless is a software with a USB Dongle or something like that.
Even that, rarely would a dongle cause an issue either. You can still access the machine that has the dongle in it remotely.
Yeah, but not everyone wants to pay for it (Be it extra device, server, cloud service and so forth). I think that is the biggest issue when dealing with things like these.
Paying to do security properly is part of being a CPA. If encryption is an excuse to not do things securely, that's a huge reason to not recommend it. It's a crutch and makes people think that actual security isn't needed.
-
@scottalanmiller said in Local Encryption Scenarios:
@dbeato said in Local Encryption Scenarios:
@scottalanmiller said in Local Encryption Scenarios:
In the contrived scenario, how will backups be handled? The intense "need" for encryption makes for a more complicated backup situation as the backups must be kept very secure, but also be very accessible.
Encrypted drives doesn't make a complicated backups, you just encrypt the backups as well. It is seamless for the operating system as it is already boot into it and then it is backed up.
No, but a situation that makes you need to encrypt local drives does.
Mmm, is that how that works for any of your HIPAA or Financial Sector customers?
-
@scottalanmiller said in Local Encryption Scenarios:
@dbeato said in Local Encryption Scenarios:
@scottalanmiller said in Local Encryption Scenarios:
@dbeato said in Local Encryption Scenarios:
@scottalanmiller said in Local Encryption Scenarios:
@dbeato said in Local Encryption Scenarios:
@scottalanmiller said in Local Encryption Scenarios:
@BRRABill said in Local Encryption Scenarios:
They must use a local PC, because that is the only way their CPA software will run.
There is no such software, this is a false situation. This is a hypothetical that will never apply in the real world. So sure, we might get a contrived answer in this scenario, but it won't be useful.
How is this a false situation?
There is no such software. You can't actually make software that has to run on a laptop to work (you COULD make a license like that, but no one has.)
It's false, because this situation can't exist in the real world today. Anyone making it happen would be doing so purely for the purpose of making an example like this come true. It has no technical or market value.
I understand, as a software based yes it is not dictated by which computer it is installed unless is a software with a USB Dongle or something like that.
Even that, rarely would a dongle cause an issue either. You can still access the machine that has the dongle in it remotely.
Yeah, but not everyone wants to pay for it (Be it extra device, server, cloud service and so forth). I think that is the biggest issue when dealing with things like these.
Paying to do security properly is part of being a CPA. If encryption is an excuse to not do things securely, that's a huge reason to not recommend it. It's a crutch and makes people think that actual security isn't needed.
Encryption is only physical security for sure.
-
@dbeato said in Local Encryption Scenarios:
@scottalanmiller said in Local Encryption Scenarios:
@dbeato said in Local Encryption Scenarios:
@scottalanmiller said in Local Encryption Scenarios:
In the contrived scenario, how will backups be handled? The intense "need" for encryption makes for a more complicated backup situation as the backups must be kept very secure, but also be very accessible.
Encrypted drives doesn't make a complicated backups, you just encrypt the backups as well. It is seamless for the operating system as it is already boot into it and then it is backed up.
No, but a situation that makes you need to encrypt local drives does.
Mmm, is that how that works for any of your HIPAA or Financial Sector customers?
Correct. None of them have these kinds of issues because they do security well, rather than pretending to do security by using local encryption. There is a reason why the most secure environments don't need local encryption, CPAs certainly should not need it.
-
@dbeato said in Local Encryption Scenarios:
@scottalanmiller said in Local Encryption Scenarios:
@dbeato said in Local Encryption Scenarios:
@scottalanmiller said in Local Encryption Scenarios:
@dbeato said in Local Encryption Scenarios:
@scottalanmiller said in Local Encryption Scenarios:
@dbeato said in Local Encryption Scenarios:
@scottalanmiller said in Local Encryption Scenarios:
@BRRABill said in Local Encryption Scenarios:
They must use a local PC, because that is the only way their CPA software will run.
There is no such software, this is a false situation. This is a hypothetical that will never apply in the real world. So sure, we might get a contrived answer in this scenario, but it won't be useful.
How is this a false situation?
There is no such software. You can't actually make software that has to run on a laptop to work (you COULD make a license like that, but no one has.)
It's false, because this situation can't exist in the real world today. Anyone making it happen would be doing so purely for the purpose of making an example like this come true. It has no technical or market value.
I understand, as a software based yes it is not dictated by which computer it is installed unless is a software with a USB Dongle or something like that.
Even that, rarely would a dongle cause an issue either. You can still access the machine that has the dongle in it remotely.
Yeah, but not everyone wants to pay for it (Be it extra device, server, cloud service and so forth). I think that is the biggest issue when dealing with things like these.
Paying to do security properly is part of being a CPA. If encryption is an excuse to not do things securely, that's a huge reason to not recommend it. It's a crutch and makes people think that actual security isn't needed.
Encryption is only physical security for sure.
And only partial physical security. Stealing an unlocked laptop is probably more likely than stealing a locked one. If it is less likely, it is not a lot less likely.
-
@scottalanmiller said in Local Encryption Scenarios:
@dbeato said in Local Encryption Scenarios:
@scottalanmiller said in Local Encryption Scenarios:
@dbeato said in Local Encryption Scenarios:
@scottalanmiller said in Local Encryption Scenarios:
In the contrived scenario, how will backups be handled? The intense "need" for encryption makes for a more complicated backup situation as the backups must be kept very secure, but also be very accessible.
Encrypted drives doesn't make a complicated backups, you just encrypt the backups as well. It is seamless for the operating system as it is already boot into it and then it is backed up.
No, but a situation that makes you need to encrypt local drives does.
Mmm, is that how that works for any of your HIPAA or Financial Sector customers?
Correct. None of them have these kinds of issues because they do security well, rather than pretending to do security by using local encryption. There is a reason why the most secure environments don't need local encryption, CPAs certainly should not need it.
Okay, I mean so you are saying BoFA for example does not need to require Local Encryption even though they do?
