The principle behind the screensaver lock is that you build in a fail safe into your computer should you walk off leaving it unlocked (that is what we all do anyway, right?). The normal timing is somewhere between ten and fifteen minutes, and is more often than not enforced in organisations with an active directory policy or similar. In principle therefore, whenever your screensaver activates it requires a password to unlock the screen when you return.
It is worth noting that any mobile device such as a tablet or smartphone should also have this feature enabled, although it can also activated by switching the device off if required.
In the BYOS world of course this simply needs to be something you ensure is in place on your own computer, and the timing set to something that works for you – mine is fifteen minutes, and is harmonised into the energy saving and general computer power saving timings.
There are and will remain many objections to this kind of security control, but they can be boiled down into one of three:
1 – Presentations. I have heard on many occasions that the screensaver will kick in during a presentation, and I have some sympathy with this. I haven’t had it happen to me with a Mac (although I tend not to stay on one slide without any kind of mouse click or animation!). This can have two effects of course; either tell the audience that there are additional security controls employed by this company, or that the presenter is an amateur who can’t manage their computer during an important thing like this presentation.
This is challenging to fix – you can’t disable the lock for all who do presentations as that would expose a huge number of computers. And you can’t allow people to disable the lock themselves as it is very likely a large proportion will not reenable the lock.
The solution in my opinion is to allow by policy the disabling of the screensaver for a fixed period of time, say two hours before it gets automatically reenabled. I am not sure if this can be managed through standard AD policies or not, but it would certainly address this particular opposition.
2 – Servers and accounts. In many cases where people have sandbox environments or the like under their desks there are many requests to disable the screensaver because of batch files that run in the foreground. In every case I have observed to date this is simply because of sloppy or inexperienced implementation of the batch file. When the batch files or executables are converted to run as a service they can run very happily with the screensaver enabled.
Except in very rare circumstances this is not a reason to disable the screensaver lock.
3 – Finally there is the group of people who simply don’t like being told! This is where education, awareness and some good old fashioned face to face communication comes into its own!
Nonetheless, whatever the objection, anyone with an ounce of concern for security should consider this control on any device in a BYOD environment, and perhaps more importantly on any mobile device.
I wrote a pre-emptive review on Amazon some time ago for this book based upon an advance copy I was fortunate enough to receive. Since then there has been a revision of a number of chapters, and I have therefore had a chance to read the book again, including the revisions, and decided to post another more accurate review.
(Once I work out how to update my original post on Amazon I will do so).
As one reviewer on Amazon wrote, the book is like a series of disjointed blog articles. To my mind this is both a strength and possible weakness. The weakness being just what it says; sometimes the different writing styles and approaches, as well as the chapter changes can be a little jarring as you mentally shift gears from one chapter to another.
That said, I have long realised that books like this, written for large complex subjects, are not exactly meant to be read as novels! And this is where this books strength comes out. The contributing authors (at least the ones I recognise) are well respected experts in their fields and can therefore provide best of breed advice and guidance on their relevant areas.
The ability to either dip in and out at random and learn something, or even to search for a particular topic that you need advice on is the books greatest strength. Want to know how ISO27001 can help you? Chapter/Rule 9. Is free really free in the cloud? Chapter/Rule 25. How about the effective approaches to risk management? Chapter/Rule 6.
This book is not the definitive piece on technology and security in the cloud (does that book even exist?), but it is an effective and simple approach to a large and complex subject that in many cases will stop many traditional IT and security manager in their tracks. It may not even answer all of your questions, but it will definitely ensure you know what questions to ask, and that in itself is the most important lesson.
Score: 4 out of 5