The growing market of eBook readers has started to get my wallet itching. However being from “the land Down Under”, I am limited as to what I can buy directly. Or more importantly, what I can walk into a store and play with first before coughing up all the money and buying it online.
Even so, from a Enterprise perspective, which is what most of my e-reading would be for, I believe the most appropriate viewing format would be the full size A4 or 8″x11″ screen. As I would be viewing work related documents, I believe this size format would be better for reading PDF’s, Word documents etc etc. Along those lines, I like the look of the I-Rex models, but the price does hurt.
Wearing my corporate hat, one thing that does worry me if I were to allow the use of eBook readers by others in the Enterprise, is how the company information stored on the readers is protected. The readers suffer the same data leakage risks as other mobile storage media (which includes laptop hard drives and USB sticks). Therefore, some level of encryption is needed. The question is, what is the most appropriate type of encryption . Especially as encryption is a CPU intensive operation, I am sure the eBook vendors are scared off at the potential impact of the battery life drain when encryption is thrown in the mix.
Maybe in this case, where one of the main goals and benefits of eBook readers is to have extremely long battery life, is to look at file level encryption support. This way only those files that need to be protected are, while the rest (i.e. magazines, whitepapers, novels, manuals, technical books) are left unprotected.
And now we come to a common problem for the vendors and the Enterprise. How do we make the encryption process convenient enough that end users will make use of it. To that end, I think any such encryption should be designed to protect the majority of Enterprise information in an acceptable fashion, and leave the more sensitive information to utilise other solutions (i.e. full disk encryption on a laptop). When we talk about the majority of Enterprise information we are talking about classifications such as X-In-Confidence , where X can be Commercial, Security, HR, Legal or any other Enterprise body. To define it more clearly, I will make use of the definition from SRMBok (Security Risk Management Body of Knowledge) which is:
“Private, security or commercial information prepared with an expectation it may be shared with external parties with a legitimate need to know, subject to relevant restrictions.
If the information were released to the media or competitors organisation XYZ could expect: minimal damage to corporate interests, including reputation; minor potential for financial loss; minor embarrassment to the company or its business partners and minor detriment to employees or customers.”
A solution that may protect against material that falls into this category, while maintaining ease of use, would be to introduce the fingerprint technology that you see a numerous laptops these days to authorized the decryption processes. If the fingerprint technology were combined with well designed eBook synchronization software, the protection process may become easy enough that people wont avoid the “hassle” of having to encrypt sensitive information.
To protect sensitive information, the synchronization software needs to have a very simple way to encrypt data that is to be transferred. This may simply mean having a special “Protected” container for users to copy Enterprise information into. Given that encryption/decryption functions are CPU intensive, we don’t want to encrypt all files if there is no need. This should minimize the impact on battery usage/CPU to only when “Protected” files are decrypted and displayed.
A fingerprint scanner would be used to protect a random password key that is generation during the eBook reader initiation. Then “Protected” files can be encrypted as they are passed from the synchronization software to the eBook reader. If this method is followed, then the random key never needs to leave eBook reader. This suggests that a tamper resistant/TPM like chip might be important to protect the key from general access if the reader is lost. As long as the person using the eBook reader has their fingerprint authorized, they will be able to display the protected Enterprise material.
Another option for encryption is for the eBook reader to pass the key securely to the synchronization software. This would allow the PC to encrypt the files on its faster CPU first before passing them to the eBook reader. However, once the key is removed from the eBook reader, it opens another source where the key may be found by an attacker to be able to view the eBook readers contents. But lets be realistic, if someone is able to pull the encryption key from the computers eBook synchronization software, then they its very likely that the attacker already has access to all the information stored on the eBook reader anyway.
Of note, Hoff also recently wrote about the same need for a password on the Amazon Kindle2 for Enterprise use.