[OpenAFS] Purging the client cache

Russ Allbery rra@stanford.edu
Sat, 09 Jan 2010 16:21:05 -0800

"Christopher D. Clausen" <cclausen@acm.org> writes:

> If it were me, I would NOT allow such data to go to end-user systems
> (and thus avoid having it cached there.)  I would setup a few servers
> within a secure data center and require all work to be done via remote
> access to these systems (using RDP, SSH, FreeNX, etc.)

This is not a situation where we have no such data at present and can set
the requirements for how clients access it.  The clients are already
manipulating this data on laptops with no disk encryption and using public
file shares.  The goal is to get something better than what they have now
that they'll actually use.  A requirement that they only do work remotely
with RDP will just be ignored, resulting in the current situation
continuing without improvement.

Security and usability is always a tradeoff.

> And correct me if I'm wrong here, but wouldn't you also want to wipe the
> client's system pagefile or swap area after VPN disconnect as some data
> could be cached when swapped to disk?

It all depends on what threat model that you're trying to defend against.
Right now, the goal is to get unencrypted files with obvious,
easily-accessible private information off of people's laptops.  One step
at a time.  Scraping data out of system page files requires an attacker
with actual tools and some understanding of how the operating system
works; it would be nice to defend against such people as well, but they're
considerably rarer and, in that case, you're generally looking at a
targeted attack.

Russ Allbery (rra@stanford.edu)             <http://www.eyrie.org/~eagle/>