Subscribe to our e-mail newsletters
For more info on a specific newsletter, click the title. Details will be displayed in a new window.
Data Management
Storage
Computerworld Daily News (First Look and Wrap-Up)
Computerworld Blogs Newsletter
The Weekly Top 10
More E-Mail Newsletters 
Computerworld 2007Subscribe to Computerworld
40 years of the most authoritative source of news and information for IT leaders.

IT managers see portable storage device security risk

How much damage can an iPod or memory stick do? Plenty, say analysts
 

Sign up to receive Security Resource Alerts

March 17, 2006 (Computerworld) -- Lenny Goodman, an IS director at Baptist Memorial Health Care Corp. in Memphis, said his company recently found itself dealing with a proliferation of user-owned plug-and-play USB port drives that posed a security risk to sensitive patient data.

“The new paradigm is that it was hard to copy much data to a floppy disk, and we did not allow CD writers. Suddenly, though, comes the USB flash drive with enormous capacity, zero installation, etc. Very handy, very risky—risky both as a way for data to leave, and a way for malware to arrive,” Goodman said. “We had to do something.”

The result: Baptist Memorial created strict policies around the use of flash memory sticks, iPods and other portable storage devices by standardizing on USB memory sticks that have native encryption and password protection. “HIPAA mandates that all health care organizations develop a methodology to account for all removable media,” Goodman said.

But with more than 42 million of Apple Computer Inc.’s iPods sold so far in the U.S. alone, the threat of data theft or loss from downloading information on a USB-port device is growing exponentially, according to analysts.

“An iPod is just storage at the end of a wire,” said John Webster, a senior analyst and founder of Data Mobility Group in Nashua, N.H. “You already see people running around with iPods, using them as backup devices. USB storage devices are a potential source of data leakage.”

In reaction to IT managers’ concerns about data loss threats, IT vendors are offering security for flash memory devices.

Kingston's USB flash drive
Kingston's USB flash drive

Kingston Technology Company Inc. this week introduced a USB flash drive that secures data using password protection and 128-bit hardware-based AES encryption.

Offering up to 4GB of secure storage, Kingston’s DTE Privacy Edition device is designed to meet enterprise-level security and compliance requirements. The drive has a mechanism that locks out potential users after 25 consecutive failed password attempts.

Last month, SanDisk Corp. in Sunnyvale, Calif., announced that it will bolster security in its line of USB flash drives and mobile cards using TrustedFlash technology. TrustedFlash combines SanDisk’s 32-bit controller architecture with an embedded cryptographic engine to provide real-time encryption.

Eric Ouellet, vice president of research for security at Gartner Inc. in Stamford, Conn., said that only about 10% of enterprises have any policies dealing with removable storage devices.

“It’s actually a fairly big problem,” Ouellet said. “You’ve got so much space on these things now. You can go for an iPod or MP3 player and you’ve got 60GB or more on them. You can put a small database on them. It’s just a matter of time before we hear about someone losing data because of this.”

He suggests that companies consider flash drive monitoring software on PCs and laptops from companies such as Pointsec Mobile Technologies, Inc. in Stockholm and Utimaco Safeware Inc. in Foxboro, Mass., which can lock out USB drives or require that they to have encryption and password protection to work.

For a free but unsophisticated solution, Ouellet said companies can use the native lockout capabilities in the Windows platform.

Vimal Vaidya, CEO of Freemont, Calif.-based Red Cannon Security Inc., said he began beta-testing Kingston’s encrypted drive about nine months ago. His company now owns hundreds of them and resells them with its own encryption and password protection, as well as with device monitoring and reporting software.

“You can track users of USB-port devices and monitor what gets copied onto a device and what’s taken off the device. You can also set policies on how device should be used,” Vaidya said.

Kingston said it is targeting the enterprise and the B2B market with its memory stick. The company’s product road map includes bundling the USB device with software that enables IT staffers to set role-based security access to ports, meaning the device can be set to be read-only for some users. Another software offering planned by Kingston will manage the flow of data to a USB drive and create an audit trail.

Baptist Memorial, which currently uses the 1GB version of Kingston’s USB drive, is a $1 billion corporation with 20 hospitals and a network of outpatient and ambulatory surgery facilities, clinics, and other health care facilities.

Goodman said that besides the security risk, his company is trying to curb inappropriate use of corporate resources, so it also deployed a USB port monitoring and policy enforcement application from Philadelphia-based Safend Inc.

“We feel we are ahead of our industry in general in recognizing the extreme exposure of ultra-small, ultra-capacity plug-and-play USB devices,” Goodman said.

Apple officials were asked about whether they have plans to bolster security on iPod products, but declined to comment.;

Baptist Memorial Health Care Corp., in Memphis, took a four-pronged approach to securing data that could be leaked through portable devices:

1. Conduct executive and administrative awareness programs and develop an administrative policy that was enforceable.


2. Audit the IT environment and find all attached devices (USB, serial, Fire Wire, wireless and infrared).


3. Implement port control technology and turn off specific devices that did not have a legitimate business justification and approval.


4. Provide a corporate standard device for approved data transport purposes.




Print this Story Send Us Feedback E-mail this Story Digg! Digg this Story Slashdot this Story
"It's IT Blogwatch: in which Sun finally releases OpenSolaris, but with a surprising, cloud-computing twist, courtesy of Amazon EC2. Not..." Read more...
"Randall Craig stole sensetive data on more than 17,000 U.S. Marines and military employees with the explicit purpose of selling..." Read more...
Read more Storage posts or See all Blogs
Microsoft to limit capabilities of cheap laptops
FBI worried as DoD sold counterfeit networking gear
Update: Microsoft to appeal $1.3B EU fine
More top stories...
XP SP3 cripples some PCs with endless reboots
Windows Vista more secure than XP, says security company
Microsoft grows DAISY for blind computer users while Adobe wilts
Ubuntu 8.04 is a popular Linux distribution that offers some updated features along with its usual easy-to-use interface and solid support.
Forget "Format c:" or any of those silly software programs that promise to remove data from hard drives. Get physical — really physical.
Was it the receptionist, the salesman or the building manager? Here's how to find and stop the leaks.
Now you can get cell phones customized with services specific to your religion. Columnist Mike Elgan picks the three best devices.
Reviews, analyses, how-tos, visual tours, hot issues and predictions about Microsoft's new OS.
Four years from now, the IT field will be a vastly different place. Will you be ready?
All Zones
Application Performance Zone
Enterprise-Class Security Zone
Enterprise Solutions Zone
The File Data Management Zone
Grid Computing on Windows Zone
Security Management Zone
ITIL Best Practices Zone
The SAS Zone
Storage Virtualization Zone
The Data Center Management Zone

Ads by TechWords

See your link here
Critical Considerations for Data De-duplication
Critical Considerations for Data De-duplication
Register for this live webcast, airing May 22nd at 2pm ET!
Go to the webcast 
Computerworld Technology Briefing: Automation + Virtualization = Datacenter Optimization
Download this Technology Briefing now!
(Source: CA) Apart from its merits, virtualization can introduce new levels of complexity into the datacenter. The complexity can impede the freeing up of valuable human resources to work on more strategic projects. What are needed are tools and solutions to help IT optimize resources while ensuring performance, availability, and business continuity.
Download this executive briefing download
The Missing Piece of Virtualization
Get this white paper now!
(Source: Neterion) Server virtualization saves money and increases flexibility.? But it faces some real limits.? Currently, I/O-intensive applications like databases or ERP systems are often excluded from virtualization, due to bottlenecks that are introduced by extra layers of software.

I/O virtualization changes the game.? With new industry-standard technologies and 10 Gigabit Ethernet, hardware-based IOV eliminates these bottlenecks, enabling higher numbers of VMs and applications per virtualized system. To uncover new cost saving opportunities, read this new whitepaper and find the missing piece of virtualization.
Download this white paper go
White Papers
Read up on the latest ideas and technologies from companies that sell hardware, software and services.
New Fujitsu High-End Itanium Windows- and Linux-Based PRIMEQUEST Servers Offer the Utmost in High Availability
New Fujitsu High-End Itanium-Based PRIMEQUEST Servers Offer Industry-Leading System Management for Linux and Windows
Symantec State of the Data Center Report 2007
View more whitepapers