IT managers see portable storage device security risk

Computerworld - Lenny Goodman, an IS director at Baptist Memorial Health Care Corp. in Memphis, said his company recently found itself dealing with a proliferation of user-owned plug-and-play USB port drives that posed a security risk to sensitive patient data.

“The new paradigm is that it was hard to copy much data to a floppy disk, and we did not allow CD writers. Suddenly, though, comes the USB flash drive with enormous capacity, zero installation, etc. Very handy, very risky—risky both as a way for data to leave, and a way for malware to arrive,” Goodman said. “We had to do something.”

The result: Baptist Memorial created strict policies around the use of flash memory sticks, iPods and other portable storage devices by standardizing on USB memory sticks that have native encryption and password protection. “HIPAA mandates that all health care organizations develop a methodology to account for all removable media,” Goodman said.

But with more than 42 million of Apple Computer Inc.’s iPods sold so far in the U.S. alone, the threat of data theft or loss from downloading information on a USB-port device is growing exponentially, according to analysts.

“An iPod is just storage at the end of a wire,” said John Webster, a senior analyst and founder of Data Mobility Group in Nashua, N.H. “You already see people running around with iPods, using them as backup devices. USB storage devices are a potential source of data leakage.”

In reaction to IT managers’ concerns about data loss threats, IT vendors are offering security for flash memory devices.

Kingston's USB flash drive

Kingston Technology Company Inc. this week introduced a USB flash drive that secures data using password protection and 128-bit hardware-based AES encryption.

Offering up to 4GB of secure storage, Kingston’s DTE Privacy Edition device is designed to meet enterprise-level security and compliance requirements. The drive has a mechanism that locks out potential users after 25 consecutive failed password attempts.

Last month, SanDisk Corp. in Sunnyvale, Calif., announced that it will bolster security in its line of USB flash drives and mobile cards using TrustedFlash technology. TrustedFlash combines SanDisk’s 32-bit controller architecture with an embedded cryptographic engine to provide real-time encryption.

Eric Ouellet, vice president of research for security at Gartner Inc. in Stamford, Conn., said that only about 10% of enterprises have any policies dealing with removable storage devices.

“It’s actually a fairly big problem,” Ouellet said. “You’ve got so much space on these things now. You can go for an iPod or MP3 player and you’ve got 60GB or more on them. You can put a small database on them. It’s just a matter of time before we hear about someone losing data because of this.”