Portable Devices Pose Growing IT Security Threat

Computerworld - Fabiana Gower considered some unconventional methods to prevent data losses when portable storage devices began appearing in her companys IT environment about three years ago.

I stopped just short of Super Glue, said Gower, vice president of information systems at Martin, Fletcher, an Irving, Texas-based medical staffing firm.

I wasnt able to find a way to lock USB ports so that they are inaccessible to employees short of going to a thin-client environment, which would have meant [an investment of] hundreds of thousands of dollars, she added.

Increasing numbers of IT and security managers are facing similar pressures to control access to corporate information stored on portable storage devices that are used both with and without the blessing of IT managers, according to experts.

Just this summer, the U.S. Department of Veterans Affairs issued a directive requiring that its employees, contractors and business partners use encryption or other means to protect data stored on all drives, including portable devices.

The edict follows the VAs loss of two drives over the past 15 months in incidents that exposed personal information of tens of millions of veterans and others.

In a statement to Computerworld last week, Bob Howard, CIO and assistant secretary for information and technology at the agency, said that the VA is also in the process of acquiring encrypted thumb drives and applying encryption to other devices and storage media. The process will be completed by the end of 2007, he said.

Martin, Fletcher eventually deployed PatchLink Corp.s Sanctuary Device Control software on the 150 PCs on the companys network to curb data breaches via portable storage devices, Gower said.

The software from Scottsdale, Ariz.-based PatchLink enables IT personnel to issue and manage permissions based on employee rank. It can also be used to compile detailed audit reports and to encrypt content as it travels from corporate networks to portable devices, she said.

For IT administrators, our job is not just setting up a computer for an employee to do their job. Our job is to safeguard the information of a company and make it accessible to those who need it and unavailable to those who dont, Gower said.

Businesses will struggle to keep their networks secure as long as they lack IT control over tiny storage devices connected to their systems, said Larry Ponemon, chairman of Traverse City, Mich.-based Ponemon Institute LLC.

Attackers today arent just college-aged kids sitting in their room at night trying to get into government systems. A lot of these guys are very sophisticated cybercriminals looking to take advantage of companies that dont have the best control over their network and devices, said Ponemon.