Portable data storage may be convenient, but pen-sized
high-capacity devices are becoming the latest threat
Removable media devices have become a fantastic new addition to
the growing assortment of gadgetry that adds convenience and fun to
the way we work. And they are cheap. If you go to one of the big
computer shows you will be offered a free memory stick as a stand
give-away.
But at what price to your organisation? As removable media grows
in popularity, more people are using them in the workplace to store
corporate information. Documents, databases, graphics, music, even
films are stored on these neat little devices.
Yet the security implications are considerable and need to be
seriously assessed, especially with storage capacities on devices
such as iPods set to exceed 80Gbytes by the end of the year.
What will happen, for example, if you lose your key ring with
your USB card containing all your downloaded (and unprotected)
corporate documents?
Think about how easy it would be to remove most of your
corporate data. Preventing people bringing these devices and media
into the office is extremely difficult. Short of instituting an
invasive search policy, keeping devices out of your buildings is
virtually impossible.
The solution appears to be that management must implement two
initiatives. The first is to prevent your staff from circumventing
physical security measures, and that means deciding on what you can
and cannot enforce.
Organisations need to ensure that all members of staff are aware
that their employment contract does not allow the connection of
non-company devices to their computers or other peripherals. In
other words, consent rather than compulsion is the most effective
motivating factor in the longer term.
The second initiative is to ensure you can monitor what has
happened, which means that administrators need to install products
that log when, where and what data users download.
If you need to allow data to be transferred using removable
media, you should consider how to secure it. There are several
suppliers offering encryption products in the market. All of them
have different advantages, but whatever you choose should have a
minimum set of features:
- The ability to allow data to be locked after a given number of
failed password attempts
- The ability to send encrypted data and a key to decrypt it to
the receiving computer
- Password administration that allows for the recovery of lost
passwords
- The ability to work on a wide range of devices and removable
media
- Ease of implementation, use and management.
The latter feature is too often overlooked when deploying
security products, leading to the belief that "security means
complexity". It does not.
To ensure people use a product, it must be simple, effective and
deal with all situations. That is part of the "consent" process:
if it is difficult or time-consuming, people will seek to not use
it.
Ideally everything that is downloaded from a computer onto any
removable media should be encrypted. Files need to be
self-contained as an executable where the level of encryption is
still high enough to thwart all but the most extensive brute-force
attack. There are products that fall into this category and they
are worth finding and deploying to minimise the risks.
Remember, it is not just a question of compliance with
legislation and possible financial penalties arising from any
breach of regulations, it is much more serious. Not only do you
risk losing the trust of your clients if they find out you did not
prevent the data from being copied, but there is also the
possibility the thief may delete your original data. And then what
would you do?
Magnus Ahlberg is managing director of Pointsec
Pointsec can be found at InfoSecurity at stand number 501
www.pointsec.com
Risks to data
- With the general trend of moving from manufacturing to service
industries, an organisation's primary need is increasingly not to
'protect' a secret manufacturing process or production unit, but
rather the data it holds and uses to provide services to its
clients or customers.
- The average word processing file is three pages in length and
between 25KB and 30KB in size. That means that a 20Gbyte MP3 player
could hold more than 750,000 documents.
- With the continuing move towards digital rights management
systems, it is no longer just data that is vulnerable to being
copied, but entire record systems, including technical
drawings.
- Most corporate networks do not audit what data users copy to a
local machine or attached device. Few even realise it is possible,
let alone desirable to do so.
- To achieve compliance with UK data protection legislation, you
must demonstrate you have identified individual risks and taken
'reasonable' action (including developing a security policy) to
prevent unauthorised copying of personal data.
- Ninety-nine per cent of users who transfer data via mobile
devices use no encryption (and the figure is not much better for
data held on the main system).