Portable data storage may be convenient, but pen-sized high-capacity devices are becoming the latest threat
Removable media devices have become a fantastic new addition to the growing assortment of gadgetry that adds convenience and fun to the way we work. And they are cheap. If you go to one of the big computer shows you will be offered a free memory stick as a stand give-away.
But at what price to your organisation? As removable media grow in popularity, more people are using them in the workplace to store corporate information. Documents, databases, graphics, music, even films are stored on these neat little devices.
Yet the security implications are considerable and need to be seriously assessed, especially with storage capacities on devices such as iPods set to exceed 80Gbytes by the end of the year.
What will happen, for example, if you lose your key ring with your USB card containing all your downloaded – and unprotected – corporate documents?
Think about how easy it would be to remove most of your corporate data. Preventing people bringing these devices and media into the office is extremely difficult. Short of instituting an invasive search policy, keeping devices out of your buildings is virtually impossible.
The solution appears to be that management must implement two initiatives. The first is to prevent your staff from circumventing physical security measures, and that means deciding on what you can and cannot enforce.
Organisations need to ensure that all members of staff are aware that their employment contract does not allow the connection of non-company devices to their computers or other peripherals. In other words, consent rather than compulsion is the most effective motivating factor in the longer term.
The second initiative is to ensure you can monitor what has happened, which means that administrators need to install products that log when, where and what data users download.
If you need to allow data to be transferred using removable media, you should consider how to secure it. There are several suppliers offering encryption products in the market. All of them have different advantages, but whatever you choose should have a minimum set of features:
- The ability to allow data to be locked after a given number of failed password attempts
- The ability to send encrypted data and a key to decrypt it to the receiving computer
- Password administration that allows for the recovery of lost passwords
- The ability to work on a wide range of devices and removable media
- Ease of implementation, use and management.
The last feature is too often overlooked when deploying security products, leading to the belief that "security means complexity". It does not.
To ensure people use a product, it must be simple, effective and deal with all situations. That is part of the "consent" process – if it is difficult or time-consuming, people will seek to avoid using it.
Ideally everything that is downloaded from a computer onto any removable media should be encrypted. Files need to be self-contained as an executable where the level of encryption is still high enough to thwart all but the most extensive brute-force attack. There are products that fall into this category and they are worth finding and deploying to minimise the risks.
Remember, it is not just a question of compliance with legislation and possible financial penalties arising from any breach of regulations; it is much more serious. Not only do you risk losing the trust of your clients if they find out you did not prevent the data from being copied, but there is also the possibility the thief may delete your original data. And then what would you do?
Magnus Ahlberg is managing director of Pointsec
Pointsec can be found at InfoSecurity at stand number 501
Risks to data
- With the general trend of moving from manufacturing to service industries, an organisation's primary need is increasingly not to 'protect' a secret manufacturing process or production unit, but rather the data it holds and uses to provide services to its clients or customers.
- The average word processing file is three pages in length and between 25k and 30k. That means that a 20Gbyte MP3 player could hold more than 750,000 documents.
- With the continuing move towards digital rights management systems, it is no longer just data that is vulnerable to being copied, but entire record systems, including technical drawings.
- Most corporate networks do not audit what data users copy to a local machine or attached device. Few even realise it is possible, let alone desirable to do so.
- To achieve compliance with UK data protection legislation, you must demonstrate you have identified individual risks and taken 'reasonable' action (including developing a security policy) to prevent unauthorised copying of personal data.
- Ninety-nine per cent of users who transfer data via mobile devices use no encryption (and the figure is not much better for data held on the main system).