Thumb drives have been listed as the top security concern by a resent poll of 370 IT professionals. And for good reason, if your organization fails to frisk and search every person that enters and leaves your buildings for removable media, you may be exposing yourself to a large data loss in the near future.
Of course, a trade-off must be made between what is an acceptable level of intrusion into your employees' personal space and the amount of risk you are willing to assume.
Some employers would have a difficult time keeping their positions filled if they burdened their employees with complex and aggressive physical security measures. While other organizations, such as Sandia National Labs or the National Security Agency, come with certain expectations that security is going to be taken to another level.
Regardless, some measures to address this issue must be taken.
According to the market research conducted by Centennial Software (bias alert - they manufacture a solution to the problem - of course), 80% of the respondents do not "have effective measures in place to combat the unauthorized use of portable devices." The report continues by saying that 8.6% of the organizations polled have completely banned the use of portable devices. Which makes me extremely curious how they have achieved this total ban, but that was apparently not documented.
Plus, it should be noted that the responses pulled from IT managers while they were attending a technology security oriented conference so the posture of these organizations may be slightly skewed from the norm.
The most important component of this article is the fact that IT managers are becoming aware of the dangers these little devices can present.
USB devices represent so much convenience that it has been easy to ignore the perils they can provide.
It is important to look at this as a bi-directional danger. It is not just the fact that someone could suck 80 GB of data off of a hard drive, but the fact that someone could place any number of malicious programs and/or code onto a network from within the organization.
And where there is a problem, there's a buck to be made.
As a result, there are a number of manufacturers that are beating a path to help organizations protect themselves. See Utimaco, Pointsec, Guardian Edge, Centennial, SafeBoot, and SecureWave among others...
So, the software you decide upon should provide the following functionality:
- Block unwanted devices
- Encrypt data written to USB devices
- Allow data to be shared on authorized devices by authorized users
Also, remember that, unlike whole disk encryption which does not need to be intrusive into your end user's experience, device control requires policies to be created and the enforcement of those policies - which may rub some of your sensitive customers the wrong way.
See? Now doesn't that sound simple?
Michael Mongold
Recent Comments