Fabiana Gower considered some unconventional methods to prevent data losses when portable storage devices began appearing in her company's IT environment about three years ago. "I stopped just short of Super Glue," said Gower, vice president of information systems at Martin, Fletcher, an Irving, Texas-based medical staffing firm.
"I wasn't able to find a way to lock USB ports so that they are inaccessible to employees short of going to a thin-client environment, which would have meant [an investment of] hundreds of thousands of dollars," she added.
Increasing numbers of IT and security managers are facing similar pressures to control access to corporate information stored on portable storage devices that are used both with and without the blessing of IT managers, according to experts.
Just this summer, the U.S. Department of Veterans Affairs issued a directive requiring that its employees, contractors and business partners use encryption or other means to protect data stored on all drives, including portable devices.
The edict follows the VA's loss of two drives over the past 15 months in incidents that exposed personal information of tens of millions of veterans and others.
In a statement, Bob Howard, CIO and assistant secretary for information and technology at the agency, said that the VA is also in the process of acquiring encrypted thumb drives and applying encryption to other devices and storage media. The process will be completed by the end of 2007, he said.
Martin, Fletcher eventually deployed PatchLink Corp.'s Sanctuary Device Control software on the 150 PCs on the company's network to curb data breaches via portable storage devices, Gower said.
The software from PatchLink enables IT personnel to issue and manage permissions based on employee rank. It can also be used to compile detailed audit reports and to encrypt content as it travels from corporate networks to portable devices, she said.
"For IT administrators, our job is not just setting up a computer for an employee to do their job. Our job is to safeguard the information of a company and make it accessible to those who need it and unavailable to those who don't," Gower said.
Businesses will struggle to keep their networks secure as long as they lack IT control over tiny storage devices connected to their systems, said Larry Ponemon, chairman of Traverse City, Mich.-based Ponemon Institute LLC.
"Attackers today aren't just college-aged kids sitting in their room at night trying to get into government systems. A lot of these guys are very sophisticated cybercriminals looking to take advantage of companies that don't have the best control over their network and devices," said Ponemon.
According to a Ponemon Institute security study, 59% of 1,035 IT security, data protection and privacy practitioners surveyed through June said their organizations currently lack the ability to detect lost or stolen USB memory sticks containing unprotected confidential information.
Ponemon recommended that IT managers step up their database scanning methods, do a better job of managing identity data and apply encryption techniques even if such moves harm system performance.
Jason Pufahl, information security team lead for IT services at the University of Connecticut in Storrs, is evaluating several portable media encryption products, including the open-source TrueCrypt tool from the TrueCrypt Foundation.
Pufahl noted that many students are either ambivalent about or unaware of the high risk of data loss whenever they share ministorage devices.
"A lot of people don't even know what they're doing is inappropriate," said Pufahl. "A basic USB memory stick has up to 8GB - that's a tonne of space, and you can put them anywhere. They're really dangerous."
Jeff Moss, organiser of the DefCon hacking convention, suggested that IT managers approach TrueCrypt with caution because it runs only on Microsoft Windows-based machines.
Moss said the lack of an industry standard for encrypting data on portable drives is hampering efforts to boost the security of such devices.
"Something definitely needs to be done because these devices definitely get lost or stolen or [are] given to friends," said Moss.
Joe Gabanksi, network administrator for the city of Lake Forest, Ill., said municipal IT personnel first noticed a problem with portable devices after distributing removable storage devices to employees about two years ago.
Officials hoped to help employees more easily transport data, but found after a scan of the IT environment that a host of unauthorized devices were also linked to the network. At that point, Gabanksi said, the city's IT managers realised that the unofficial policy of connectivity-at-will needed to be tightened.
"We found considerably more activity on the network than we had ever anticipated," he said. "We had the iPod, digital music players [and] universal flash drives. We were shocked to see how much end users had already used them."
Gabanksi said the discovery spurred concerns over how to monitor and manage data coming in and out of his environment. Thus, the city moved to require that users register any devices they wish to connect to the corporate network.
Over the past year or so, the city also installed PatchLink's Device Control and Device Scanner tools to centrally manage and encrypt those devices.
"The thing that really moved us was to see that the companies and the agencies that did lose data [through portable storage devices] made the news. We didn't want to be a part of that," Gabanksi said.