iPods And Memory Sticks: Are The Benefits Worth The Security Risks?
Few companies have taken steps to secure such devices, and some security vendors claim they can help.
Personal technology has a way of working its way into companies, often to the benefit of workers and the dread of IT staffers who deal with the fallout. USB-pluggable memory drives are one of the most-popular technologies creeping in lately, but the security risks may outweigh any benefits they provide to the workplace.
Most businesses aren't addressing the risk. More than half of companies take no steps to secure data held on devices such as iPods or USB memory sticks, according to a U.K. government-backed security survey released in April. One-third of companies tell staff not to use USB flash memory drives and sticks, but they rarely do anything to change the configuration of PCs and laptops to stop their use, according to the survey by the Department of Trade and Industry. Only 10% of the 1,000 companies interviewed for the survey encrypt the confidential data stored on these portable devices.
Security concerns about memory sticks and MP3 players have grown with their storage capacity. It's now often easier to download huge documents than to send them via E-mail, where they risk clogging the system.
The dangers of using portable storage technology were highlighted in April when the Los Angeles Times reported it bought stolen flash memory storage drives --containing classified U.S. military information and the names of allegedly corrupt Afghan officials--at bazaars in Afghanistan. The U.S. military declined to provide any information about the stolen drives or to confirm their content.
Tech vendors are only beginning to deliver tools to manage portable data. M-Systems last week introduced its mTrust Manager to help companies centrally manage removable storage drives by tying the use of a particular drive to an end user, so system-access privileges govern their use. MTrust Manager also lets IT admins perform remote password administration, create a database of what's stored on all the drives used by employees, and back up information stored on these devices. But it only works with drives from Kingston Technology and Verbatim. Other M-Systems tools allow encryption of data stored on USB-pluggable storage devices.
Can't Stop 'Em
Banning the devices is impractical for most companies. They store more data than can reasonably be attached to an E-mail and let users transport data to places where their networks don't reach, such as a PC borrowed for a conference presentation.
Other technology security providers have homed in on the need for better management and security of removable storage drives. Centennial Software in mid-April said it's giving the U.S. armed forces 25,000 free licenses of its DeviceWall endpoint security software to manage portable storage in networked environments, largely in response to the problems in Afghanistan. SecureWave has software for policy-based control of devices, and last week revealed a partnership with removable flash memory maker Lexar Media that resembles M-Systems' relationship with Kingston and Verbatim. And Safend this summer will release the latest version of its Protector software, which enforces removable storage device policy management and synchronizes with Active Directory.
Removable storage's worst-case scenario appears to have played out in Afghanistan, and tech vendors are rushing in with promises to keep it from happening elsewhere. Now companies need to acknowledge their exposure to this problem.
How Enterprises Are Attacking the IT Security EnterpriseTo learn more about what organizations are doing to tackle attacks and threats we surveyed a group of 300 IT and infosec professionals to find out what their biggest IT security challenges are and what they're doing to defend against today's threats. Download the report to see what they're saying.
Infographic: The State of DevOps in 2017Is DevOps helping organizations reduce costs and time-to-market for software releases? What's getting in the way of DevOps adoption? Find out in this InformationWeek and Interop ITX infographic on the state of DevOps in 2017.
Digital Transformation Myths & TruthsTransformation is on every IT organization's to-do list, but effectively transforming IT means a major shift in technology as well as business models and culture. In this IT Trend Report, we examine some of the misconceptions of digital transformation and look at steps you can take to succeed technically and culturally.