Risk

3/15/2007
05:00 AM

Users Go for Data Lockdown

IT managers open up on the security challenges of USB drives and laptops

IRVINE, Calif. -- Data Protection Summit -- Removable storage devices are turning firms' employees into data security time bombs, forcing many CIOs to rethink their security strategies, according to concerned IT managers here today.

USB drives, in particular, are a major source of anxiety. "The ordinary person is like a mini-data center -- he is walking around with a lot of data in his pocket," warned Kumar Mallavalli, chief strategy officer of InMage and co-founder of Brocade, during a keynote this morning. "The most critical issues that we face today [involve] endpoint security [for] laptops, PDAs, and removable media."

A spate of high-profile storage snafus involving removable media has clearly added to users' paranoia about lost data and negative publicity. (See VA Reports Massive Data Theft, Los Alamos Fallout Continues, NASA Goes to the Dark Side, and Houston, We've Got a Storage Problem.)

Another of today's keynoters, Kevin Collins, production systems analyst at Sony Computer Entertainment, agreed that USB drives are a security nightmare. "It's a pain," he said. "We have a lot of content [and] we don’t want pre-releases of games coming out on the Web."

To prevent this, Sony has set up strict policies for how its data is handled. "We don't allow employees to bring in personal drives unless they speak to the IT department," said Collins. Sony has also implemented a rule whereby USB drives are not allowed out of its building, which is enforced by security staff.

Employees must sign non-disclosure agreements when they join the company and are also closely monitored for data breaches. Collins explained that the firm uses the LDAP directory protocol to set up strict access control lists for who can access particular data. "We lock users to the project and the area [that they are working in]," he said. "If I see some concept art on the Web and I know that it shouldn't be there, I am going to know that one of only a handful of artists had access to the data."

Not everyone is taking this issue as seriously as Sony. Last year, for example, nearly half of the respondents to a survey by Byte & Switch's sister publication, Dark Reading, revealed they have no clearly stated policy for the use of portable storage devices.

Another big challenge for users is the fact that relatively few USB drive vendors have added encryption to their products, according to analyst Tom Coughlin of Coughlin Associates, who organized this week's event. "Almost all USB drives are not encrypted at this point," he said, although some vendors, such as Kingston Technologies, SanDisk, and Lexar, have added encryption to their products. (See Kingston Intros Drives, SanDisk Buys msystems, and Lexar Locks Down USB Storage.)

Other vendors are also focusing their attention on removable data security. Startup Olixir, for example, recently unveiled an encryption solution for removable drives, and Check Point spent $586 million on mobile security specialist PointSec. (See Olixir Gets Tough on Tape, Olixir Launches Solution, and Check Point Spends on Protection.)

It is not just USB drives that are causing sleepless nights for IT managers. Eric Colliflower, technical services manager at Johns Hopkins University, told Byte and Switch that laptops are a high priority for his organization. (See Laptop Venn & Zen, Laptop Encryption the Service Way, and Portable Problems Prompt IT Spending.) "All new laptops that are purchased through the central IT department will have encryption built in," he says, adding that the University also has software-based encryption available for older machines.

Johns Hopkins, which encompasses a number of medical and research facilities, also has strict rules for what can be put onto laptops. "Patient information should really not be stored on laptops at all, according to IT policies, that should be stored on a central file share," said Colliflower.

— James Rogers, Senior Editor, Byte and Switch

  • Brocade Communications Systems Inc. (Nasdaq: BRCD)
  • Check Point Software Technologies Ltd. (Nasdaq: CHKP)
  • Coughlin Associates
  • InMage Systems Inc.
  • Kingston Technology Co. Inc.
  • Lexar Media Inc.
  • Olixir Technologies
  • Pointsec Mobile Technologies
  • SanDisk Corp. (Nasdaq: SNDK)
