Small storage devices are inexpensive, ubiquitous, easy to use -- and easy to lose. For business IT departments, that constitutes a potentially serious security problem. A $30 Universal Serial Bus Flash drive casually misplaced in a restaurant or airport lounge may contain sensitive data that can leave a company vulnerable to a rival, or a lawsuit. In one much-publicized case, a former employee of a major financial institution unwittingly sold on eBay a wireless handheld device containing an ex-employer's customer list.
As mobile devices and small, cheap, removable storage media proliferate, the risks of leaving PC ports unprotected have grown exponentially.
Take the iPod. Commercially available software now enables the little MPEG player to download a lot more than music files: email, calendar contacts, favorite websites and data files for example. The practice has become widespread enough to gain an official nickname: slurping.
"There's a huge potential for losing data via a PDA or a CD-ROM, which creates a potentially enormous liability," said Michael Osterman, president of Osterman Research Inc. in Black Diamond, Wash.
In a 2004 report, "How to tackle the threat from portable storage devices," Gartner Inc. advised companies to consider prohibiting or at least restricting the use of small, portable storage devices -- from USB keychain devices to iPods -- by employees and outside contractors who have direct access to corporate networks. The report also advised companies to institute a "desktop lockdown policy" that permitted only authorized devices to be plugged in.
In the last year or two, corporate IT staffs have homed in on PC data ports as one of the serious gaps in internal security that enable hackers and other unauthorized intruders to circumvent external defenses like firewalls.
Disabling all PC data ports or instigating a corporatewide ban on portable storage devices is rarely a viable solution, according to Osterman. "These devices are one of the easiest ways to move data. Most of the ways people use them are valid, like taking information home to work, copying presentations off e-mail stores. So you can't just say don't use them."
GFI Software Ltd., SmartLine Inc. and DeviceWall have introduced a more granular solution: software that enables administrators to centrally control what type of device and port can be utilized to read from, or write to, a particular PC.
For example, an end user might be given read/write privileges for a notebook or personal digital assistant (PDA) that can be equipped with security software, but not to a keychain device.
In addition, Microsoft's Windows XP Service Pack 2 provides a registry key that can be configured to make USB storage devices read-only.
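The article names the registry setting only in passing. The following script, added here and not part of the original story, audits and enforces it; it assumes the StorageDevicePolicies key and its WriteProtect DWORD value that XP SP2 and later Windows releases honour, and must be run from an elevated prompt.

```powershell
# Added example (not from the article). Assumes the well-known key
# HKLM\SYSTEM\CurrentControlSet\Control\StorageDevicePolicies, value WriteProtect:
# 1 = removable storage mounts read-only, 0 or absent = read/write.
$PolicyKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\StorageDevicePolicies'

function Get-UsbWriteProtect {
    # Returns $true when removable storage is write-protected, $false otherwise.
    $value = Get-ItemProperty -Path $PolicyKey -Name WriteProtect -ErrorAction SilentlyContinue
    if ($null -eq $value) { return $false }   # key or value missing: no protection in force
    return ($value.WriteProtect -eq 1)
}

function Set-UsbWriteProtect {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([Parameter(Mandatory)][bool]$Enabled)
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    $desired = if ($Enabled) { 1 } else { 0 }
    if ($PSCmdlet.ShouldProcess($PolicyKey, "Set WriteProtect=$desired")) {
        Set-ItemProperty -Path $PolicyKey -Name WriteProtect -Value $desired -Type DWord
    }
    # Re-read rather than trust the write: a Group Policy refresh can overwrite the value.
    return ((Get-UsbWriteProtect) -eq $Enabled)
}

# Audit, enforce read-only, then verify. Devices already mounted keep their current
# mode; the setting takes effect for devices plugged in after the change.
"Before: write-protect = $(Get-UsbWriteProtect)"
if (Set-UsbWriteProtect -Enabled $true) {
    "USB storage is now read-only"
} else {
    "Setting did not take effect; check for a conflicting policy"
}
```

Run with `Set-UsbWriteProtect -Enabled $true -WhatIf` to preview the change without writing it.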
As a government agency, Tri-County Board of Recovery and Mental Health in Troy, Ohio, needs to comply with government regulations like the Health Insurance Portability and Accountability Act (HIPAA), which require accountability when it comes to data loss. The company has only 15 employees, but it's just as vulnerable as a larger firm to HIPAA violation penalties of thousands of dollars and up to 10 years in jail, notes Jerry Hill, the company's director of IS.
Last summer, he installed GFI's Portable Storage Control to ensure that sensitive data didn't make an unauthorized exit via a floppy or a USB device. In March, he installed a beta of the latest version, EndPoint Security, which adds control of additional devices, such as CD-ROMs. "I used to have to put a CD or DVD burner out of commission; now I can pass it on with a disabled write capability," Hill enthuses. "And I can block unauthorized use of PDAs and all USB devices, including a wireless network card."
EndPoint Security allows administrators to grant either read or write privileges, or both, to a particular port, device, user or job title. For example, "A marketing person might be allowed to download animation to CD-ROMs for distribution at game shows, but not upload some crazy Internet game," says Kurt Shaver, a vice president at Cary, N.C.-based GFI. A visiting salesman might be allowed to upload presentation material from a USB Flash card onto a corporate PC, but not download anything from that PC.
Ramon, Calif.-based SmartLine's DeviceLock can grant read or read/write, but not write-only privileges. Both SmartLine and DeviceWall products allow administrators to grant users temporary access to USB devices, when their PCs are offline, by providing temporary access codes.
Both EndPoint Security and DeviceLock support Active Directory, eliminating the need to set up a separate structure for managing access rights. They also support automated, remote software installation: DeviceLock through Windows Remote Install, EndPoint Security through proprietary software. DeviceLock provides a snap-in to Microsoft Management Console as well.
Centralized administration features take the burden off SMB IT staffs. Tri-County Board's Hill can define read/write privileges on USB devices using the same Active Directory groups used to define network access rights, he said. The ease of setup and configuration is key for him: "We're a small office, but I'm a one-person IT staff."
Elisabeth Horwitt is a freelance writer in Waban, Mass.