Portable storage devices: The curse of convenience
- 25 January, 2006 12:22
Have you been following the story about cell phone records being sold on the Internet? The Chicago Sun-Times published an interesting article on this not long ago, but this outrageous practice has been going on for quite some time.
In essence, anyone with a credit card and a cell phone's telephone number could get in touch with the Locatecell Web site (or others) and, by paying $US110, quickly receive a list of all the calls made from that phone over a one month period.
I say "could," in this case, because according to Mobile Tech News , Cingular Wireless -- one of the telcos affected by Locatecell -- has filed a lawsuit against Locatecell's parent company, Data Find Solutions, and another phone-number reseller, claiming that those phone records were stolen. Cingular has also obtained a temporary restraining order against the two companies to prevent future use and sale of the cell numbers.
It's unclear at the moment how those phone records were obtained (and I am not going to speculate when there is an ongoing court proceeding), but that story is a clear indication of how easily customer information can be disclosed.
Replace "phone records" with any other valuable customer data (bank records, engineering records, purchase records, order histories, etc.) and a similar situation becomes possible right in your own company.
"Companies have been overlooking the fact that a lot of the company data is on personal storage devices, such as USB drives," says Nimrod Reichenberg, director of marketing for corporate solutions at M-Systems. (If you aren't familiar with M-Systems, here's what you need to know: The company has been a pioneer in developing flash drive technology.)
Reichenberg adds that in the past year or so, the security officers of major companies have become more aware of the risk involved with personal storage devices, "but the storage guys are still under a rock and don't even consider the device as part of their storage strategy."
M-System's recently created Xkey division, of which Reichenberg is part, targets the corporate market and aims to address the security and asset management issues related to personal storage.
"No employee would ever think of buying a laptop and bringing it to the office to do some work," Reichenberg says. "But most people won't think twice about taking a USB drive they bought at Best Buy into the office, copying some financial information to it, and just walking out."
Reichenberg has a good point: USB drives and other similar devices' ease of use make them ideal tools for smuggling information outside the company. Even when there is no foul play, the data stored on those gizmos escapes routine company procedures, such as backups, encryption, or inventory. Moreover, there is no accountability because it's virtually impossible to tell one USB drive from another.
"We started by securing the hardware, making the Xkey Drive, a USB drive that has a unique identifier, hardware-based encryption, enforceable security, plus virus and tamper protection," continues Reichenberg, adding that the drive has been well received and adopted as a standard and only permissible device of that kind by many corporations.
Although more reliable and secure than regular USB drives, the Xkey Drive does not prevent employees from using other tools to move data out the front door. That's why, says Reichenberg, M-Systems developed a client-server software solution, called Xkey Shield. Xkey Shield gives storage admins the ability to enforce policies on the use of removable devices.
"Using Xkey Shield, you can block the use of unauthorized devices and prevent burning information to CDs, DVDs, or floppy disks," explains Reichenberg, noting that a combination of Xkey Drive and Xkey Shield can effectively protect company data while keeping track of where it's stored.
M-Systems isn't the only vendor offering products to reduce the risk of personal storage devices. I recently spoke to Vladimir Chernavsky, CEO of SmartLine, a company that in November released DeviceLock Plug-and-Play Auditor. This application allows administrators to know how many users are uploading or downloading data to personal storage devices.
Expect to see more products in this area, and in the meantime, start tackling the issue in your own company. Protecting your tape drives -- as I've suggested in previous columns -- is important, but it won't stop data theft by a potential enemy inside your company.