Users Go for Data Lockdown

IRVINE, Calif. -- Data Protection Summit -- Removable storage devices are turning firms' employees into data security time bombs, forcing many CIOs to rethink their security strategies, according to concerned IT managers here today.

USB drives, in particular, are a major source of anxiety. "The ordinary person is like a mini-data center -- he is walking around with a lot of data in his pocket," warned Kumar Mallavalli, chief strategy officer of InMage and co-founder of Brocade, during a keynote this morning. "The most critical issues that we face today [involve] endpoint security [for] laptops, PDAs, and removable media."

A spate of high-profile storage snafus involving removable media has clearly added to users' paranoia about lost data and negative publicity. (See VA Reports Massive Data Theft, Los Alamos Fallout Continues, NASA Goes to the Dark Side, and Houston, We've Got a Storage Problem.)

Another of today's keynoters, Kevin Collins, production systems analyst at Sony Computer Entertainment, agreed that USB drives are a security nightmare. "It's a pain," he said. "We have a lot of content [and] we don’t want pre-releases of games coming out on the Web."

To avoid this happening, Sony has set up strict policies for how its data is handled. "We don't allow employees to bring in personal drives unless they speak to the IT department," said Collins. Sony has also implemented a rule whereby USB drives are not allowed out of its building, which is enforced by security staff.

Employees, as well as having to sign non-disclosure agreements when they join the company, are also closely monitored for data breaches. Collins explained that the firm uses the LDAP directory protocol to set up strict access control lists for who can access particular data. "We lock users to the project and the area [that they are working in]," he said. "If I see some concept art on the Web and I know that it shouldn't be there, I am going to know that one of only a handful of artists had access to the data."

Not everyone is taking this issue as seriously as Sony. Last year, for example, nearly half of the respondents to a survey by Byte & Switch's sister publication, Dark Reading, revealed they have no clearly stated policy for the use of portable storage devices.

Another big challenge for users is the fact that relatively few USB drive vendors have added encryption to their products, according to analyst Tom Coughlin of Coughlin Associates, who organized this week's event. "Almost all USB drives are not encrypted at this point," he said, although some vendors, such as Kingston Technologies, SanDisk, and Lexar have added encryption to their products. (See Kingston Intros Drives,SanDisk Buys msystems, and Lexar Locks Down USB Storage.)

Other vendors are also focusing their attention on removable data security. Startup Olixir, for example, recently unveiled an encryption solution for removable drives, and Check Point spent $586 million on mobile security specialist PointSec. (See Olixir Gets Tough on Tape, Olixir Launches Solution, and Check Point Spends on Protection.)

It is not just USB drives that are causing sleepless nights for IT managers. Eric Colliflower, technical services manager at Johns Hopkins University, told Byte and Switch that laptops are high priority for his organization. (See Laptop Venn & Zen, Laptop Encryption the Service Way, and Portable Problems Prompt IT Spending.) "All new laptops that are purchased through the central IT department will have encryption built in," he says, adding that the University also has software-based encryption available for older machines.

Johns Hopkins, which encompasses a number of medical and research facilities, also has strict rules for what can be put onto laptops. "Patient information should really not be stored on laptops at all, according to IT policies, that should be stored on a central file share," said Colliflower.

— James Rogers, Senior Editor Byte and Switch