MARCH 15, 2007 | IRVINE, Calif. -- Data Protection Summit --
Removable storage devices are turning firms' employees into data
security time bombs, forcing many CIOs to rethink their security
strategies, according to concerned IT managers here today.
USB drives, in particular, are a major source of anxiety. "The
ordinary person is like a mini-data center -- he is walking around
with a lot of data in his pocket," warned Kumar Mallavalli, chief
strategy officer of InMage and co-founder of Brocade, during a
keynote this morning. "The most critical issues that we face today
[involve] endpoint security [for] laptops, PDAs, and removable
media."
A spate of high-profile storage snafus involving removable media has
clearly added to users' paranoia about lost data and negative
publicity. (See VA Reports Massive Data Theft, Los Alamos Fallout
Continues, NASA Goes to the Dark Side, and Houston, We've Got a
Storage Problem.)
Another of today's keynoters, Kevin Collins, production systems
analyst at Sony Computer Entertainment, agreed that USB drives are a
security nightmare. "It's a pain," he said. "We have a lot of content
[and] we donīt want pre-releases of games coming out on the Web."
To avoid this happening, Sony has set up strict policies for how its
data is handled. "We don't allow employees to bring in personal
drives unless they speak to the IT department," said Collins. Sony
has also implemented a rule whereby USB drives are not allowed out of
its building, which is enforced by security staff.
Employees, as well as having to sign non-disclosure agreements when
they join the company, are also closely monitored for data breaches.
Collins explained that the firm uses the LDAP directory protocol to
set up strict access control lists for who can access particular
data. "We lock users to the project and the area [that they are
working in]," he said. "If I see some concept art on the Web and I
know that it shouldn't be there, I am going to know that one of only
a handful of artists had access to the data."
Not everyone is taking this issue as seriously as Sony. Last year,
for example, nearly half of the respondents to a survey by Byte &
Switch's sister publication, Dark Reading, revealed they have no
clearly stated policy for the use of portable storage devices.
Another big challenge for users is the fact that relatively few USB
drive vendors have added encryption to their products, according to
analyst Tom Coughlin of Coughlin Associates, who organized this
week's event. "Almost all USB drives are not encrypted at this
point," he said, although some vendors, such as Kingston
Technologies, SanDisk, and Lexar have added encryption to their
products. (See Kingston Intros Drives,SanDisk Buys msystems, and
Lexar Locks Down USB Storage.)
Other vendors are also focusing their attention on removable data
security. Startup Olixir, for example, recently unveiled an
encryption solution for removable drives, and Check Point spent $586
million on mobile security specialist PointSec. (See Olixir Gets
Tough on Tape, Olixir Launches Solution, and Check Point Spends on
Protection.)
It is not just USB drives that are causing sleepless nights for IT
managers. Eric Colliflower, technical services manager at Johns
Hopkins University, told Byte and Switch that laptops are high
priority for his organization. (See Laptop Venn & Zen, Laptop
Encryption the Service Way, and Portable Problems Prompt IT
Spending.) "All new laptops that are purchased through the central IT
department will have encryption built in," he says, adding that the
University also has software-based encryption available for older
machines.
Johns Hopkins, which encompasses a number of medical and research
facilities, also has strict rules for what can be put onto laptops.
"Patient information should really not be stored on laptops at all,
according to IT policies, that should be stored on a central file
share," said Colliflower.
