iPods And Memory Sticks: Are The Benefits Worth The Security Risks?

It's now more practical to download large documents onto USB memory sticks than to transfer them via E-mail. Few companies have taken steps to secure such devices, and some security vendors claim they can help.

Larry Greenemeier, Contributor

May 2, 2006

Personal technology has a way of working its way into corporate settings, often to the benefit of workers and to the dread of IT staffers who must support and secure the technology, or--at the very least--monitor its use. While cell phones and PDAs have proven their value as business tools, security concerns over USB-pluggable memory drives may outweigh any benefits they provide to the workplace.

A U.K. government-backed security survey in late April indicates that more than half of companies take no steps to secure data held on devices such as iPods or USB memory sticks. The Information Security Breaches Survey, backed by the Department of Trade and Industry, reveals that 33% of firms tell staff not to use USB flash memory drives and sticks, but rarely do anything to change the configuration of PCs and laptops to stop people from using them. And only 10% of the 1,000 companies interviewed for the survey encrypt the confidential data stored on these portable devices.

While security concerns about memory sticks and MP3 players have grown, so has their memory capacity, which now far exceeds the amount that can be stored on a floppy disk. It's now more practical to download large documents onto these highly portable drives than to send them via E-mail and risk clogging the system.

The dangers of using portable storage technology were highlighted earlier this year when stolen flash memory storage drives containing classified U.S. military information and the names of allegedly corrupt Afghan officials were being sold at bazaars in Afghanistan. The LA Times reported in April that it obtained several drives at such a marketplace, and they included "documents that were potentially embarrassing to Pakistan, presentations that named suspected militants targeted for 'kill or capture' and discussions of U.S. efforts to 'remove' or 'marginalize' Afghan government officials whom the military considered 'problem makers.' " The U.S. military declined to provide any information about the type of drives stolen or to confirm their content.

Concerns over the security implications of removable storage drives aren't new, but only now are technology vendors beginning to deliver the tools necessary to stop this type of data theft. M-Systems Monday introduced its mTrust Manager to help companies centrally manage the proliferation of removable storage drives by tying the use of a particular drive to an end user. IT administrators establish and enforce policies for the use of these drives based upon the user's system privileges.

MTrust Manager also lets admins perform remote password administration, create a database of what's stored on all the drives being used by employees, back up information stored on these devices, and block usage of a device if the user's privileges have been revoked or if the drive is lost.

MTrust Manager currently works with only two "mTrust-ready" drives: Kingston Technology Co.'s DataTraveler Elite Privacy Edition and Verbatim Corp.'s Store 'n' Go Corporate Secure USB drive.

As demand for these drives increases, some sort of security approach makes sense. They store more data than can reasonably be attached to an E-mail and allow users to transport data to places where their networks don't reach, such as a PC borrowed for a conference presentation. The inability to secure these devices and the inability to manage them are the two most prevalent reasons companies cite for not using them, says Nimrod Reichenberg, M-Systems' director of marketing for enterprise solutions. "Most companies that do use them are doing nothing to manage the use of these devices," he adds.

M-Systems has since November 2004 offered the ability to encrypt data stored on USB-pluggable storage devices. In late 2005, the company introduced mTrust Shield, which lets companies centrally manage the use of removable devices and media, ensuring information isn't transferred to unauthorized devices. MTrust Manager provides the ability to administer and track large quantities of such devices.

Other technology security providers have also homed in on the need for better management and security of removable storage drives. Centennial Software Ltd. in mid-April announced it's offering the U.S. Armed Forces 25,000 free licenses of its DeviceWall endpoint security software to manage the use of portable storage in networked environments, largely in response to the problems in Afghanistan.

SecureWave, a provider of software that provides policy-based control of devices, last week announced a partnership with removable flash memory maker Lexar Media Inc. that resembles M-Systems' relationship with Kingston and Verbatim. SecureWave will adapt its Sanctuary device management software so that it can be used on Lexar hardware.

Removable storage's worst-case scenario has played out in Afghanistan, and tech vendors are rushing in with promises to keep this from happening again. It's now a matter of companies acknowledging their own exposure to this problem.
