The Portable Risk of High Capacity USB Drives
I was recently leading a session for the Panorama Capital CIO Council, a group of about 25 Fortune 500 CIOs with which we meet twice a year, when the topic of securing enterprise data arose. The CIOs were not, however, talking about data security that can be solved by using products like firewalls, spam filters, malware gateways or data loss prevention appliances.
Instead, the hot topic was the security risk of data leaving the enterprise via portable USB disk drives shoved into workers’ pants pockets. USB disk drives are a cheap and convenient way to move data off your computer — much easier than taking a laptop or hard disk drive. They are also the fastest and surest way to give a CIO a security headache.
Today, USB disk drives of up to 16 gigabytes in size are available. That size will undoubtedly grow over the next few years; some predict they’ll reach at least 128 gigabytes, larger than the hard disk size on many of today’s laptops. That’s a lot of documents, spreadsheets, presentations and other confidential data walking around on keychains and in backpacks and laptop cases.
The size of USB disk drives, however, is not what sends shivers down the spines of the CIOs on our council; it is the fact that the vast majority of these drives will be totally unsecured, open and accessible to anyone who happens upon them. The number of potentially risky scenarios that come to mind is suddenly endless, among them employees who load their disk drive in order to take their work home, police officers who transfer files from a laptop in a patrol car to the station house, lawyers who transfer case documents, and so on. To make matters worse, some of the newer USB disk drives, such as the SanDisk Cruzer, can hold not just a user’s files but their entire workspace environment.
A number of remedies to this security concern are now entering the marketplace but none of them, according to our CIOs, are yet in widespread use. Devices such as SafeBoot PortControl (recently acquired by McAfee) and DeviceLock prevent access by disabling the physical USB ports altogether. Microsoft is apparently developing a similar technology, one that will allow for Active Directory entries to restrict USB devices on a per-user and group basis. These methods may prove an effective, albeit Draconian, way of solving the problem.
Another remedy is to require a password to access the USB disk drive. But passwords are a notoriously weak security mechanism that requires user diligence and maintenance, something not commonly seen in the real world. Further, due to corporate governance and compliance issues, CIOs are looking to secure data using at least two-factor authentication. Even the Executive Office of the President wrote a memo last June requiring two-factor authentication for remote access of information, including data contained on portable storage devices.
The encryption of data on a USB disk drive appears to be the next wave of security coming to these devices; Kingston’s DataTraveler Secure Privacy Edition and IronKey seem to have good products in this area. But this mechanism alone does not satisfy the two-factor authentication requirement. IronKey is also working to solve the two-factor authentication issue using its USB disk drives combined with its online services.
Are you involved with securing your corporate data and if so, are you worried about the insecurity of USB disk drives and how their use can bypass all of the corporate security that you have worked so diligently to put in place?
Allan Leinwand is a venture partner with Panorama Capital and founder of Vyatta. He was also the CTO of Digital Island.

Allan,
How about online storage and backup? There are some issues there too, but I believe by selecting a reliable provider headaches can be minimized substantially. These services offer pretty much everything needed to back up, access and share your files if needed.
Elias
Elias – I’m not sure that online storage solves the issue. It is far easier and faster to save 8 (or even 100) gigabytes to a local USB drive connected to my computer than it is to upload that data to an online storage service. Not to mention that these online storage services often charge by the gigabyte consumed (like Amazon’s S3) and a USB drive is a one-time and relatively cheap purchase. I can see how using an online storage service as a place to transfer my work files may make sense for some people, but there are many other use cases where this will not work (anywhere without Internet access).
Allan,
I totally agree with your arguments, I just tried to position it as an alternative. Well, for sure I cannot say which option is the best, as each has its pros and cons. However, if we ask ourselves and speak seriously, local USB drives are more reliable, there is no doubt.
Elias
Allan,
Link to IronKey website in the article does not work.
Here is the correct link: https://www.ironkey.com
James
Interesting
http://cgi.ebay.com/Encache-Domain-for-Storage-Web-2-0-Startups_W0QQitemZ160187901342QQihZ006QQcategoryZ11153QQssPageNameZWDVWQQrdZ1QQcmdZViewItem
Considering that I back up all of my financial information on a thumb drive, so that I can keep it in event of disaster and reconstruct my life (bank accounts, etc.) the FIRST thing I did was put it all in a TrueCrypt encrypted virtual drive.
With a very strong password.
Allan,
One portable USB device to check out is MXI Security’s Stealth MXP, with a built-in biometric reader and encryption http://www.mxisecurity.com/?p=products&i=stealth_mxp_family.
@James – thanks. The link now works for me.
@Sehlat – Good, but you’re still lacking two-factor authentication. All I need is your password and some sticky fingers and I’m in…..
@Jeff – thanks.
We use a company called xatacom. And they provide an SSH drive that can be mounted onto your Desktop and accessed via the web. It works great! At the end of the day I copy the files I need to my X-drive. I then access the X-drive from my home and voilà! The same files are there. I don’t need to lug my desktop back and forth. My files are secure and no one can access them besides me.
Their website is http://www.xatacom.com
We developed very unique USB protection software. In an enterprise that uses this product, the administrator should first of all initialize a usual USB memory with our system. After that, the initialized USB memory cannot be used outside the specific PC and the domain. When the user loses it and the person who picked up the USB memory tries to use it with his PC, the initialization prompt is automatically displayed on the Windows screen.
Someone who tries to use this specialized USB memory outside of the domain or the PC can only initialize it.
On the other hand, in the domain where my PC or I belong, it is possible to use it without any password.
It is possible to use it safely by such protection even with mass USB. The content of the data is encrypted with AES in 256 bits.
We developed a special USB memory whose contents are deleted when it is lost.