The Portable Risk of High Capacity USB Drives

27 Comments

t2-2gb_closed_130.jpgI was recently leading a session for the Panorama Capital CIO Council, a group of about 25 Fortune 500 CIOs with which we meet twice a year, when the topic of securing enterprise data arose. The CIOs were not, however, talking about data security that can be solved by using products like firewalls, spam filters, malware gateways or data loss prevention appliances.

Instead, the hot topic was the security risk of data leaving the enterprise via portable USB disk drives shoved into workers’ pants pockets. USB disk drives are a cheap and convenient way to move data off your computer — much easier than taking a laptop or hard disk drive. They are also the fastest and surest way to give a CIO a security headache.

Today, USB disk drives of up to 16 gigabytes in size are available. That size will undoubtedly grow over the next few years; some predict they’ll reach at least 128 gigabytes, larger than the hard disk size on many of today’s laptops. That’s a lot of documents, spreadsheets, presentations and other confidential data walking around on keychains and in backpacks and laptop cases.

The size of USB disk drives, however, is not what sends shivers down the spines of the CIOs on our council, but the fact that a vast majority of these drives will be totally unsecured, open and accessible to anyone who happens upon them. The number of potentially risky scenarios that come to mind are suddenly endless, among them employees that load their disk drive in order to take their work home, police officers that transfer files from a laptop in a patrol car to the station house, lawyers who transfer case documents, and so on. To make matters worse, some of the newer USB disk drives, such as the Sandisk Cruzer, can hold not just a user’s files but their entire workspace environment.

A number of remedies to this security concern are now entering the marketplace but none of them, according to our CIOs, are yet in widespread use. Devices such as SafeBoot PortControl (recently acquired by McAfee) and DeviceLock prevent access by disabling the physical USB ports altogether. Microsoft is apparently developing a similar technology, one that will allow for Active Directory entries to restrict USB devices on a per-user and group basis. These methods may prove an effective, albeit Draconian, way of solving the problem.

Another remedy is to require a password to access the USB disk drive. But passwords are a notoriously weak security mechanism that require user diligence and maintenance, something not commonly seen in the real world. Further, due to corporate governance and compliance issues, CIOs are looking to secure data using at least two-factor authentication. Even the Executive Office of the President wrote a memo last June requiring two-factor authentication for remote access of information, including data contained on portable storage devices.

The encryption of data on a USB disk drive appears to be the next wave of security coming to these devices; Kingstons DataTraveler Secure Privacy Edition and Ironkey seem to have good products in this area. But this mechanism alone does not satisfy the two-factor authentication requirement. Ironkey is also working to solve the two-factor authentication issue using their USB disk drives combined with their online services.

Are you involved with securing your corporate data and if so, are you worried about the insecurity of USB disk drives and how their use can bypass all of the corporate security that you have worked so diligently to put in place?

Allan Leinwand is a venture partner with Panorama Capital and founder of Vyatta. He was also the CTO of Digital Island.

27 Comments

Rodney H

Combination USB Drives, with automated back-up recovery software built in- thats what high capacity USB needs, possibly with only access to specified computers (through some srt of secondary security code etc, like bluetooth. Transcend get on it!!!!! Feel your pain mate.

Joe Frantize

Nice blog here. You are TOTALLY TOTALLY right. The convenience of a completely portable storage device is just so totally awesome, that’s it’s easy to overlook the negatives of getting your information stolen. Encryption people! You MUST encrypt your critical information. This means social security numbers, health data, bank data, etc. Anything that you just wouldn’t want floating around, should not be in clear text on your portable storage thingy… They are just so portable, that means they get lost and stolen all the time. Make the effort. Protect yourself. It’s not that hard with a few hours of orientation and the right software and you are there… Safe and sound.

Mark

Thanks for the article.

In our company we had some security incidents of stealing several hundreds megabytes of sensitive project data with high capacity usb sticks. Initially we disabled all usb ports but after some time we got rid of this idea.
As a final solution we implemented desktop authority from scriptlogic. By using it’s usb and ports security feature http://www.scriptlogic.com/products/desktopauthority/usbsecurity.asp we blocked all security harmful devices cd/dvd burners, PDAs and mp3 players.
With usb storage sticks we decided to do a little trick. We enabled only company issued usb drives with low capacity (just for sharing small documents, reports or presentations).
We were able to do this by putting serial numbers of such usb stciks to the special whitelist and by enabling the access to usb storage only for devices from this list.

Gijo Mathew

Allan, risk is always understood at F1000 organizations, they certainly don’t run oblivious to the major risks they face. The problem is that it is usually documented in a bunch of spreadsheets and word documents on the intranet. The goal is to start enforcing some of those policies to minimize risk.
Implementation like security is layered. It can start with your riskiest areas and then add policy incrementally. Implementation time can be short using a phased methodology and a modular solution.

Minoru

Allen,
1)Yes, We can accept only our special formatted USB and deny to use normal USB. This is perfect. All are software implemented solution no special hardware.
2)We have two certificates, one is domain and password if need it. Also administrator can set life time of data in the USB.
3)If you can use our Virtual Thin Client system with USB, contents of USB must backuped on the server anytime.
I can send you materials.

Allan Leinwand

@Jens – good move, but still not two-factor authentication. The time is coming when most organizations will require two-factor for everything.

@Gijo – thanks for the info. Who sets the corporate policy on what information can be stored on a USB drive and what can’t? That sure seems like a cumbersome task – I imagine the implementation time and cost for a F1000 company maybe high…. Perhaps not as high as losing corporate confidential data, but high enough that I would guess such a project would take a long time to implement.

Gijo Mathew

Allan, Good comments on the risk.
Here are some approaches on how organizations try to mitigate this risk:
1)Disable USB drive altogether (Not practical and useful for many organizations)
2)Encrypt the USB drive
3)Strong Authentication to access USB drive
In my mind it is not just about access to the contents on the drive but rather what gets placed on the drive in the first place! I don’t care if you encrypt and have strong authentication on your USB drive if what you are taking with you are thousands of SSN’s or patient information, or corporate intellectual property. I know most organizations wouldn’t want this information leaving the organization in any form. (Posted on a blog, emailed, or dropped on USB)
So the 4th approach:
4)Let corporate policy state what can go on a drive and enforce that at the endpoint.

DLP solutions with endpoint protection ability do just that. They ensure that the most critical information does not leave the organization, even if it is via a USB drive. Who cares if my family pictures are encrypted and can’t be accessed without strong authentication? The secret is in accurately detecting critical information and then deciding if it should be on a USB drive or not.
http://www.orchestria.com/solutions/data_loss_prevention/coverage.asp

Jens Moller

Have a look at TrueCrypt – Its free and allows you to run it totally on a USB Flash Drive – I use it with Portable Thunderbird (email client) and this allows me to use a 2 Gig flash drive for storing sensitive data as well as reading my email on any Windows or Linux PC that I have available to me.

I never allow my files to go unencrypted.

http://www.truecrypt.org/

Allan Leinwand

@Minoru – very interesting. Two possible issues though….

1) Does your environment allow me to buy a different USB disk drive and not use your unique protection software? While this method seems valid to password protect the USB drive with the software on it, what stops me from buying a very cheap drive and using it in your environment? Are your USB ports locked to deny access to other USB devices?

2) Your solution still lacks good two-factor authentication. Using a password (or network credentials in the domain) are still only one-factor.

@Tim – thanks and good luck :)

Tim Probst

Although it has taken a while for companies to catch up with the threat of affordable portable storage devices, it seems to be at the top of everyone’s list these days.

My employer just introduced a new hardware policy that disables USB hard drives and flash drives and disables the disk burning capabilities of our DVD drives. I can definitely understand the need for this policy, and I support it, but it does make it more difficult when my coworkers and I are out at client sites and need to quickly share large files. At this time, our only options are to email the files back and forth to each other or to connect to our network shares over VPN and wireless broadband cards. Both of these options are brutally slow. It seems to me that the better option is to encrypt the data on USB flash drives, and I am going to forward your post to our IT department in hopes that they’ll find some way to allow us to use our USB drives again. Thanks!

Minoru Ikeda

We developed very unique USB protection software. In the enterprise that uses this product, first of all, the administrator should initialize a usual USB memory with our system. After that, the initialized USB memory cannot be used outside specific PC and the domain. When the person who picked up the USB memory tries to use the USB memory with his PC when the user loses, the prompt of initialization is automatically displayed on the screen of Window.
Someone try to use this specialized USB memory outside of the domain or the PC, can do just only initializing.
On the other hand, in the domain where my PC or I belong, it is possible to use it without any password.
It is possible to use it safely by such protection even with mass USB. The content of data is encrypted with AES in 256 bits.

We developed special USB memory that contents deleted when it lost.

Tony

we use a company called xatacom. And they provide an SSH drive that can be mounted onto your Desktop and accessed via the web. It works great!At the end of the day I copy the files I need to my X-drive. I then access the X-drive from my home and Viola! The same files are there. I don’t need to lug my desktop back and forth. My files are secure and No one can access them besides me.

Their website is http://www.xatacom.com

Allan Leinwand

@James – thanks. The link now works for me.

@Sehlat – Good, but you’re still lacking two-factor authentication. All I need is your password and some sticky fingers and I’m in…..

@Jeff – thanks.

sehlat

Considering that I back up all of my financial information on a thumb drive, so that I can keep it in event of disaster and reconstruct my life (bank accounts, etc.) the FIRST thing I did was put it all in a TrueCrypt encrypted virtual drive.

With a very strong password.

Elias

Allan,

I totally agree with your arguments, i just tried to position it as an alternative. Well, for sure cannot say which option is the best as each has its pros and cons. However, if we ask our selfs and speak seriously local USB drives are more reliable, there is no doubt.

Elias

Allan Leinwand

Elias – I’m not sure that online storage solves the issue. It is far easier and faster to save 8 (or even 100) gigabytes to a local USB drive connected to my computer than it is to upload that data to an online storage service. Not to mention that these online storage services often charge by the gigabyte consumed (like Amazon’s S3) and a USB drive is a one-time and relatively cheap purchase. I can see how using an online storage service as a place to transfer my work files may make sense for some people, but there are many other use cases where this will not work (anywhere without Internet access).

Elias

Allan,

How about online storage and backup? There are some issues there too but i believe by selecting a reliable provider headaches can be minimized substancially. These services offer pretty much everything needed to back up, access and share your files if needed.

Elias

Comments are closed.