Document Actions
Changed scenario on removable devices (reprint)
This short take on the new and emerging portable storage devices thinks aloud on the security implications and some ways to tackle it. But the bottom line is: Are we ready? This was originally posted on my blog (http://mukuldharwadkar.blogspot.com) on 20 Oct 2005. Re-published here as this is again generating some interest.
Managing data moving in and out of an organization through removable
media was easy in the good old days of floppy disk drives. You just
disable the drive. Or even better, remove it from the computer. As the
technology advanced (read OS and applications got fatter) floppy disks
become unviable and obsolete and slowly went away from the workplace
PCs.
Then came CD writers, becoming more and more affordable, easy to use and reliable. Even controlling that was relatively easy. But what with the advent of USB thumb drives, the nightmare for Information security manager just started. USB drives are very small that they can be easily concealed almost anywhere. We could disable the USB ports on the computers, but for the fact that most of the new hardware that is now being manufactured is USB only. So obviously we cannot disable the ports. Plus the fact that users plug in the drive almost anywhere which makes them very dangerous as carriers of unwanted software.
So how do we protect the data of our enterprise? Frankly speaking, I don't know. But here are some ideas I want to throw in the wild:
The third approach defeats the entire point of buying a USB drive and the convenience associated with it. But then security was never a convenience.
Then came CD writers, becoming more and more affordable, easy to use and reliable. Even controlling that was relatively easy. But what with the advent of USB thumb drives, the nightmare for Information security manager just started. USB drives are very small that they can be easily concealed almost anywhere. We could disable the USB ports on the computers, but for the fact that most of the new hardware that is now being manufactured is USB only. So obviously we cannot disable the ports. Plus the fact that users plug in the drive almost anywhere which makes them very dangerous as carriers of unwanted software.
So how do we protect the data of our enterprise? Frankly speaking, I don't know. But here are some ideas I want to throw in the wild:
- Use encryption on the USB drives. I am not yet sure, but I guess there are vendors who provide this software. If not this is one market to tap.
- Ensure that the Virus scanners detect the presence of USB storage device and scan all the data on it.
- If possible, try and prevent data from being copied onto and from unknown USB devices. I don't know how to do it, but I guess this can be done.
The third approach defeats the entire point of buying a USB drive and the convenience associated with it. But then security was never a convenience.
