Gadgets Present Security Conundrum

Enterprises must learn to better secure consumer devices

Palm introduces its newest Treo, Nokia and Google partner for instant messaging on handhelds and Research In Motion's BlackBerry tackles the China market. Another day, another hot device. The downside: keeping the enterprise network secure amid a barrage of new consumer devices.

Indeed, when Mark Halligan, a principal in the Chicago-based law firm Welsh & Katz, wants to show business leaders how easy it is for their employees to secretly walk out the door with important data, he simply shows them his watch, which bears a USB connector that allows the device to download and store roughly 1GB of electronic information.

The security risks from such digital toys—not to mention smart phones, digital music players and USB drives—are growing, said Halligan, who urges companies to police how employees use outside devices. "With outside consumer devices, you need to build strict policies that police and limit the use of each individual device," he said.

Ways to curb device use range from squirting hot glue into PCs' USB ports and keeping key-chain fobs and iPods off the network to the advanced—blending technology systems with physical security tools to monitor behavior.

However, those approaches can backfire. Telling workers to leave their smart phones at home is counterproductive, said Steve Baker, an analyst with NPD Group, of Port Washington, N.Y. For instance, if IT administrators had banned Palm's original PDAs out of security fears in the mid-1990s, we may not have the company's latest Treo smart phones today, Baker said.

"There's no way for enterprises to stop these kind of things; users are bringing them in because they see a business rationale," said Baker. "Enterprises must find ways to allow people to use consumer devices securely, as banning them will only lead to people staging rebellions from within."

A bevy of vendors are trying to help. Microsoft is promising to give IT administrators expanded capabilities to manage devices in its next-generation Vista operating system.

Enhancements to Vista's Group Policy settings, which allow administrators to enforce configuration settings for individuals, groups and specific machines, have been designed to block access to removable devices such as CD-ROMs, DVD drives and USB tokens, said David Zipkin, a product manager at Microsoft, in Redmond, Wash.

Centennial Software is another player. The company's DeviceWall creates a virtual whitelist of approved devices assigned to certain groups and individuals. These lists can be configured to block any device not explicitly permitted by a company's policies. DeviceWall also ties users' device privileges directly to their user names and passwords.
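The default-deny device whitelist described above, sketched as an added example (not DeviceWall's code or API, and not part of the original article): rules grant a device class, optionally pinned to one model and serial number, to a user or group, and anything unmatched is blocked and recorded. The rule format, user names, group names and device IDs are all constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Device:
    dev_class: str   # e.g. "usb-storage", "printer", "camera"
    vid_pid: str     # USB vendor:product ID
    serial: str

@dataclass(frozen=True)
class Rule:
    principal: str        # "user:<name>" or "group:<name>"
    dev_class: str
    vid_pid: str = "*"    # "*" matches any model
    serial: str = "*"     # "*" matches any individual unit
    access: str = "rw"    # "ro" (read-only) or "rw" (read-write)

# Constructed sample policy and directory data (hypothetical names and IDs).
RULES = [
    Rule("group:design", "camera", access="ro"),
    Rule("group:all-staff", "printer"),
    Rule("user:jdoe", "usb-storage", "1234:abcd", "SN-APPROVED-01", "rw"),
]
GROUPS = {"jdoe": {"all-staff"}, "asmith": {"all-staff", "design"}}

def _matches(rule, user, device):
    # A rule applies if it names the user or one of the user's groups.
    principals = {f"user:{user}"} | {f"group:{g}" for g in GROUPS.get(user, ())}
    return (rule.principal in principals
            and rule.dev_class == device.dev_class
            and rule.vid_pid in ("*", device.vid_pid)
            and rule.serial in ("*", device.serial))

def decide(user, device, audit):
    """Return 'rw', 'ro' or 'deny'; no matching rule means deny."""
    grants = [r.access for r in RULES if _matches(r, user, device)]
    verdict = "rw" if "rw" in grants else "ro" if "ro" in grants else "deny"
    if verdict == "deny":
        # Keep a record of every blocked attach attempt for later review.
        audit.append((user, device.dev_class, device.vid_pid, device.serial))
    return verdict

def repeat_offenders(audit, threshold=2):
    """Users with at least `threshold` blocked attempts in the audit log."""
    counts = {}
    for user, *_ in audit:
        counts[user] = counts.get(user, 0) + 1
    return sorted(u for u, n in counts.items() if n >= threshold)
```

Pinning storage grants to a serial number, as in the `jdoe` rule, is what separates "this approved drive" from "any drive of the same model".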

One company using DeviceWall is Motor Information Systems, of Troy, Mich., a specialty automotive publishing company owned by Hearst Publishing.

"We have some people who need to use USB ports to print information or download photos, but, at the same time, you appreciate the risk of having someone plug in their iPod and walk off with a gigabyte of data," said Jeff Schmitt, network administrator at Motor. "This way, we can allow people to have unique privileges based on their jobs and even keep an eye on who is trying to attach something else to the network."

Another fix is to use cameras to curb device usage. One company marketing such tools is 3VR Security. In April, 3VR introduced the fourth iteration of its IVMS (Intelligent Video Management Systems), which promises to convert raw video from security cameras into a searchable database.

The system is designed to detect misuse and warn administrators if someone appears to be stealing data or attempting to log in to computers or to a data center where they do not have access privileges.

"There is the ancillary benefit of having people know that they are being watched; it may sound obtrusive, but companies in the health care and financial services industries, in particular, have to consider that they can be held liable if they don't know where this information went," said Steven Russell, co-founder of San Francisco-based 3VR.

Steve Hunt, an analyst at 4A International, a Chicago research company, agreed that constant monitoring may be the way to go. "It may seem sort of draconian at first, but with all the devices that are finding their way into the office, it may someday be the only choice companies have," said Hunt.

Consumers Have Their Own Devices

A growing array of consumer devices poses potential threats to enterprise data security.

USB drives

* Easily concealable portable drives can swallow large volumes of information

Smart phones

* Carry on-board cameras, support USB and wireless network connectivity, and offer sizable data reserves

MP3 players

* Offer USB network connectivity and the ability to store gigabytes of data

Digital cameras

* Increasingly diminutive in scale, yet large in on-board memory

USB gadgets

* Watches and pens with USB storage drives inside are already on the market