Not finished with updating your organizations payroll for the day? No problem—just save the documents to a USB thumb drive, drop the drive in your briefcase, stick it in one of your family PCs USB slots and finish up in the comfort of your own home.
But wait. Your kids were downloading some cool IM (instant messaging) icons, and now your home PC—and the USB devices connecting to it—are infected with a virus. Or, you thought you had stuck the USB drive in your briefcase. Or was it your pocket? In any case, where the heck is the drive?
Yes, its easier than ever to take the data and run—a blessing for many users, but a curse for administrators charged with securing company information.
Employees need access to data to do their jobs, but IT implementers and corporate executives need to weigh the productivity benefits of allowing users to take data home against the security implications of private data lost via a rogue or misplaced device. eWEEK Labs recommends that companies not allow unfettered usage of portable storage devices with corporate machines.
However, the knee-jerk reaction of gluing employees USB ports shut can hamper productivity significantly, because those ports could be used for card readers, digital signature devices and VOIP (voice over IP) handsets, among many other devices and functions.
Rather, we recommend the establishment of written data-handling policies, backed by policy-based security controls and accountability via reports and logs to ensure against data loss.
Microsofts Windows XP provided the bare-minimum protection against device-borne data loss, but required some creative workarounds to get going. Windows Vista promises more granular controls to block device installation, plus read or write behavior blocking—albeit with some odd and unfortunate dependencies.
But the operating system is not the place to look for the current utmost in protection against accidental data loss, and oversight over and privacy for data that is permitted to be copied to devices, and proof of action for audit and compliance purposes. For these types and levels of protection, companies need to look to third-party solutions.
Indeed, the security market for products that protect against data loss from the endpoint is white-hot right now, with dozens of companies vying for a place on the corporate desktop. And its a market that an increasing number of organizations are tapping into as a pre-emptive strike.
"We put something in place with [Microsoft] Active Directory that would block the use of USB ports, CDs or floppy disks, but it was not easily administered," said Miriam Neal, vice president of IS at South Western Federal Credit Union in California. Neal eventually settled on SecureWaves Sanctuary 4.1, which we have reviewed. We also reviewed Secuware Security Framework 4.0.
Both products offer policy settings to deny read or write actions to removable storage devices, approve the use of standard devices and enable the use of encryption.
Security Frameworks strength lies in its ability to easily enable encryption on the enterprise level, providing a centralized way to encrypt off-the-shelf USB drives as well as primary operating system hard drives.
Sanctuary offers many of the same high-level capabilities as Security Framework, but it also drills deep down to provide administrators with incredibly in-depth control over the use of just about any port, device or connection type.