How many of you have coworkers that regularly trot in to work with an iPod shuffle dangling from their necks? Do they religiously synchronize their home music collection with their office computers—using their own MP3 players? Finally, have you ever had a situation where getting some important files to someone was accomplished by handing that person a 1-GB thumb drive?
If you answered yes to any of these questions, your organization needs to weigh the risks of portable storage devices against their convenience.
In days past, using a floppy disk to transfer files was often considered an acceptable security risk, since a floppy could not hold much data. Today, however, we have 2-GB iPod Nanos and small, lightweight drives that hold hundreds of gigabytes. The ease with which this type of storage connects to Windows and other systems, with no driver to install and no administrator involved, significantly increases the likelihood of inappropriate use.
Portable storage loopholes
(1) Layoffs are looming at your struggling company and the pink slips are due to go out to some of your inside sales people. With an old-school iPod shuffle, what would stop one of these folks from scarfing the contents of the customer file and taking it to his next job?
(2) Two coworkers have been working on a project and one of the coworkers regularly takes the project home on a 1-GB thumb drive, complete with some data used for testing. Unfortunately, this test data, consisting of a few thousand records, was culled from your live customer database. What happens if this person drops the keychain drive on the subway or the device is stolen?
(3) A user brings in a thumb drive that he has used at home. Unfortunately, this user's home machine is infested with viruses and spyware, and the drive carries that malware straight past your perimeter defenses and onto the corporate network.
As you can see from the scenarios above, portable devices provide users with an ideal way to bypass your network defenses and, if so inclined, to steal, or simply to lose, sensitive company information. Depending on the type of organization you belong to, the fallout could go well beyond upsetting a few customers and could include regulatory fines for non-compliance. For some organizations, these risks may be acceptable or the benefits of portable storage may outweigh them. However, for many environments, the risks are too high and mitigation steps should be taken.
Mitigate the risks of portable storage
Place an outright ban on the use of the devices. Of course this probably won't work all by itself unless your users are unlike users anywhere else in the world. However, in some organizations, e.g., government and financial institutions that handle extremely sensitive data, this might be a good first step.
Use a technical solution to prevent the use of the devices. You could, for example, simply disable the USB ports on the systems in your company, but that would also take out USB keyboards, mice, and printers. A more targeted approach is to prevent USB mass storage devices from being installed while leaving other USB devices working. Instructions for accomplishing this can be found in Section 3 of Microsoft's August 2005 publication entitled Guide to Preventing Information Leaks, and in Microsoft Knowledge Base article 823732, which describes two methods: deny users access to the usbstor.inf and usbstor.pnf driver files so that Plug and Play cannot install the USB storage driver, and, on machines where the driver has already been installed, set the USBSTOR service's Start value to 4 (disabled) so it no longer loads.
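As an added example (not code from the article or from Microsoft's documents), the following PowerShell script applies both KB 823732 methods on a single Windows host and then verifies the result. It assumes an elevated prompt, the default %SystemRoot%\Inf location for the driver files, and that the group to lock out is BUILTIN\Users; all three are assumptions you may need to change.

```powershell
# Added example: block USB mass storage using the two methods described in
# Microsoft KB 823732. Not code from the article. Run from an elevated prompt.
# Assumptions: default %SystemRoot%\Inf path; the group to lock out is BUILTIN\Users.

$usbstorService = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'
$driverFiles    = @("$env:SystemRoot\Inf\usbstor.inf", "$env:SystemRoot\Inf\usbstor.pnf")
$denyGroup      = 'BUILTIN\Users'   # assumption: ordinary users, not administrators

# Method for machines where the USBSTOR driver is already installed:
# Start = 4 (Disabled) keeps the driver from loading for any newly attached device.
if (Test-Path $usbstorService) {
    $before = (Get-ItemProperty -Path $usbstorService -Name Start).Start
    Set-ItemProperty -Path $usbstorService -Name Start -Value 4 -Type DWord
    Write-Host "USBSTOR Start value changed from $before to 4 (Disabled)"
} else {
    Write-Host "USBSTOR service key not present; no USB storage device has been installed yet"
}

# Method for machines where no USB storage device has ever been attached:
# denying Read on usbstor.inf/.pnf stops Plug and Play from installing the driver
# the first time a device is plugged in.
foreach ($file in $driverFiles) {
    if (-not (Test-Path $file)) { continue }
    $acl  = Get-Acl -Path $file
    $rule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule `
                       -ArgumentList $denyGroup, 'Read', 'Deny'
    $acl.AddAccessRule($rule)
    Set-Acl -Path $file -AclObject $acl
    Write-Host "Deny Read for $denyGroup applied to $file"
}

# Verify: Start should now read 4, and each driver file should carry the Deny entry.
if (Test-Path $usbstorService) {
    Get-ItemProperty -Path $usbstorService -Name Start | Select-Object Start
}
foreach ($file in $driverFiles) {
    if (Test-Path $file) {
        (Get-Acl -Path $file).Access |
            Where-Object { $_.AccessControlType -eq 'Deny' } |
            Select-Object IdentityReference, FileSystemRights, AccessControlType
    }
}
```

Two caveats. The Start = 4 setting is all-or-nothing: it blocks approved drives along with everyone else's, and a local administrator can set it back to 3 (on demand) at any time, so it is a deterrent for ordinary users rather than a control against a determined insider with admin rights. On Windows Vista and later, the Removable Storage Access settings under Computer Configuration\Administrative Templates\System in Group Policy are the supported way to push the same restriction to many machines at once.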
Consider a supported third-party software solution that permits the devices but controls and records their use. VolumeShield, for example, lets users connect portable storage devices while auditing which devices are used.
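Before rolling out a device-control product, it helps to know what is already plugging in. As an added example (not code from the article or from VolumeShield), this PowerShell snippet inventories every USB mass storage device Windows has ever installed on a host, from the Enum\USBSTOR registry keys that Plug and Play creates on first connection. The CSV output location is an assumption.

```powershell
# Added example: inventory USB storage devices that have been attached to this host,
# using the Enum\USBSTOR keys that Plug and Play creates on first connection.
# Not code from the article. Read-only; works as a normal user on most systems.

$enumKey = 'HKLM:\SYSTEM\CurrentControlSet\Enum\USBSTOR'
$report  = "$env:TEMP\usbstor-inventory.csv"   # assumption: where to write the CSV

if (-not (Test-Path $enumKey)) {
    Write-Host "No USB storage device has ever been installed on this host"
    return
}

$devices = foreach ($deviceKey in Get-ChildItem -Path $enumKey) {
    # Each top-level key names the device class, vendor, product and revision,
    # e.g. Disk&Ven_SanDisk&Prod_Cruzer&Rev_1.00. Each subkey beneath it is one
    # physical unit, named by its serial number (or a generated instance ID when
    # the device reports none).
    foreach ($instanceKey in Get-ChildItem -Path $deviceKey.PSPath) {
        $props = Get-ItemProperty -Path $instanceKey.PSPath
        [pscustomobject]@{
            Computer     = $env:COMPUTERNAME
            Device       = $deviceKey.PSChildName
            Serial       = $instanceKey.PSChildName
            FriendlyName = $props.FriendlyName
        }
    }
}

$devices | Sort-Object Device, Serial | Format-Table -AutoSize
$devices | Export-Csv -Path $report -NoTypeInformation
Write-Host "Inventory written to $report"
```

This tells you which devices have been installed, not what was copied to them: a serial number that never appears in your list of issued drives is the lead to follow up. For per-file or per-session records you still need a device-control product or Windows object-access auditing.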
Use encryption. If you need to use portable storage, consider encryption software to protect the contents of the device. Now, you may ask what would stop a user from simply bringing in an ordinary, unencrypted thumb drive and using it. Nothing, by itself: an encryption project has to be done in concert with the roll-out of a device-control product like VolumeShield. The organization would then take on the job of distributing approved, encrypted thumb drives to users, whitelisting those devices in VolumeShield, and blocking all other devices.
Ease of use and the significant capacity of the hardware make unfettered use of portable storage devices a dangerous security problem for many organizations. You should start to implement policies for their use now and consider some of the technical solutions to securing your data from theft and loss.