Industry View
The Thumb-sucking Threat
Joe Wagner, senior vice president and general manager of Systems and Resource Management at Novell, explains the security implications of all those popular portable storage devices.
By Joe Wagner
3.) They can bring unwanted or unauthorized programs onto the network.
4.) They are incredibly easy to lose!
The Great Enforcer
Knowing these threats exist, naturally the next question is, "What can a company do to prevent them from occurring?" Some companies have resorted to banning portable storage devices altogether, while others have used glue guns to seal off their USB ports. Neither of these options is optimal, but something does need to be done. The following three steps can help a company protect its data from the thumb-sucking threat:
Step One: Policy
The first step to maintaining protection is to establish clear policies for which devices are allowed and which are not. It's more effective to define and set policies rather than enforce blanket prohibitions. While some IT administrators may want to block portable storage devices completely, many organizations need more granular control over their USB ports. Using software, IT administrators can white-list specific devices, or make the devices read-only. They can also dictate which people or organizational roles can use portable storage devices, create exceptions to the rule, or permit USB access based on certain device serial numbers. This policy-based approach allows employees to use authorized portable storage devices without the threat of a malware attack or data breach.
Step Two: Enforcement
Once the policies are set, the next step is to actually enforce the security practices. It's not wise to set and forget policies, or users will ultimately find a way around the controls. IT organizations need an automated way to monitor the endpoints to make sure the set policies are being followed, and determine who is using these devices and which files have been transferred to them. In an age of increasing regulation and compliance, an enterprise must maintain an audit trail on user activity. With ongoing monitoring, this audit information can also help managers assess the risk if particular portable storage devices are lost or stolen.
Step Three: Encryption
Considering the primary goal is to protect data on these portable storage devices if they are lost or stolen, it is imperative to encrypt the data when it is written to these devices. While organizations need to ensure that all files copied to a storage device are encrypted, they also need to provide the ability for the data to be decrypted and shared with authorized parties. An automated policy-based approach to encryption adds another layer of security, without slowing down the business.
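The three steps can be read as one policy check: decide access from the device serial, the user's role and any exception, log every decision and transfer, and mark permitted writes as encrypted. The sketch below is an added illustration, not code from the article or from any product; the `UsbPolicy` class, its field names, the roles and the serial numbers are all hypothetical.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

BLOCK, READ_ONLY, READ_WRITE = "block", "read-only", "read-write"

@dataclass
class UsbPolicy:
    allowed_serials: set                 # Step One: allow-listed device serials
    role_access: dict                    # role -> access level
    user_exceptions: dict = field(default_factory=dict)  # user -> access level
    encrypt_writes: bool = True          # Step Three: encrypt on write
    audit_log: list = field(default_factory=list)        # Step Two: audit trail

    def decide(self, user, role, serial):
        """Return the access level for a user/device pair and audit the decision."""
        if serial not in self.allowed_serials:
            access, reason = BLOCK, "serial not on allow-list"
        elif user in self.user_exceptions:
            access, reason = self.user_exceptions[user], "per-user exception"
        else:
            # Default deny: a role with no entry gets no access.
            access, reason = self.role_access.get(role, BLOCK), "role policy"
        self._audit(event="mount", user=user, serial=serial,
                    outcome=access, reason=reason)
        return access

    def record_write(self, user, role, serial, filename):
        """Audit a file copy to the device; True if the policy permits it."""
        ok = self.decide(user, role, serial) == READ_WRITE
        self._audit(event="write", user=user, serial=serial, file=filename,
                    outcome="allowed" if ok else "denied",
                    encrypted=ok and self.encrypt_writes)
        return ok

    def exposure(self, serial):
        """Files written to a device, for risk assessment if it is lost or stolen."""
        return [(e["file"], e["encrypted"]) for e in self.audit_log
                if e["event"] == "write" and e["serial"] == serial
                and e["outcome"] == "allowed"]

    def _audit(self, **entry):
        entry["time"] = datetime.now(timezone.utc).isoformat()
        self.audit_log.append(entry)

# Constructed sample policy and device serials, for illustration only.
policy = UsbPolicy(
    allowed_serials={"SN-0001", "SN-0002"},
    role_access={"finance": READ_ONLY, "field-sales": READ_WRITE},
    user_exceptions={"alice": READ_WRITE},
)
```

Calling `exposure()` with the serial of a lost device returns the files that were copied to it and whether each was encrypted, which is the audit information the enforcement step relies on.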
Keeping Secrets
Business is evolving with the mobile landscape - employees are working out of the office, on the road and from home. Portable storage devices can certainly enhance productivity in this mobile world, but it's crucial to recognize the potential security risks at hand. The best way to promote productivity and keep secrets safe is to define what employees can do with these devices, enforce corporate rules on usage, automatically encrypt information, and continuously monitor device use and transfers. These comprehensive, policy-based steps can help businesses protect themselves against the thumb-sucking threat.