March 14, 2005
by Magnus Ahlberg, Managing Director, Pointsec
Editor's intro: In the early James Bond films of the 1960s, viewers were introduced to an array of implausible (at the time) portable high tech spy gadgets. Nowadays we know from our own everyday experience that something the size of a cigarette lighter can actually be a video camera with its own wireless internet access. The proliferation of miniature high capacity storage devices creates a serious problem for commercial and national security. This article provides an up to date picture of the intrinsic dangers.
The rise of the mobile data market has been rapid, lucrative and dangerous. Long gone are the days when you needed identical tape drives and software on both computers. The traditional floppy disk market and local tape markets were superseded by the super-floppy and zip drive. Now even they are disappearing as the mobile data storage market evolves.
Thanks to their large capacities, portability, and simplicity, removable media have become one of the most popular types of storage device around today. You only have to go down to one of the big computer shows to be offered a free memory stick as a stand give-away. If you take part in an IT training course, you might be given one with all your course notes stored on it. They are so cheap that they are the obvious way to store information: business proposals, accounts, clients' details, marketing plans, etc.
The arrival of the MP3 music player has had a significant impact on the market. While Apple sees music as the only reason for owning an iPod, its competitors have simply created large USB stores with some built-in music software. An increasing number of people now view the MP3 player as both a data and an entertainment tool. The danger here is that, as an entertainment device, it falls below the radar, and with storage capacities set to exceed 80GB by the end of 2005, it is a serious threat to data protection.
Here are 10 things you probably don't know about this market.

If this doesn't scare you then you clearly are not responsible for looking after corporate security.

Here are some facts about corporate data:
Think about how easy it would be to remove your corporate data. During the 1980s the fear was that people would be able to save the customer list or company price lists onto a floppy disk and take it to their next employer. Today, they can take not only that information but also your entire customer database, showing purchasing prices and history, on a single device.
The advent of fast Internet access in the office meant that employees used the company network to download files. Increasingly, that has meant people pulling down illegal content as well as installing peer-to-peer software on their desktop computers. With P2P installed, they can move files between the office and home on CD, DVD or other removable media. The danger to the corporate network is that file sharing through P2P exposes the company's internal structure.
Preventing people from bringing devices and media into the office is an extremely difficult problem. Look at the physical size of much of this media: it is easily missed in a pocket, briefcase or handbag. Short of instituting an invasive and very workforce-unfriendly search policy, keeping devices out of the company is virtually impossible.
The solution, then, appears to be one of management. The first step here is to decide on what you can and cannot enforce. Remarkably few companies actually realise how limited their powers are, especially with respect to current privacy and human rights.
For example, preventing employees from bringing their MP3 player to work and then using it during lunchtime would require draconian terms of employment that are almost certainly illegal. Companies that have tried similar experiments with regard to camera phones have found it hard to police and enforce.
What you can do, however, is ensure that all members of staff are aware that their employment does not allow the connection of non-company devices to their computers or other peripherals. This means banning people from downloading their photos to that nice colour printer. No swapping music with the person who sits next to you if that means connecting to the computer and using it as a transfer point.
Administrators need to create security solutions that log the amount of data that a user downloads. It is already acceptable to search an employee's hard disk for illegal files, but few companies do this. Nightly sweeps of hardware to find MP3, WMA, JPG and other file extensions would seem a simple thing. Unfortunately, all of these formats have legitimate work uses and are often used by software packages for saving business files.
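As an added illustration of the sweep described above (example code, not from the article or from Pointsec), the script below inventories a directory tree by file extension and, separately, by content signature, so that the report separates music or photos merely named as such from files that really are media. It assumes only standard-library Python and constructs its own sample files in a temporary directory.

```python
# Added example, not from the article: a nightly sweep that inventories media
# files by extension and by content signature (JPEG, MP3 via ID3v2 tag or MPEG
# frame sync, ASF/WMA header GUID). Sample files are constructed in a temp dir.
import os
import tempfile
from collections import Counter

MEDIA_EXTS = {".mp3", ".wma", ".jpg", ".jpeg"}
ASF_GUID = bytes.fromhex("3026b2758e66cf11a6d900aa0062ce6c")  # ASF/WMA header object

def sniff(head):
    """Classify a file by its leading bytes; None if no media signature matches."""
    if head.startswith(b"\xff\xd8\xff"):
        return "jpeg"
    if head.startswith(b"ID3") or (len(head) > 1 and head[0] == 0xFF and (head[1] & 0xE0) == 0xE0):
        return "mp3"
    if head.startswith(ASF_GUID):
        return "wma"
    return None

def sweep(root):
    """Walk root; return counts by extension, by content, and files where the two disagree."""
    by_ext, by_content, mismatches = Counter(), Counter(), []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            ext = os.path.splitext(name)[1].lower()
            with open(path, "rb") as fh:
                kind = sniff(fh.read(16))
            if ext in MEDIA_EXTS:
                by_ext[ext] += 1
            if kind:
                by_content[kind] += 1
            # Extension-only sweeps miss renamed music and flag legitimate work files;
            # record both kinds of disagreement for a human to review.
            if (ext in MEDIA_EXTS) != (kind is not None):
                mismatches.append((os.path.relpath(path, root), ext, kind))
    return {"by_ext": by_ext, "by_content": by_content, "mismatches": sorted(mismatches)}

def demo():
    """Constructed tree: real MP3, MP3 hidden as .doc, text named .jpg, real JPEG."""
    root = tempfile.mkdtemp()
    samples = {
        "song.mp3": b"ID3\x04\x00" + b"\x00" * 11,
        "report.doc": b"ID3\x03\x00" + b"\x00" * 11,  # music behind a work extension
        "diagram.jpg": b"Quarterly sales figures",    # work data with a media extension
        "photo.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 12,
    }
    for name, data in samples.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(data)
    return sweep(root)
```

Running `demo()` reports two mismatches: the renamed MP3 that an extension-only sweep would miss, and the business file that it would wrongly flag.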
If you are to allow data to be transferred over removable media then you should consider how to secure it. There are several vendors with encryption solutions in the market. All of them have different advantages, but whatever you choose should have a minimum set of
Files need to be self-contained as an executable, where the level of encryption is still high enough to thwart all but the most extensive brute force attack. There are products that fall into this category and they are worth finding and deploying in order to minimise the risks. One possible solution is to ensure that you encrypt everything that is downloaded from a computer onto any removable media.
Your corporate data has never been so insecure. The ease with which it can now be removed from the office surpasses anything in history. There are approaches that you can use, but they must encompass protection of content and system management; simply banning devices will not work.
Remember, we are now in a world where almost every month a new piece of regulation over data protection and access appears. If you don't sort this out now, the regulator will simply fine you extensive amounts of money and you'll still have the problem.
STORAGEsearch is published by ACSL