http://www.computerworld.com/action/article.do?command=viewArticleBasic&taxonomyName=storage&articleId=9069038 By Brian Fonseca March 17, 2008 Computerworld Security officials are issuing USB flash drives to workers in the state of Washington's Division of Child Support as part of a new security procedure established to eliminate the use of nonapproved thumb drives by workers collecting and transporting confidential data. The state has so far distributed 150 of 200 SanDisk Corp. Cruzer Enterprise thumb drives to unit supervisors in the division who manage collections teams in 10 field offices, said officials (see also "Review: 7 secure USB drives" [1]). Brian Main, the division's data security officer, said the new drives promise to help officials keep better track of mobile data by integrating them with Web-based management software that can centrally monitor, configure and prevent unauthorized access to the miniature storage devices. "We do periodic risk analysis of our systems, and one of the things that came up is the use of thumb drives -- they were everywhere," said Main. "We had a hard time telling which were privately owned and which were owned by the state." He also said that officials had difficulty keeping track of what data was stored on the workers' thumb drives. Main said the division plans to manage and back up the new drives using SanDisk's Central Management & Control server software, which will soon be installed at the division's headquarters in Olympia. The software, which relies on a Web connection to directly communicate with agents on the tiny flash drives, can also remotely monitor and flush any lost drives, he said. Each field office will run a copy of the software to handle localized management needs, he said. Officials in the division's training operations will get Cruzer Enterprise devices with 4GB of memory to store large presentations and screenshots. Enforcement personnel will get devices that store 1GB, Main said. Main said the division first looked at Verbatim America LLC's thumb drives in its effort to improve security but ultimately turned to the SanDisk technology because of its support for Microsoft Corp.'s Windows Vista operating system. Cruzer Enterprise provides 256-bit AES encryption and requires users to create a password upon activation. The device automatically deletes all of its content once someone has tried 10 times to access it using incorrect passwords. Main said the self-encrypting capability was removes the "human component" from managing confidential data, a key feature for the agency. The Division of Child Support collects about $700 million annually in child-support payments form noncustodial parents. The agency, part of the state's Department of Social and Health Services, manages 350,000 active child-support cases annually, noted Main. Sensitive data transported by off-site workers includes tax documents, employer records, criminal histories and federal passport data of some agency clients, Main said. At the least, he noted, the drives include the names, dates of birth and Social Security numbers of children serviced by the agency. The state began rolling out the Cruzer drives late last year after recalling the thumb drives used by workers. Most of those had been purchased independently by the employees, causing myriad problems for security personnel, Main said. The new policy requires workers to use the drives supplied by the agency. Main said he eventually plans to destroy all existing thumb drives collected as part of the security policy change. Most companies are too enamored of the convenience, portability and low cost of USB flash drives to consider their threat to security, said Larry Ponemon, chairman of Ponemon Institute LLC, a Traverse City, Mich.-based research firm. "I think a lot of organizations are asleep at the switch. They don't see this as a huge problem, and it obviously has the potential to be the mother of all data-protection issues," said Ponemon. "A lot of organizations believe if you have a good [security] policy and you educate people and ask them to be good, that's sufficient. The reality is, thumb drives create a lot of uncertainty because they contain enormous an amount of information." A December 2007 survey of 691 IT security practitioners by Ponemon Institute asked respondents if they believed most employees would report a lost laptop or memory stick. While 78% said that employees would likely notify IT about a lost laptop, only 25% expected that workers would report a lost USB flash drive. "The general perception is no one will report a lost USB memory stick because they're so cheap -- and the embarrassment factor. It's hard to even know all the different instances where information [on them] is lost or stolen," remarked Ponemon. The agency is in talks with ControlGuard to deploy the security provider's Endpoint Access Manager Server and Endpoint Agents across its network. Access Management Server sends security policy information from a central location to agents installed at specific data points to enforce protection and monitor activities. Main said the technology would allow his office to restrict authentication and control data output access on PCs, hard drives and printers. [1] http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9062527 ___________________________________________________ Subscribe to InfoSec News http://www.infosecnews.org/mailman/listinfo/isn
This archive was generated by hypermail 2.1.3 : Tue Mar 18 2008 - 22:13:42 PST