By Deni Connor
When Starbucks earlier this month revealed it couldn't find four laptops
containing data on thousands of employees, IT administrators everywhere
once again were forced to ask themselves: What's our policy on protecting
data on mobile devices?
The seemingly never-ending string of high-profile data loss cases, from
Los Alamos National Laboratory to Allina Health to U.S. Veterans Affairs,
is pushing more organizations to encrypt data on such devices as laptops
and USB flash drives, and establish associated security policies.
"We do have policies specific to laptops that fall under our Mobile
Device Policy," says Tom Gonzales, senior network administrator for the
Colorado State Employees Credit Union in Denver. The organization has
codified a policy for securing laptops, disk drives, USB flash drives
Gonzales describes the policy this way: "USB ports are disabled using the
Cisco Security Agent, so only certain people such as IT can write to
flash drives. We usually don't encrypt the entire drive on users' laptops,
but do provide secure storage areas so that end users can just save the
files to that location and they will always be encrypted. Our desktop
PCs don't have floppy drives or CD-ROM writers."
The reason that companies are going to these extremes is clear: Data
loss is costing them lots of money. The Ponemon Institute suggests each
incident costs about $4.7 million, or $182 per record. Using these numbers,
the incident at Starbucks put as much as $10.9 million of data at risk.
(Starbucks said in a press release it is not sure what became of its
laptops but has seen no evidence that data has been misused.)
Given the sensitive nature of security policies, some IT and network
professionals are reluctant to discuss their policies regarding data
protection on removable storage devices and mobile gear.
"Policy prevents me from answering most of your questions so I should
probably decline," says Ken Walters, senior director for enterprise
platforms at the Public Broadcasting Service in Alexandria, Va. "My
personal feeling is that we need some easy way to encrypt all data
leaving the building and a mechanism that allows only the authorized
employee to see it."
For Lenny Goodman, director of desktop management for Baptist Memorial
Hospital in Memphis, Tenn., protecting data on laptops, flash drives and
other removable media is an everyday experience that started with the
hospital's adhering to the Health Insurance Portability and
"Compliance is a 'supposed to' approach to managing the enterprise, whereas
it infers best practices, the things we should do whether we want to be
compliant or not," Goodman says. "Encryption is a 'should do' thing."
Goodman protects the data stored on USB flash drives with software from
Safend that identifies when a USB drive is connected to the network and
lets IT set policies that allow or disallow their use.
"Like all organizations, we have discovered rather prolific use of
inexpensive, plug-and-play thumb drives," Goodman says. "We didn't provide
them, but that didn't stop our users from taking advantage of the
technology. When you start seeing 1GB thumb drives available at Target
or in a Sunday newspaper brochure, you know that they are going to show
up in the enterprise, and whether there is malice or not, it's something
the enterprise has to address."
Goodman wrote a policy for managing flash drives, identified the flash
drives in use at his organization and replaced them with Kingston's
DataTraveler Secure flash drives. The Safend software recognizes only
the Kingston drives and disallows others.
"Where there was a legitimate business need for removable storage, we
provided a solution that had password protection and nonoptional
encryption," he says.
At Baptist Memorial Hospital, as many as 6,000 desktops and 100 laptops
are protected with the Kingston/Safend combination.
"We are encrypting hard drives," he says. "On our older PCs, we've disabled
the diskette drives through group policy. We do not have CD burners.
Users that bring in CD burners are detected through our endpoint
A more flexible approach
Other IT professionals are less concerned with laptop and USB security,
saying they leave the decision to encrypt data or password protect it up
Jeff Mery, system administrator for an instrumentation and test
equipment manufacturer in Austin, Texas, says controlling removable
media such as flash drives is nearly impossible in his environment.
"The main reason is the vast majority of our users are engineers that
have very valid business reasons for using USB and CD-ROM media in their
day-to-day jobs," he says, adding that he is considering drive encryption
for desktop and laptop users. "Whole-drive encryption is one reason we're
looking at Microsoft Windows Vista and its BitLocker technology," he
says. "Users can currently encrypt data they feel needs it, but BitLocker
will allow us to transparently encrypt the entire disk. Users won't have
to remember to encrypt or what's been encrypted."
For Dominic Marcinelli, vice president of IT at Rackable Systems in
Milpitas, Calif., laptop users' default configuration is a home directory
located on a network drive. When users connect with the network, data is
synchronized, enabling automated backup.
Marcinelli, like Mery, doesn't have a policy for USB drives or CD-ROMs.
"We do ask that users use their best judgment," he says. "We do have
policies for PDAs; if a PDA falls out of someone's pocket in New York, we
want to be able to remotely erase its contents." Marcinelli relies on
passwords to protect laptop contents and is looking to implement
encryption by year-end.
All contents copyright 1995-2006 Network World, Inc.