By Brian Fonseca
March 17, 2008
Security officials are issuing USB flash drives to workers in the state
of Washington's Division of Child Support as part of a new security
procedure established to eliminate the use of nonapproved thumb drives
by workers collecting and transporting confidential data.
The state has so far distributed 150 of 200 SanDisk Corp. Cruzer
Enterprise thumb drives to unit supervisors in the division who manage
collections teams in 10 field offices, said officials (see also "Review:
7 secure USB drives" ).
Brian Main, the division's data security officer, said the new drives
promise to help officials keep better track of mobile data by
integrating them with Web-based management software that can centrally
monitor, configure and prevent unauthorized access to the miniature
"We do periodic risk analysis of our systems, and one of the things that
came up is the use of thumb drives -- they were everywhere," said Main.
"We had a hard time telling which were privately owned and which were
owned by the state." He also said that officials had difficulty keeping
track of what data was stored on the workers' thumb drives.
Main said the division plans to manage and back up the new drives using
SanDisk's Central Management & Control server software, which will soon
be installed at the division's headquarters in Olympia. The software,
which relies on a Web connection to directly communicate with agents on
the tiny flash drives, can also remotely monitor and flush any lost
drives, he said.
Each field office will run a copy of the software to handle localized
management needs, he said.
Officials in the division's training operations will get Cruzer
Enterprise devices with 4GB of memory to store large presentations and
screenshots. Enforcement personnel will get devices that store 1GB, Main
Main said the division first looked at Verbatim America LLC's thumb
drives in its effort to improve security but ultimately turned to the
SanDisk technology because of its support for Microsoft Corp.'s Windows
Vista operating system.
Cruzer Enterprise provides 256-bit AES encryption and requires users to
create a password upon activation. The device automatically deletes all
of its content once someone has tried 10 times to access it using
incorrect passwords. Main said the self-encrypting capability was
removes the "human component" from managing confidential data, a key
feature for the agency.
The Division of Child Support collects about $700 million annually in
child-support payments form noncustodial parents. The agency, part of
the state's Department of Social and Health Services, manages 350,000
active child-support cases annually, noted Main.
Sensitive data transported by off-site workers includes tax documents,
employer records, criminal histories and federal passport data of some
agency clients, Main said. At the least, he noted, the drives include
the names, dates of birth and Social Security numbers of children
serviced by the agency.
The state began rolling out the Cruzer drives late last year after
recalling the thumb drives used by workers. Most of those had been
purchased independently by the employees, causing myriad problems for
security personnel, Main said. The new policy requires workers to use
the drives supplied by the agency. Main said he eventually plans to
destroy all existing thumb drives collected as part of the security
Most companies are too enamored of the convenience, portability and low
cost of USB flash drives to consider their threat to security, said
Larry Ponemon, chairman of Ponemon Institute LLC, a Traverse City,
Mich.-based research firm.
"I think a lot of organizations are asleep at the switch. They don't see
this as a huge problem, and it obviously has the potential to be the
mother of all data-protection issues," said Ponemon. "A lot of
organizations believe if you have a good [security] policy and you
educate people and ask them to be good, that's sufficient. The reality
is, thumb drives create a lot of uncertainty because they contain
enormous an amount of information."
A December 2007 survey of 691 IT security practitioners by Ponemon
Institute asked respondents if they believed most employees would report
a lost laptop or memory stick. While 78% said that employees would
likely notify IT about a lost laptop, only 25% expected that workers
would report a lost USB flash drive.
"The general perception is no one will report a lost USB memory stick
because they're so cheap -- and the embarrassment factor. It's hard to
even know all the different instances where information [on them] is
lost or stolen," remarked Ponemon.
The agency is in talks with ControlGuard to deploy the security
provider's Endpoint Access Manager Server and Endpoint Agents across its
network. Access Management Server sends security policy information from
a central location to agents installed at specific data points to
enforce protection and monitor activities. Main said the technology
would allow his office to restrict authentication and control data
output access on PCs, hard drives and printers.
Subscribe to InfoSec News