The Portable Risk of High Capacity USB Drives

I was recently leading a session for the Panorama Capital CIO Council, a group of about 25 Fortune 500 CIOs with whom we meet twice a year, when the topic of securing enterprise data arose. The CIOs were not, however, talking about data security that can be solved by using products like firewalls, spam filters, malware gateways or data loss prevention appliances.

Instead, the hot topic was the security risk of data leaving the enterprise via portable USB disk drives shoved into workers’ pants pockets. USB disk drives are a cheap and convenient way to move data off your computer — much easier than taking a laptop or hard disk drive. They are also the fastest and surest way to give a CIO a security headache.

Today, USB disk drives of up to 16 gigabytes in size are available. That size will undoubtedly grow over the next few years; some predict they’ll reach at least 128 gigabytes, larger than the hard disk size on many of today’s laptops. That’s a lot of documents, spreadsheets, presentations and other confidential data walking around on keychains and in backpacks and laptop cases.

What sends shivers down the spines of the CIOs on our council, however, is not the size of USB disk drives but the fact that a vast majority of these drives will be totally unsecured, open and accessible to anyone who happens upon them. The number of potentially risky scenarios that come to mind is suddenly endless, among them employees who load their disk drive in order to take their work home, police officers who transfer files from a laptop in a patrol car to the station house, lawyers who transfer case documents, and so on. To make matters worse, some of the newer USB disk drives, such as the SanDisk Cruzer, can hold not just a user’s files but their entire workspace environment.

A number of remedies to this security concern are now entering the marketplace but none of them, according to our CIOs, are yet in widespread use. Devices such as SafeBoot PortControl (recently acquired by McAfee) and DeviceLock prevent access by disabling the physical USB ports altogether. Microsoft is apparently developing a similar technology, one that will allow for Active Directory entries to restrict USB devices on a per-user and group basis. These methods may prove an effective, albeit Draconian, way of solving the problem.

Another remedy is to require a password to access the USB disk drive. But passwords are a notoriously weak security mechanism that requires user diligence and maintenance, something not commonly seen in the real world. Further, due to corporate governance and compliance issues, CIOs are looking to secure data using at least two-factor authentication. Even the Executive Office of the President wrote a memo last June requiring two-factor authentication for remote access to information, including data contained on portable storage devices.

The encryption of data on a USB disk drive appears to be the next wave of security coming to these devices; Kingston’s DataTraveler Secure Privacy Edition and IronKey seem to have good products in this area. But this mechanism alone does not satisfy the two-factor authentication requirement. IronKey is also working to solve the two-factor authentication issue using its USB disk drives combined with its online services.

Are you involved with securing your corporate data and, if so, are you worried about the insecurity of USB disk drives and how their use can bypass all of the corporate security that you have worked so diligently to put in place?

Allan Leinwand is a venture partner with Panorama Capital and founder of Vyatta. He was also the CTO of Digital Island.