For all of their productivity, these devices can also pose an inherent risk; take the recent case of data theft at Pfizer. Confidential information such as names, addresses, positions and salaries of over 13,000 employees is at risk of exposure after a laptop and flash drive were stolen. This is the sixth time Pfizer has publicized a breach in the past year.
Whether done inadvertently or deliberately, entire databases of financial and health information, corporate contacts, or trade secrets can be downloaded rapidly onto a removable media device. The financial losses associated with sensitive data falling into the wrong hands can be staggering, not to mention the stiff fines for noncompliance and the loss of corporate reputation.
In addition, these devices can also introduce viruses or malicious code into a company’s IT system. In the wake of the prolific use of removable media, IT administrators have taken steps to neutralize the threat, such as determining all media that has ever connected to corporate endpoints, establishing a clear written policy, deploying a solution to enforce the policy, and auditing and reporting on activities as they relate to the policy.
The following four strategies will help enterprises mitigate risks without limiting productivity:
1. Employ a third-party endpoint data leakage prevention solution
One way to manage the threat of portable storage devices is to employ an endpoint data leakage prevention solution that gives administrators control over which devices are in use, visibility into when they have been used and by whom, and knowledge of what data has been copied. The most effective endpoint security solutions allow administrators to actively manage user access and log the activity of media players, USB drives, memory cards, PDAs, mobile phones, network cards and more. These solutions also permit administrators to centrally disable users' access to portable storage media, preventing users from stealing data or bringing in data that could harm the network, such as viruses, trojans and other malware.
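To make the three functions named above (control over which devices are in use, visibility into who used them and when, and an audit of what was copied) concrete, here is an added example in Go. It is illustration code written for this article, not Safend's or any product's implementation. It parses a constructed endpoint-agent log, applies a device-control policy that blocks storage classes by default while allowing explicitly approved device IDs, and produces the summary an administrator would review. The log format, field names, device IDs, hosts, users and the policy itself are all constructed for the example.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
	"time"
)

// DeviceEvent is one removable-device session on a managed endpoint, as an
// endpoint-control agent might record it. The log format is constructed for
// this example and is not any product's format.
type DeviceEvent struct {
	When     time.Time
	Host     string
	User     string
	Class    string // "usb-storage", "sd-card", "phone", "network-card", ...
	DeviceID string // vendor:product:serial
	Files    int    // files written to the device during the session
}

// Policy is a minimal device-control policy: device classes blocked by default
// plus an allowlist of device IDs the administrator has explicitly approved.
type Policy struct {
	BlockedClasses map[string]bool
	Approved       map[string]bool
}

// Evaluate applies the policy: an approved device is always allowed, any other
// device of a blocked class is blocked, everything else is allowed.
func (p Policy) Evaluate(e DeviceEvent) string {
	if p.Approved[e.DeviceID] {
		return "ALLOW"
	}
	if p.BlockedClasses[e.Class] {
		return "BLOCK"
	}
	return "ALLOW"
}

// ParseEvent parses one constructed agent log line, e.g.
//   2007-09-01T09:15:00Z host=ws-12 user=alice class=usb-storage id=0781:5567:AA12 files=37
func ParseEvent(line string) (DeviceEvent, error) {
	fields := strings.Fields(line)
	if len(fields) != 6 {
		return DeviceEvent{}, fmt.Errorf("malformed line: %q", line)
	}
	ts, err := time.Parse(time.RFC3339, fields[0])
	if err != nil {
		return DeviceEvent{}, fmt.Errorf("bad timestamp in %q: %w", line, err)
	}
	e := DeviceEvent{When: ts}
	for _, kv := range fields[1:] {
		k, v, ok := strings.Cut(kv, "=")
		if !ok {
			return DeviceEvent{}, fmt.Errorf("bad field %q in %q", kv, line)
		}
		switch k {
		case "host":
			e.Host = v
		case "user":
			e.User = v
		case "class":
			e.Class = v
		case "id":
			e.DeviceID = v
		case "files":
			n, err := strconv.Atoi(v)
			if err != nil || n < 0 {
				return DeviceEvent{}, fmt.Errorf("bad files count %q in %q", v, line)
			}
			e.Files = n
		default:
			return DeviceEvent{}, fmt.Errorf("unknown field %q in %q", k, line)
		}
	}
	return e, nil
}

// Audit is the report an administrator reviews: sessions allowed and blocked,
// files that left on approved devices, and the unapproved devices that appeared.
type Audit struct {
	Allowed, Blocked, FilesCopied int
	Unapproved                    []string // device IDs of blocked sessions, in log order
}

// Run parses and evaluates every line, stopping at the first malformed one so a
// truncated or edited log is noticed rather than silently skipped.
func Run(p Policy, lines []string) (Audit, error) {
	var a Audit
	for _, line := range lines {
		e, err := ParseEvent(line)
		if err != nil {
			return Audit{}, err
		}
		if p.Evaluate(e) == "BLOCK" {
			a.Blocked++
			a.Unapproved = append(a.Unapproved, e.DeviceID)
			continue
		}
		a.Allowed++
		a.FilesCopied += e.Files
	}
	return a, nil
}

// SampleLog and DefaultPolicy are constructed inputs for the example.
var SampleLog = []string{
	"2007-09-01T09:15:00Z host=ws-12 user=alice class=usb-storage id=0781:5567:AA12 files=37",
	"2007-09-01T09:42:10Z host=ws-07 user=bob class=usb-storage id=1234:abcd:ZZ99 files=1200",
	"2007-09-01T10:03:55Z host=lt-03 user=carol class=phone id=05ac:12a8:PH01 files=0",
	"2007-09-01T10:20:00Z host=ws-12 user=dave class=network-card id=0bda:8153:NIC7 files=0",
}

var DefaultPolicy = Policy{
	BlockedClasses: map[string]bool{"usb-storage": true, "sd-card": true, "phone": true},
	Approved:       map[string]bool{"0781:5567:AA12": true},
}

func main() {
	a, err := Run(DefaultPolicy, SampleLog)
	if err != nil {
		fmt.Println("audit failed:", err)
		return
	}
	fmt.Printf("allowed=%d blocked=%d files copied to approved devices=%d\n", a.Allowed, a.Blocked, a.FilesCopied)
	fmt.Println("unapproved devices seen:", a.Unapproved)
}
```

On the constructed log, the approved USB drive and the network card are allowed, the unapproved USB drive and the phone are blocked, and only the 37 files written to the approved drive count as data that left the endpoint; the two blocked device IDs form the inventory of media that has connected without approval.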
2. Encrypt everything
Because data can be stored in USB devices and external storage cards such as Secure Digital/Multimedia Cards (SD/MMC), CF cards and PC storage cards, administrators should encrypt all communications and data, including email, file transfers, hard drives, external storage and removable media.
Removable media encryption allows an enterprise to ensure that any data taken outside its own managed environment is protected. It is a simple solution to a complex threat, and a solution model that can be applied to flash drives, digital cameras, PDAs, MP3 players, smartphones or any other type of removable device.
This safeguard can also restrict access to a computer's ports. Current encryption software can enforce authorization rules that permit only designated files to be copied onto removable media, and can automatically encrypt the data residing on those devices with 128- or 256-bit AES.
If data is encrypted, it cannot be read by any unauthorized user in the case of loss or theft. Most removable media encryption products can be configured to prevent access to all devices except those that have been explicitly signed and added to a list of authorized devices by the system administrator. Data on an encrypted portable storage device can be read on a machine that is running removable media encryption software and has the correct encryption key installed. To any other computer, the device appears to be unformatted and any data it contains is inaccessible. Some products may also require a password in order to access the device.
3. Use digital rights management (DRM) technology as part of a wider protection strategy
Digital rights management is crucial to enterprises for which intellectual property is of vital importance. The term refers to technology that protects files via encryption and grants access to them only after the user or device requesting access has had its identity authenticated and its right to that specific type of access verified. DRM protection is persistent because it remains in force wherever the content goes; in contrast, a file that sits on a server behind the server's access control mechanism loses its protection once it is moved off the server. DRM technologies therefore secure content both behind and beyond the corporate firewall. Not only can the content be protected during the production process, but its copyright, licensing, reproduction and other specific conditions follow the content throughout its use cycle.
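The Go example below is added here to show how removable media encryption (strategy 2) and the DRM idea just described fit together in code; it is illustration code written for this article, not Safend's or any product's implementation. Data is encrypted with AES-256-GCM, and a header naming the approved device serial and the granted rights is authenticated alongside the ciphertext, so a machine holding the correct key and reading from the named device can open it, while a wrong key, a different device, a request that exceeds the granted rights, or an edited header all yield no plaintext. The Header layout, the rights strings, the serial numbers and the sample plaintext are constructed assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"strings"
)

// Header travels with the protected data in the clear but is authenticated:
// the approved device the data may reside on and the rights granted to the
// holder. The layout is constructed for this example, not any product's.
type Header struct {
	DeviceSerial string
	Rights       string // "read" or "read+copy"
}

// Container is what is actually written to the removable device.
type Container struct {
	Header     Header
	Nonce      []byte
	Ciphertext []byte // AES-256-GCM ciphertext with the tag appended
}

// aad encodes the header as GCM additional authenticated data, so editing the
// serial or the rights on the device invalidates the authentication tag.
func (h Header) aad() []byte { return []byte(h.DeviceSerial + "|" + h.Rights) }

// NewKey returns a fresh 32-byte AES-256 key, standing in for the key the
// administrator provisions to managed endpoints.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	_, err := rand.Read(key)
	return key, err
}

func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("AES-256 requires a 32-byte key")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Protect encrypts plaintext for one approved device under the given rights.
func Protect(key []byte, h Header, plaintext []byte) (Container, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return Container{}, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return Container{}, err
	}
	return Container{Header: h, Nonce: nonce, Ciphertext: gcm.Seal(nil, nonce, plaintext, h.aad())}, nil
}

// rightsPermit checks an operation against a "+"-separated rights list.
func rightsPermit(rights, operation string) bool {
	for _, r := range strings.Split(rights, "+") {
		if r == operation {
			return true
		}
	}
	return false
}

// Open is the managed endpoint's side: the device presenting the container must
// be the one named in the header, the requested operation must be within the
// granted rights, and the key must be correct. Any failure yields no plaintext.
func Open(key []byte, c Container, presentSerial, operation string) ([]byte, error) {
	if c.Header.DeviceSerial != presentSerial {
		return nil, fmt.Errorf("container is bound to device %q, not %q", c.Header.DeviceSerial, presentSerial)
	}
	if !rightsPermit(c.Header.Rights, operation) {
		return nil, fmt.Errorf("operation %q not granted by rights %q", operation, c.Header.Rights)
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	pt, err := gcm.Open(nil, c.Nonce, c.Ciphertext, c.Header.aad())
	if err != nil {
		return nil, errors.New("wrong key or tampered container")
	}
	return pt, nil
}

func main() {
	key, _ := NewKey()
	c, _ := Protect(key, Header{DeviceSerial: "SN-APPROVED-001", Rights: "read"}, []byte("constructed salary table"))
	pt, err := Open(key, c, "SN-APPROVED-001", "read")
	fmt.Printf("authorized read: %q %v\n", pt, err)
	_, err = Open(key, c, "SN-OTHER", "read")
	fmt.Println("unapproved device:", err)
	_, err = Open(key, c, "SN-APPROVED-001", "copy")
	fmt.Println("copy without right:", err)
}
```

Binding the header into the authenticated data is what makes the protection persistent in the DRM sense: the serial and the rights cannot be rewritten on the device to widen access, because the tag check in Open fails before any plaintext is released.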
4. Coordinate DRM and Content Management Systems
Various types of corporate enterprises, including large corporations, government agencies and others, adopt content management systems (CMSs) to help them organize digital content and create content-based products for their customers, employees and partners. CMSs are intended to be control centers for entire content lifecycles, including content creation, management, production and distribution.
Integrated DRM-CMS solutions provide enterprise-wide assurance that content and document operations comply with current regulatory regimes and with accountability, privacy and security legislation. Tracking submissions to government bodies is of particular importance to businesses operating in a regulatory environment, which is subject to change: new, and often more stringent, regulatory or administrative standards for business operations can be mandated on a short timeframe, with significant consequences for failing to meet them, and an integrated system allows compliance to be achieved within that window.
When effectively combined, DLP, encryption, DRM and CMS technologies provide a virtually foolproof system for avoiding the perils of data theft, data leakage and malware introduction. As the mobile and remote workforce increasingly becomes the norm, today's enterprises must strive to meet the challenge of data leak prevention or risk turning off-site productivity into big-time losses.
Gil Sever is founder and chief executive officer of Safend. Before Safend, Gil served as COO of ECTEL, a provider of monitoring solutions for IP, telephony and cellular networks. He also held the position of Israel Site Manager and VP R&D for Aeroscout (formerly Bluesoft), a company focusing on WiFi and Bluetooth location finding.