It was only last month that Jack Straw indicated the government’s desire to impose harsher punishments, and even jail time, on employees in organisations where data breaches occur, as a wake-up call to everyone who handles and stores sensitive data.
Now, as a result of the loss of an unencrypted USB memory stick that carried thousands of prisoners’ personal data, the Home Office has promised to encrypt all portable or mobile devices that carry data and will only work with contractors who will do the same.
What is significant about these developments is that they affect both the private and the public sector. The costs of a data loss have always been a huge deterrent for private enterprises.
It is not just the individual or their manager who pays for a breach: the whole business suffers through lawsuits, bad publicity, loss of customer faith, and possibly even bankruptcy.
In the public sector the damage has been limited to embarrassment for the government and the affected department, and possibly compensation for those affected, but those implications have not been sufficient to force a radical change in behaviour in the handling and management of sensitive data and portable storage devices.
So, apart from creating some helpful PR for the government that it is “cracking down” on sloppy handling of private data, there is now strong motivation for organisations in private and public sectors to tighten their procedures.
What is clear is that, whether data is lost by malicious intent or by accident, private sector businesses and government departments alike have few excuses when a breach takes place.
Organisations need to investigate the numerous methods and solutions available that prevent such confidential data being lost and need to ensure that the right policies and permissions are in place, together with the right software, to permit only a select few to download data onto USB memory sticks and other removable storage devices.
The days when bulk transport of data was difficult due to slow communication links and the lack of high density storage media have long since departed – it has never been easier to intentionally or unintentionally misplace and lose data of all kinds.
Couple this surge in technology with the increased digitisation of all financial, personal and business records and it is perhaps surprising data breaches are not more common.
What can be done? Well, there are at least three approaches available:
First, there is the physical approach. This is not a joke – a number of highly sensitive agencies around the world physically disable the USB and other ports on laptops and desktops to prevent anything from being inserted. I spoke with one IT group who had a special mix of epoxy resin approved for use in USB ports to ensure they were fully decommissioned.
The downsides of this approach are obvious enough – there are legitimate reasons for using USB ports, for example plugging in an external mouse, and there will also be situations where a member of IT staff will need those ports to repair a PC.
It also does not cover the data leakage possible through burning a CD-R or DVD-R, or through Bluetooth, or other expansion slots (PCMCIA, CardBus).
Second, Windows’ built-in Group Policy technology provides a draconian on-off switch: a single “deny all access” setting for every class of removable storage on managed PCs, regardless of which port it is plugged into.
This is the software-enforcement equivalent of announcements like the recent U.S. Department of Defense declaration that effectively banned all USB and removable storage devices. Again, there are obvious shortcomings to this approach: there are other ways to remove data from a PC, and a blanket ban also prevents legitimate use.
For example, the Marketing department needs to use USB scanners and cameras, the Sales team is allowed to use company-approved USB devices that have built-in biometric authentication and are identified by their serial number, and the IT group uses removable storage for re-imaging damaged computers.
We recommend that IT organisations take a more balanced approach. A detailed security audit is first needed to identify exactly which devices are needed by which groups of users, and then those access policies must be centrally created, managed and deployed onto every desktop so they are always resident and apply to every user who connects to, or logs on to, that computer.
Another key requirement is central auditing and tracking of all usage – both successful events and those which were denied by the security policy. This approach requires third-party software which provides a high level of granularity, combined with central policy management, deployment and collection of audit reports and events.
The best tools in this space let the administrator grant read and/or write access separately for the relevant device classes, let the administrator allow or deny individual devices by vendor/product ID and serial number, and cover much more than just USB ports, including Firewire, CD/DVD drives and card slots.
It is also important to provide control over USB storage devices without interfering with other USB devices such as scanners, keyboards, mice and other controllers.
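To make the contrast between the blunt Group Policy switch described above and a more granular per-class policy concrete, here is an added example (not code from the original article or from ScriptLogic) that drives the Windows “Removable Storage Access” policy through the registry values that Group Policy itself writes. The policy root path, the `Deny_All` / `Deny_Read` / `Deny_Write` / `Deny_Execute` value names and the class GUIDs are taken from the Windows ADMX template and should be verified against the template version in your environment; the function names are this example’s own.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the original article: set the Windows "Removable Storage
# Access" policy directly in the registry key that Group Policy writes.
# GP editor path (assumed from the ADMX template):
#   Computer Configuration > Administrative Templates > System > Removable Storage Access
# In a domain you would set the same values in a GPO; gpupdate lands them in this key.

$PolicyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'

# Storage class GUIDs the per-class policy keys are named after (from the ADMX;
# treat as assumptions and verify against your template).
$StorageClass = @{
    RemovableDisks = '{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}'  # USB sticks, card readers
    CdDvd          = '{53f56308-b6bf-11d0-94f2-00a0c91efb8b}'  # optical drives (covers burning)
    WpdDevices     = '{6AC27878-A6FA-4155-BA85-F98F491D4F33}'  # phones, cameras, media players
}

function Set-RemovableStorageDenyAll {
    # The blunt on/off switch: "All Removable Storage classes: Deny all access".
    param([switch]$Enable)
    New-Item -Path $PolicyRoot -Force | Out-Null
    if ($Enable) {
        Set-ItemProperty -Path $PolicyRoot -Name 'Deny_All' -Value 1 -Type DWord
    } else {
        Remove-ItemProperty -Path $PolicyRoot -Name 'Deny_All' -ErrorAction SilentlyContinue
    }
}

function Set-RemovableStorageClassAccess {
    # Per-class policy: deny read, write and/or execute for one storage class only.
    # Non-storage USB devices (keyboards, mice, scanners) are not storage classes,
    # so they are unaffected by any of these values.
    param(
        [Parameter(Mandatory)][ValidateSet('RemovableDisks', 'CdDvd', 'WpdDevices')]
        [string]$Class,
        [switch]$DenyRead,
        [switch]$DenyWrite,
        [switch]$DenyExecute
    )
    $key = Join-Path $PolicyRoot $StorageClass[$Class]
    New-Item -Path $key -Force | Out-Null
    $settings = @{ Deny_Read = $DenyRead; Deny_Write = $DenyWrite; Deny_Execute = $DenyExecute }
    foreach ($name in $settings.Keys) {
        if ($settings[$name].IsPresent) {
            Set-ItemProperty -Path $key -Name $name -Value 1 -Type DWord
        } else {
            # A value that is absent means "not configured", i.e. access allowed.
            Remove-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue
        }
    }
}

function Get-RemovableStoragePolicy {
    # Read the policy back so the actual state of a machine can be audited
    # against the intended central policy rather than assumed.
    $result = [ordered]@{ DenyAll = $false }
    if (Test-Path $PolicyRoot) {
        $result.DenyAll = [bool](Get-ItemProperty -Path $PolicyRoot).Deny_All
    }
    foreach ($name in $StorageClass.Keys) {
        $key = Join-Path $PolicyRoot $StorageClass[$name]
        $p = if (Test-Path $key) { Get-ItemProperty -Path $key } else { $null }
        $result[$name] = [pscustomobject]@{
            DenyRead    = [bool]$p.Deny_Read
            DenyWrite   = [bool]$p.Deny_Write
            DenyExecute = [bool]$p.Deny_Execute
        }
    }
    [pscustomobject]$result
}

# --- Usage ---------------------------------------------------------------
# High-security zone: the draconian switch, no removable storage mounts at all.
#   Set-RemovableStorageDenyAll -Enable
#
# Balanced zone: staff may read USB sticks and CDs but cannot copy data out to
# them or run executables from them; phones and cameras are blocked entirely.
Set-RemovableStorageDenyAll                       # ensure the blanket deny is off
Set-RemovableStorageClassAccess -Class RemovableDisks -DenyWrite -DenyExecute
Set-RemovableStorageClassAccess -Class CdDvd          -DenyWrite
Set-RemovableStorageClassAccess -Class WpdDevices     -DenyRead -DenyWrite
Get-RemovableStoragePolicy | Format-List
# Apply immediately with: gpupdate /force (already-mounted devices may need a reboot)
```

The same value names exist under `HKCU:\Software\Policies\Microsoft\Windows\RemovableStorageDevices` when the setting is made in User Configuration, which is how a domain can give different groups different device rights on the same PC. What this built-in policy cannot do is distinguish one USB stick from another: it acts on whole storage classes, so allowing only the company-approved, serial-numbered devices mentioned earlier still requires a tool that filters on vendor/product ID and serial number.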
The key challenge here is to ensure security and reduce risk without crippling productivity. The exact blend will vary from one organisation to the next, depending on the sensitivity of the data they hold as well as the level of separation between departments who handle that data.
It is important to use a solution which allows different policies to be applied by user, by group, or even by location and the class of device the user is using. For example, a user might be allowed to use USB devices in a low security zone which has no access to sensitive data, but when they move to a different terminal then the security policy should be very different.
This balanced approach provides IT departments with assurance that data is secure while also keeping end-users productive.
Jon Rolls is Vice President of Product Management, ScriptLogic Corporation