The Drive for Data ProtectionBy Andrew Garcia | Posted 04-16-2007
Not finished with updating your organization's payroll for the day? No problemjust save the documents to a USB thumb drive, drop the drive in your briefcase, stick it in one of your family PC's USB slots and finish up in the comfort of your own home.
But wait. Your kids were downloading some cool IM (instant messaging) icons, and now your home PCand the USB devices connecting to itare infected with a virus. Or, you thought you had stuck the USB drive in your briefcase. Or was it your pocket? In any case, where the heck is the drive?
Yes, it's easier than ever to take the data and runa blessing for many users, but a curse for administrators charged with securing company information.
Employees need access to data to do their jobs, but IT implementers and corporate executives need to weigh the productivity benefits of allowing users to take data home against the security implications of private data lost via a rogue or misplaced device. eWEEK Labs recommends that companies not allow unfettered usage of portable storage devices with corporate machines.
However, the knee-jerk reaction of gluing employees' USB ports shut can hamper productivity significantly, because those ports could be used for card readers, digital signature devices and VOIP (voice over IP) handsets, among many other devices and functions.
Rather, we recommend the establishment of written data-handling policies, backed by policy-based security controls and accountability via reports and logs to ensure against data loss.
Microsoft's Windows XP provided the bare-minimum protection against device-borne data loss, but required some creative workarounds to get going. Windows Vista promises more granular controls to block device installation, plus read or write behavior blockingalbeit with some odd and unfortunate dependencies.
But the operating system is not the place to look for the current utmost in protection against accidental data loss, and oversight over and privacy for data that is permitted to be copied to devices, and proof of action for audit and compliance purposes. For these types and levels of protection, companies need to look to third-party solutions.