Jul 29, 2005 (11:07 AM EDT)
Reducing The Data-Theft Threat From USB Memory Sticks

Read the Original Article at InformationWeek

Businesses constantly struggle between giving workers easy access to applications and information, and clamping down on access to ensure tight security. As new technologies make it easier to download and walk off with a company's crucial data, that challenge becomes more difficult. For many companies, the latest threat is USB memory sticks, small storage devices that can hold lots of data and easily be hidden in pockets, purses, or briefcases.

For the past two years, Martin, Fletcher & Associates, a medical staffing firm, has dealt with the USB memory-stick threat by banning their use. For VP of IS Fabi Gower, the information on job openings and job candidates collected by the company is crucial, and she does everything she can to reduce the opportunities for someone to steal that data. Hence the USB memory-stick ban.

"We had policies in place to lock down floppy drives and CD burners," she says, "but I could not find a feasible way to lock down our USB ports. The issue is that we don't care to have data walking out the door in somebody's pocket."

After two years of looking for something that could monitor and manage the use of USB memory sticks, Gower recently found an endpoint security program that has caused the company to reconsider its prohibition on the use of the devices. She has been testing Sanctuary Device Control 3.0 from SecureWave, which monitors every USB port on a network or on computers attached to the network and lets IT managers set policies to manage the use of USB portable storage devices.

"We want to stay ahead of employees lifting proprietary data on USB memory sticks," Gower says. "Device Control picks up on the actual device. From any USB port on the network, the software will identify the memory stick."

The latest version of the security software adds an integrated rules engine that can be used to set policies for applications and devices, giving an IT manager greater control and more-flexible management capabilities. It also includes location-based policy enforcement so administrators can set policies based on whether the memory stick is being used inside or outside the corporate network. It also includes enhanced policy-management features that will let Gower better monitor network-usage patterns and monitor how her administrators are enforcing policies. The new software will be available Aug. 1 at a price of $45 per user.

Gower wants to establish some new policies before she lifts the ban on USB memory sticks. First, she intends to allow the use of only one type of memory stick. She hasn't yet decided which one. Employees must seek permission to use a memory stick to store data. Such a request will have to be approved by the company's top management, and usage will be allowed for only a limited period of time. In addition, Gower plans to encrypt the data on the stick so it will be useless to anyone who steals one.