
IT Compliance Institute, November 15, 2005:

Expert Q&A

When Data Walks: Safeguarding Portable Media

When cell phones have 40 GB hard drives and data breaches can cost millions of dollars, should organizations that handle sensitive information restrict the use of removable storage?

By Mathew Schwartz

Should organizations in regulated environments control employees’ use of removable media? In general, experts say that Sarbanes-Oxley (SOX) and HIPAA are concerned with regulating access to information, not with how it is transported. So there is no explicit requirement to keep an eye on employees’ MP3 players, iPods, flash cards, or other storage devices.

Still, with more states now mandating companies disclose any information breaches involving residents’ personal information, and with those breaches costing—according to the Ponemon Institute—an average of $13 million each, more companies are keeping data encrypted on all of their mobile devices. To learn more, we talk with CEO Peter Larsson and vice president of global marketing Bob Egner, of Pointsec Mobile Technologies, a provider of mobile device encryption solutions.

With mandatory disclosure laws, such as California’s SB 1386, if lost or stolen information is stored in an encrypted format, are companies waived from having to notify customers?

Larsson: That’s correct. You now have a [similar] law in, I think, almost 15 states in the United States, and that’s why we can see companies trying to [better encrypt] their data.

We have had customers show us how much it costs them to go out to a customer, inform them about the breach—operational costs, sending out letters, informing customers—and the costs are overwhelming. Then if you also add on the costs to the brand, the push to protect mobile devices makes sense. …

Anecdotally, which regulations do customers tell you they’re trying to comply with?

Larsson: HIPAA and SOX. But those regulations are mostly about controlling access to the information. However, if you think about what that means, if you lose a device and have not encrypted that device, of course you have lost control of the access to that information.

Do either HIPAA or SOX mandate encryption?

Larsson: If you read the regulations, you will not find words saying “you must encrypt.” But I think if you read into the intentions of the regulations, then for mobile devices, removable media sticks, and other media we have, we need to do something about them, because if you lose control of them, you no longer have control of access. [So] one way to control access is by encrypting data.

How can organizations control whether sensitive information is being stored on removable media?

Larsson: What we recommend—and think is the right way—is not limiting the use of that media. People are using them because they’re useful. So our recommendation is to have a solution that automatically protects the information you store on any removable media or USB drive. And that can be done.

If you automatically encrypt anything stored on a removable drive, what happens if a user plugs the drive into another computer?

Larsson: We provide a self-extracting tool that [gets automatically] put on the USB drive, so it can be plugged into any computer, as long as you have the password to open it. Or you can also store the [retrieval] software on the [PC or laptop].

To what extent do users have to manage this?

Larsson: We decided immediately that this cannot be up to the user. It has to be transparent, so they don’t have to think about taking the USB key and remembering the password. [And if necessary,] in a central way, users can be helped back to the password—through recovery. …

We have different remote-help solutions. In terms of deployment, we work with all the different management systems out there—SMS from Microsoft, or Altiris, Unicenter. It doesn’t really matter.

What about outsourced IT environments?

Egner: From an outsourced environment standpoint, you don’t want to have to go do background checks, or worry about the integrity of the help desk personnel, because in many cases, they’re high-turnover personnel. …[So] we’ve allowed…those help desk personnel or administrators to reset the passwords or help people through, without having access to the information.

Larsson: For example, if you forget your password, you can call the help desk. Maybe you get to a guy in India. He can help you get access to your password…[through] a challenge-response procedure where [the help desk asks you a question;] you, the user, give a response; and the help desk gives you your password. Doing that ensures there’s no master password to access your information.
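As an added illustration (not Pointsec’s code or its actual protocol), here is a simplified recovery design with the property Larsson describes: each device has its own recovery secret escrowed at the help desk rather than a master password, the operator never touches the device or its data, and the response is bound to the challenge the device displays. All function names, the record layout and the XOR key wrap are assumptions made for brevity.

```python
import hashlib, hmac, secrets

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def _kdf(secret: bytes, label: bytes) -> bytes:
    # Illustrative 32-byte key derivation (HMAC-SHA256 over a fixed label).
    return hmac.new(secret, label, hashlib.sha256).digest()

def _check(device: dict, data_key: bytes) -> bytes:
    # The device keeps an 8-byte hash of the data key so a bad unwrap is detected.
    if hashlib.sha256(data_key).digest()[:8] != device["check"]:
        raise ValueError("unwrap failed: wrong password or response")
    return data_key

def enroll(device_id: str, password: str):
    """Enrol one device; returns (record kept on the device, record escrowed at the help desk)."""
    data_key = secrets.token_bytes(32)         # key that encrypts the media contents
    salt = secrets.token_bytes(16)
    pw_key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    recovery_secret = secrets.token_bytes(32)  # per device, escrowed only; never stored on the device
    challenge_key = secrets.token_bytes(32)    # per device, on the device and escrowed; binds responses
    device = {
        "id": device_id, "salt": salt, "challenge_key": challenge_key,
        "check": hashlib.sha256(data_key).digest()[:8],
        # XOR wrap of a fresh 32-byte key is used for brevity; real products use AES key wrap.
        "pw_wrapped": _xor(data_key, pw_key),
        "rec_wrapped": _xor(data_key, _kdf(recovery_secret, b"wrap")),
    }
    return device, {device_id: {"recovery_secret": recovery_secret, "challenge_key": challenge_key}}

def unlock_with_password(device: dict, password: str) -> bytes:
    pw_key = hashlib.pbkdf2_hmac("sha256", password.encode(), device["salt"], 200_000)
    return _check(device, _xor(device["pw_wrapped"], pw_key))

def new_challenge() -> bytes:
    # Shown on the locked device; the user reads it to the help desk.
    return secrets.token_bytes(8)

def helpdesk_response(escrow: dict, device_id: str, challenge: bytes) -> bytes:
    # The operator uses only the escrow row, never the device or its data. The wrap key is
    # masked with HMAC(challenge_key, challenge), so the response only works for this challenge.
    rec = escrow[device_id]
    mask = hmac.new(rec["challenge_key"], challenge, hashlib.sha256).digest()
    return _xor(_kdf(rec["recovery_secret"], b"wrap"), mask)

def unlock_with_response(device: dict, challenge: bytes, response: bytes) -> bytes:
    # The device removes the mask, recovers the wrap key and unwraps the data key.
    mask = hmac.new(device["challenge_key"], challenge, hashlib.sha256).digest()
    return _check(device, _xor(device["rec_wrapped"], _xor(response, mask)))
```

A stolen device holds only the wrapped keys and the challenge key, so it cannot unwrap the data key by itself, and a compromised escrow row exposes one device rather than every device the way a shared master password would.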

In general, are companies that adopt your encryption technology protecting just laptops, or all portable devices and removable media?

Larsson: It’s a mix. Some companies decide to go with just laptops. …A lot of companies realize the most important thing they want to protect against is theft and loss of mobile devices. Yet there are other things to consider when it comes to workstations, such as end of life. What do you do when [a device] comes to the end of [its] life? Destroy it? If you’ve encrypted the data, you don’t need to do anything. You can just donate [the device] to your local high school.

What about protecting other mass-storage devices?

Larsson: There’s also an interesting trend in the smart phone space. For example, one from Samsung has a 20-Gbyte hard drive included in it. It’s kind of the iPod effect moving into the smart phone space; and the greater the capacity to store information, the greater chance you’ll have sensitive information get on it, whether [intentionally] or inadvertently. And the more that happens, the more it presents a risk to the company.

So portable hard drives will often get filled with corporate information?

Egner: If you’re familiar with the concept of iPod slurping—the idea that you pull a lot of information off your computer to take with you—[such devices] basically take on the form of portable storage. Now the same situation is starting to enter the market, as these smart phones have hard disks included in them.

Larsson: Right. For example, I’m personally using a smart phone from Nokia where I get all my e-mails, and the attachment comes out to the phone. And I can read PDFs and spreadsheets, and it has a pretty good screen.

Beyond smart phones, can you encrypt data on iPods?

Larsson: Not yet. However, if you have our removable media solution, you can restrict them. The thing with an iPod is it’s not a pure USB storage device, though it is an interface that we can recognize [and restrict].

Egner: The security policy that’s included with our Pointsec media encryption [software] lets you define how much information you’ll lock out: writable CDs, or USB, MP3 players, or whatever you need to lock out.

Mathew Schwartz is a former contributing editor for the IT Compliance Institute. You can contact him about this and other articles at Mat@PenandCamera.com.


This article originally appeared in IT Compliance Insitute and is reprinted by permission of 1105 Media, Inc.