State agency moves to plug USB flash drive security gap

Security officials are issuing USB flash drives to workers in the state of Washington's Division of Child Support as part of a new security procedure established to eliminate the use of non-approved thumb drives by workers collecting and transporting confidential data. (Compare Data Leak Protection products)

The state has so far distributed 150 of 200 SanDisk Cruzer Enterprise thumb drives to unit supervisors in the division who manage collections teams in 10 field offices, said officials.

Brian Main, the division's data security officer, said the new drives promise to help officials keep better track of mobile data by integrating them with Web-based management software that can centrally monitor, configure and prevent unauthorized access to the miniature storage devices.

"We do periodic risk analysis of our systems and one of the things that came up is the use of thumb drives -- they were everywhere," said Main. "We had a hard time telling which were privately owned and which were owned by the state." He also said that officials had a difficult time keeping track of what data was stored on the workers' thumb drives.

Main said the division plans to manage and backup the new drives using SanDisk's Central Management & Control server software, which will soon be installed at the division's HQ in Olympia. The software, which relies on a Web connection to directly communicate with agents on the tiny flash drives, can also remotely monitor and flush any lost drives, he said.

Each field office will run a copy of the software to handle localized management needs, he said.

Officials in the division's training operations will get Cruzer Enterprise devices with 4GB of memory to store large-sized presentation and screenshots. Enforcement personnel will get devices that store 1GB, Main said.

Main said the division first looked at Verbatim America's thumb drives in its effort to improve security, but ultimately turned to the SanDisk technology due to its support for Microsoft's Windows Vista operating system.

Cruzer Enterprise provides 256-bit AES encryption and requires users to create a password upon activation. The device automatically deletes all of its content once 10 efforts to access its content are denied due to the use of incorrect passwords. Main said the self-encrypting capability was removes the "human component" from managing confidential data, a key feature for the agency.

The Division of Child Support collects about $700 million per year in child-support payments form non-custodial parents. The agency, part of the state's Department of Social and Health Services, manages 350,000 active child support cases annually, noted Main.

Sensitive data transported by off-site workers includes tax documents, employer records, criminal histories and federal passport data of some agency clients, Main said. At the least, he noted the drives include names, dates of birth and social security numbers of children serviced by the agency.

The state began rolling out the Cruzer drives late last year after recalling the thumb drives used by workers. Most were purchased independently by the workers, causing myriad problems for security personnel, Main said. The new policy requires workers to use the drives supplied by the agency. Main said he eventually plans to destroy all existing thumb drives collected as part of the security policy change.

Most companies are too enamored with the convenience, portability and low cost of USB flash drives to consider their security threat, said Larry Ponemon, chairman Ponemon Institute LLC, a Traverse City, Mich.-based research firm.

"I think a lot of organizations are asleep at the switch. They don't see this as a huge problem and it obviously has the potential to be mother of all data protection issues," said Ponemon. "A lot of organizations believe if you have a good [security] policy and you educate people and ask them to be good that's sufficient. The reality is thumb drives create a lot of uncertainty because they contain enormous an amount of information."

A December 2007 survey of 691 IT security practitioners by the Ponemon Institute asked respondents if they believed most employees would report a lost laptop or memory stick. While 78% said that employees would likely notify IT about a lost laptop, only 25% expected that workers would report a lost USB flash drive.

"The general perception is no one will report a lost USB memory stick because they're so cheap -- and the embarrassment factor. It's hard to even know all the different instances where information [on them] is lost or stolen," remarked Ponemon.

The agency is in talks with ControlGuard to deploy the security provider's Endpoint Access Manager Server and Endpoint Agents across its network. The Management Server sends security policy information from a central location to agents installed at specific data points to enforce protection and monitor activities. Main said the technology would allow his office to restrict authentication and control data output access on PCs, hard drives and printers.

Learn more about this topic


This story, "State agency moves to plug USB flash drive security gap" was originally published by Computerworld.

Join the Network World communities on Facebook and LinkedIn to comment on topics that are top of mind.

Copyright © 2008 IDG Communications, Inc.