USB drives and the enterprise
Agencies are catching up with these tiny storage devices' big security issues
- By John Rendleman
- May 19, 2007
GCN illustration by Sam Votsis
USB flash drives are, in a nutshell, nifty. They're small, useful, portable, reliable, durable and flexible - not to mention economical, fast and good at storing large amounts of data.
The devices are also extremely popular and becoming more so as more computer users apply the technology.
An impressive number of USB flash drives are already in use, and that number is expected to grow, raising concerns about enterprise security.
Nearly 150 million of the devices will be sold in the United States this year, according to market research by Gartner Dataquest. That's just six years after the first USB flash drives appeared in the United States. Consumers embraced the drives from the start, and the market took off in earnest in 2001, when 1 million were sold, said Joseph Unsworth, Gartner's principal analyst covering NAND flash memory, the technology underlying USB flash drives.
Sales of USB drives will grow about 25 percent a year during the next several years, according to Gartner, with annual sales expected to surpass 220 million units in 2010.
The general public accounts for the bulk of USB drives sold, however, and consumers will continue to buy the vast majority of them, according to Gartner Dataquest.
Developers designed the USB drives for individual users, but the technology has altered the computing landscape for enterprise customers, too, because the drives' portability encourages users to introduce them into new environments.
Unsworth said the public buys roughly 70 percent of all USB drives sold, with 23 percent purchased by large enterprises in business and ' to a lesser extent ' government. Government agencies in the past year or two probably bought only about 5 percent of all USB drives, but that's after years of not buying any, he said.
Even so, the devices found their way into government systems ' thanks to their popularity, extreme portability and variety of uses. The drives have been quietly infiltrating government offices in increasing numbers as workers bring their personal drives to the office and connect them to their employers' systems.
The steady penetration of USB drives into the government continued largely unnoticed until about 2005, when the sheer number of drives connected to government computers forced agency leaders and information technology administrators to look at how to incorporate them into enterprise systems.
'That's when the use of USB drives really'gained enough momentum that government agencies and large companies realized that USB drives had become an issue with risks ... they would have to manage,' Unsworth said.Risky business
According to security experts, connecting just one unauthorized device to a computer network can be extremely risky.
'That's going to create a problem, and the issue is the viruses and other security threats that they introduce to the network environment,' in addition to the risk of data theft or the accidental disclosure or loss of valuable or confidential information, said Mike Hager, enterprise security adviser at Unisys.
To reduce that risk, large business and government customers need to have an acceptable-use policy governing authorized devices that can be connected to their networks, coupled with security and management software to detect, prevent and monitor vulnerabilities.
Most of the security risks and vulnerabilities introduced by USB drives are because of limitations in the original design of the drives, which initially lacked security and management features because they weren't meant for corporate or government use, said Nimrod Reichenberg, head of enterprise solutions marketing at USB drive vendor SanDisk.
'Companies and the government realized that this [was] something they had to deal with if they wanted to take advantage of the technology,' Reichenberg said.
Several government agencies have seen firsthand the potential damage that can result from losing or misplacing sensitive data. The Veterans Affairs Department drew the most attention from the May 2006 loss of a single laptop PC containing sensitive information on 26.5 million individuals. The notebook was recovered, and the data had not been tampered with, but VA is still feeling the effects.
VA enacted strict new rules in April in an attempt to significantly reduce workers' use of USB drives and cut the agency's risk of loss or misuse of the devices. VA now permits only approved drives that comply with the National Institute of Standards and Technology's Federal Information Processing Standard 140-2 for encrypting data and have a maximum capacity of 2G. Employees also must explain why they need to use the drive and are required to get a supervisor's approval before the agency's chief information officer will issue one.
Alleviating some of the risk, newer drives often incorporate different levels of security and data protection ' including encryption, user authentication and access control ' and management features that help identify, track and correct problems, Reichenberg said.
Before allowing USB drives, government agencies and companies with sensitive or highly regulated operations should adopt management practices and security technologies that limit the devices' risks and vulnerabilities, Reichenberg said.
The first step involves standardizing the drives authorized for use, defining the makes and models users can connect to the organization's computers, and prescribing specific management and security features.
Newer drives offer built-in hardware encryption to prevent users from bypassing their data-scrambling features, and software running on all of an organizations' ports or end points can verify that users and devices are authorized when they log on. Management software can also help customers administer the entire system from a central point by detecting, logging and verifying problems, Reichenberg said.
For agencies with classified operations, vendors now offer USB drives with higher levels of data protection and security, Reichenberg said, including single devices that use smart-card technology to authenticate users and sophisticated data encryption on the drive's flash memory.
Agencies might also consider updating data backup and archiving procedures, Reichenberg said. As the storage capacity of USB drives increases, organizations could risk losing terabytes of data if drives are lost or destroyed.
Once agencies address basic management issues ' such as authorizing specific drives and implementing guidelines for permissible use ' the benefits of USB drives easily outweigh any vulnerabilities, experts say.
Those benefits include letting users easily store and transport data files, enabling administrators to distribute system tools such as antivirus protection and data recovery software, and providing a simple mechanism for keeping track of configuration, maintenance and troubleshooting software.
The drives also double as media players that can store and play back audio and visual files, and they can be used to store and transport applications workers can launch on host PCs without installation, including operating systems that boot and run on the drive alone.
Another plus for USB drives is Microsoft's inclusion in its new Windows Vista operating system of the ReadyBoost feature, which uses a USB drive's flash memory to enhance system memory. Microsoft's use of USB drive technology in ReadyBoost further validates the value of USB flash drives and should speed their adoption even further.