When Starbucks earlier this month revealed it couldn’t find four laptops containing data on thousands of employees, IT administrators everywhere once again were forced to ask themselves: What’s our policy on protecting data on mobile devices?
The seemingly never-ending string of high-profile data loss cases — from Los Alamos National Laboratory to Allina Health to U.S. Veterans Affairs — is pushing more organizations to encrypt data on such devices as laptops and USB flash drives, and establish associated security policies.
“We do have policies specific to laptops that fall under our Mobile Device Policy,” says Tom Gonzales, senior network administrator for the Colorado State Employees Credit Union in Denver. The organization has codified a policy for securing laptops, disk drives, USB flash drives and CD-ROMs.
Gonzales describes the policy this way: “USB ports are disabled using the Cisco Security Agent, so only certain people such as IT can write to flash drives. We usually don’t encrypt the entire drive on users’ laptops, but do provide secure storage areas so that end users can just save the files to that location and they will always be encrypted. Our desktop PCs don’t have floppy drives or CD-ROM writers.”
The reason that companies are going to these extremes is clear: Data loss is costing them lots of money. The Ponemon Institute suggests each incident costs about $4.7 million — $182 per record. Using these numbers, the incident at Starbucks put as much as $10.9 million of data at risk (Starbucks said in a press release it is not sure what became of its laptops but has seen no evidence that data has been misused.)
Given the sensitive nature of security policies, some IT and network professionals are reluctant to discuss their policies regarding data protection on removable storage devices and mobile gear.
“Policy prevents me from answering most of your questions so I should probably decline,” says Ken Walters, senior director for enterprise platforms at the Public Broadcasting Service in Alexandria, Va. “My personal feeling is that we need some easy way to encrypt all data leaving the building and a mechanism that allows only the authorized employee to see it.”
For Lenny Goodman, director of desktop management for Baptist Memorial Hospital in Memphis, Tenn., protecting data on laptops, flash drives and other removable media is an everyday experience that started with the hospital’s adhering to the Health Insurance Portability and Accountability Act.
“Compliance is a ‘supposed to’ approach to managing the enterprise, whereas it infers best practices — the things we ‘should do’ whether we want to be compliant or not,” Goodman says. “Encryption is a ‘should do’ thing.”
Goodman protects the data stored on USB flash drives with software from Safend that identifies when a USB drive is connected to the network and lets IT set policies that allow or disallow their use.
“Like all organizations, we have discovered rather prolific use of inexpensive, plug-and-play thumb drives,” Goodman says. “We didn’t provide them, but that didn’t stop our users from taking advantage of the technology. When you start seeing 1GB thumb drives available at Target or in a Sunday newspaper brochure, you know that they are going to show up in the enterprise, and whether there is malice or not, it’s something the enterprise has to address.”
Goodman wrote a policy for managing flash drives, identified the flash drives in use at his organization and replaced them with Kingston’s DataTraveler Secure flash drives. The Safend software recognizes only the Kingston drives and disallows others.
“Where there was a legitimate business need for removable storage, we provided a solution that had password protection and nonoptional encryption,” he says.
At Baptist Memorial Hospital, as many as 6,000 desktops and 100 laptops are protected with the Kingston/Safend combination.
“We are encrypting hard drives,” he says. “On our older PCs, we’ve disabled the diskette drives through group policy. We do not have CD burners. Users that bring in CD burners are detected through our endpoint control.”
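The two removable-media controls described above, the credit union's rule that only certain groups such as IT may write to flash drives and the hospital's rule that endpoint software recognizes only one approved encrypted drive model and detects unapproved CD burners, can be expressed as a single device-control policy. The following is an added example written for this article; it is not code from Safend, Cisco, Kingston or any of the organizations quoted. Device IDs, host names, user names and group names are constructed placeholders, and the decision rules are assumptions about how such a policy would be structured.

```python
"""Removable-storage device-control policy evaluator.

Added example, not code from the article or from any vendor named in it.
Models three rules the article describes: an allowlist of approved encrypted
drive models, write access limited to an authorized group, and detection of
CD burners brought onto endpoints. All identifiers below are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Approved devices keyed by "vendorid:productid" (placeholder IDs, not real ones).
APPROVED_DEVICES: Dict[str, str] = {
    "aaaa:0001": "approved hardware-encrypted flash drive (placeholder)",
}

# Only members of these groups may write to removable storage (assumed group name).
WRITE_ALLOWED_GROUPS = {"it-admins"}


@dataclass(frozen=True)
class AttachEvent:
    """One device-attach event as an endpoint agent might report it."""
    host: str
    user: str
    groups: Tuple[str, ...]
    device_id: str      # "vendorid:productid"
    device_class: str   # "usb-storage", "cd-burner", "usb-hid", ...
    encrypted: bool     # whether the device reports active hardware encryption


def evaluate(event: AttachEvent) -> Tuple[str, str]:
    """Return (decision, reason) for one attach event.

    Decisions are "block", "read-only" or "read-write".
    """
    if event.device_class == "cd-burner":
        return "block", "CD burners are not permitted on endpoints"
    if event.device_class != "usb-storage":
        return "read-write", "non-storage device, outside policy scope"
    if event.device_id not in APPROVED_DEVICES:
        return "block", f"device {event.device_id} is not on the approved list"
    if not event.encrypted:
        # An approved model whose encryption is not active is treated as unapproved.
        return "block", "approved model but encryption is not active"
    if WRITE_ALLOWED_GROUPS & set(event.groups):
        return "read-write", "approved device, user in write-allowed group"
    return "read-only", "approved device, user lacks write permission"


def audit(events: List[AttachEvent]) -> List[str]:
    """Produce one audit log line per attach event, including the decision."""
    lines = []
    for ev in events:
        decision, reason = evaluate(ev)
        lines.append(
            f"{ev.host} user={ev.user} dev={ev.device_id} "
            f"class={ev.device_class} -> {decision} ({reason})"
        )
    return lines


# Constructed sample events covering each branch of the policy.
SAMPLE_EVENTS = [
    AttachEvent("ws-101", "alice", ("it-admins",), "aaaa:0001", "usb-storage", True),
    AttachEvent("ws-102", "bob", ("nursing",), "aaaa:0001", "usb-storage", True),
    AttachEvent("ws-103", "carol", ("finance",), "bbbb:0002", "usb-storage", False),
    AttachEvent("ws-104", "dave", ("it-admins",), "aaaa:0001", "usb-storage", False),
    AttachEvent("ws-105", "erin", ("nursing",), "cccc:0003", "cd-burner", False),
    AttachEvent("ws-106", "frank", ("nursing",), "dddd:0004", "usb-hid", False),
]

if __name__ == "__main__":
    for line in audit(SAMPLE_EVENTS):
        print(line)
```

Running the block prints one audit line per event: the IT user's approved drive is read-write, the same drive in a nursing user's hands is read-only, the unapproved drive, the approved drive with encryption off and the CD burner are all blocked, and the keyboard is out of scope. Logging the reason alongside the decision is what makes the later review easier when someone asks why a drive was refused.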
A more flexible approach
Other IT professionals are less concerned with laptop and USB security, saying they leave the decision to encrypt data or password protect it up to users.
Jeff Mery, system administrator for an instrumentation and test equipment manufacturer in Austin, Texas, says controlling removable media such as flash drives is nearly impossible in his environment.
“The main reason is the vast majority of our users are engineers that have very valid business reasons for using USB and CD-ROM media in their day-to-day jobs,” he says, adding that he is considering drive encryption for desktop and laptop users. “Whole-drive encryption is one reason we’re looking at Microsoft Windows Vista and its BitLocker technology,” he says. “Users can currently encrypt data they feel needs it, but BitLocker will allow us to transparently encrypt the entire disk. Users won’t have to remember to encrypt or what’s been encrypted.”
For Dominic Martinelli, vice president of IT at Rackable Systems in Milpitas, Calif., laptop users’ default configuration is a home directory located on a network drive. “When users connect with the network, data is synchronized, enabling automated backup.”
Martinelli, like Mery, doesn’t have a policy for USB drives or CD-ROMs. “We do ask that users use their best judgment,” he says. “We do have policies for PDAs — if a PDA falls out of someone’s pocket in New York, we want to be able to remotely erase its contents.” Martinelli relies on passwords to protect laptop contents and is looking to implement encryption by year-end.