Ask The Expert

Question:

I'm looking for policy guidance for portable mass storage devices such as might be relevant to a Blackberry, iPod, etc. What would you suggest?

Response from Charles Cresson Wood, CISSP, CISM:

What we're talking about, when we refer to portable mass storage devices, are very small hard drives, flash memory cards, and the like that can be used with portable devices such as an iPod, a Blackberry, or a portable notebook computer. These devices are often USB enabled, allowing them to be moved between multiple types of equipment, such as a desktop and a portable. These devices are excellent for large files that may exceed the native drive capacity of a personal digital assistant, a handheld, a portable, or some other small computer. They are also an excellent way for users to back up their work, and store it somewhere else besides on the small computer that they are using. This is particularly important in the case of dropping a small computer, which could then cause permanent damage to the built-in drive in that device.

These portable mass storage devices may also be useful if a user is taking work to another office, or if he or she is taking work home for telecommuting purposes. Users can thus move a large number of files, or perhaps even a database, that might be needed in order to accomplish a complex business task. The use of these devices may also circumvent the need to buy a lot of memory for a personal digital assistant, or a similar device, or for the frequent downloading of the small portable computer's memory into a desktop or another larger machine. So, without going into a lot of the specifics about these devices, they are clearly very useful, and to prohibit their use is going to be difficult if not impossible to justify.

Looking at portable mass storage devices from an information security manager's perspective, we see a small and widely-interfaced device that can be used to covertly move sensitive files out of the office, off of certain computers, and onto unauthorized parties. The question is, how can an organization prevent users from utilizing these portable mass storage devices to make off with sensitive information that they should not be spiriting away, but at the same time not impose undue impediments to getting the business done? There are several approaches that can work, although every form of protection has a price, and the price of these is generally high. So they will not be advisable unless the organization has some very sensitive information to protect (for example, a law firm that does mergers and acquisitions work would benefit from one of these approaches). I will mention two approaches here, digital rights management (DRM) software and content management systems (CMS).

Digital Rights Management is a cryptographic approach that will not allow certain files to be viewed on unauthorized devices, or by unauthorized persons. It doesn't matter if a portable mass storage device is used or not; if the file is protected with DRM, then it will not be visible or usable on an unauthorized device, nor will it be visible to an unauthorized person. In this respect, DRM is an excellent approach to protect information stored in backup files, off-site archives, and home computers. DRM systems include some useful features such as the ability to define a time frame in which a file can be viewed, and when that time frame has expired, the file is thereafter inaccessible. New DRM systems are specifically written for use with portable mass storage devices such as flash memory cards. One of these is the SanDisk™ system.

Taking more of an access-control-oriented approach, Content Management Systems, sometimes called Enterprise Content Management Systems, can act as barriers preventing certain types of information from being moved outside a pre-defined perimeter. A CMS, such as the commercial product called Documentum, can be used to keep a master copy of a sensitive file on a centralized server, and then allow authorized users to access that file, and perhaps update it -- if and only if they have been previously granted the relevant permissions. The traffic sent back and forth with the central server is encrypted, and special client-side software is used to decrypt this traffic. Movement of a file to a mass storage device is done in encrypted form, and to make sense of this stored file, a system viewing this file must be authorized via the centralized server. A CMS can thus be used to prevent the readable movement of certain information to auxiliary devices, such as a portable mass storage device. At the same time, such a portable storage device could be used for backing up information without worry that this backed-up information would fall into unauthorized hands.

Both of these approaches require that sensitive data be explicitly identified and made known to the security system (DRM or CMS). The organization adopting one or both of these approaches should have a data classification policy which recognizes a certain type of information, perhaps "secret" information, and defines permissible and prohibited movements of that same type of information. For example, a number of organizations do not permit the movement of secret information out of the office, unless a manager's permission is first obtained. Related policies should define whether users are allowed to carry this sensitive information with them on portable devices such as a laptop computer. The policy should, at the very least, define what is prohibited. The technology (DRM or CMS) should then be used to make sure that users are abiding by these same rules.

Charles Cresson Wood, CISA, CISSP, CISM, Information Security Consultant, Sausalito, CA; he has no relationship with the vendors mentioned in this article.

Related Resources and Information

Information Security Policies Made Easy, Version 10.0 contains over 1300 pre-written information security policies, including policies for remote users, data encryption and mobile computing.
