New security from USB mass storage

Larry Hamid

Special to Globe and Mail Update

Front Lines is a guest viewpoint section offering perspectives on current issues and events from people working on the front lines of Canada's technology industry. Larry Hamid is chief technology officer at MXI Security, a provider of secure portable devices for the Global 5000 and government. He can be reached at lhamid@mxisecurity.com.

Tremendous advances have been made recently in the world of portable storage. Gigabytes of information can be easily moved around on a USB device that is small enough to clip onto a key chain. Portable USB flash drives and micro-drives can copy data at lightning speed and are part of a larger class of devices known as USB Mass Storage. Surprisingly, many MP3 players and digital cameras also fall under this class, which is why you see a drive letter appear in Windows Explorer when you connect an iPod to a PC.

Unfortunately, advances in USB portable storage have also created increased security threats to corporations:

  • USB is a medium that can carry computer viruses and is yet another entry point for malicious software.
  • USB devices can carry portable software, which presents a problem in environments where desktop applications are tightly controlled and where there are concerns about the nature of personal applications run by employees.
  • The sheer volume of proprietary information that could leave a company undetected through USB devices is an enormous exposure for corporations.


A U.S. security expert recently created a program for an iPod to illustrate these threats. Known as "pod slurping," it silently searches for files likely to contain business data and copies them to the device when the iPod is plugged in. It's an effective demonstration, but theft of intellectual property is a real problem. The U.S. Department of Justice estimated the cost of IP theft to enterprises in 2004 at $250-billion (U.S.).

Understandably, some organizations have disabled USB ports completely, either via the BIOS or by physically filling the USB connectors with a thick epoxy adhesive. While this removes the security threats, it also blocks beneficial uses of USB devices. Corporations should seek alternative solutions, because there is a new breed of security-focused USB mass storage devices known as "Portable Security Devices" that will change the security landscape for the enterprise.

Standard USB Security Measures

Most virus scanners will cover removable media when appropriately configured, so that the entry of viruses through USB can be controlled.

There are products that can monitor and control the use of USB ports, enabling organizations to determine which types of devices to allow and which to reject. For example, an administrator could allow one model of USB flash drive from a particular manufacturer and reject all others.
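
The allow-one-model rule described above, sketched as an added example (not from the original article or any vendor's product). It assumes the control software can read each device's USB vendor ID, product ID and interface class codes; the approved IDs and the sample devices are constructed.

```python
from dataclasses import dataclass

# USB-IF base class codes (bInterfaceClass values).
AUDIO, HID, STILL_IMAGE, MASS_STORAGE = 0x01, 0x03, 0x06, 0x08

# Constructed policy: the single approved flash-drive model (IDs are made up).
APPROVED_STORAGE = {(0x1234, 0xABCD)}


@dataclass(frozen=True)
class UsbDevice:
    label: str
    vendor_id: int
    product_id: int
    interface_classes: tuple  # one class code per interface the device exposes


def exposes_storage(dev):
    # A composite device counts as storage if ANY interface is Mass Storage,
    # which is how a music player or camera ends up with a drive letter.
    return MASS_STORAGE in dev.interface_classes


def decide(dev):
    """Return 'allow' or 'reject' under the storage allowlist."""
    if not exposes_storage(dev):
        return "allow"   # keyboards, mice etc. are outside this policy
    if (dev.vendor_id, dev.product_id) in APPROVED_STORAGE:
        return "allow"   # the one approved model
    return "reject"      # every other storage-capable device


def audit(devices):
    """Decision per device, in a form suitable for an audit log."""
    return [(d.label, decide(d)) for d in devices]


# Constructed sample devices.
SAMPLE = [
    UsbDevice("approved flash drive", 0x1234, 0xABCD, (MASS_STORAGE,)),
    UsbDevice("other flash drive", 0x1234, 0x0001, (MASS_STORAGE,)),
    UsbDevice("music player", 0x5678, 0x0002, (AUDIO, MASS_STORAGE)),
    UsbDevice("keyboard", 0x9ABC, 0x0003, (HID,)),
    UsbDevice("camera in picture-transfer mode", 0x5678, 0x0004, (STILL_IMAGE,)),
]

if __name__ == "__main__":
    for label, verdict in audit(SAMPLE):
        print(f"{verdict:6}  {label}")
```

Vendor and product IDs are reported by the device itself, so a rule like this identifies a model rather than authenticating an individual device.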

Besides the control of USB, monitoring the file activity of what is copied to and from a USB drive is equally important for corporations that must adhere to regulatory compliance initiatives such as Sarbanes-Oxley, HIPAA, and Gramm-Leach-Bliley. Many USB monitoring solutions contain such auditing features.

A New Breed of Corporate USB Security

Portable Security Devices evolved from two origins: flash drives and security tokens. Flash drive vendors started adding security enhancements, such as biometric authentication and encrypted storage, to their products in an attempt to differentiate themselves in a competitive and price-sensitive market. On the other side, security token vendors have recognized the need for more speed, portability and capacity than what is available on a conventional smart card or token. The end result is a type of device that has the security of a smart card with the power and portability of a flash drive. These devices will likely have a significant impact on the security industry.

High-end Portable Security Devices can carry and assert digital identities, provide powerful cryptographic services, strong authentication and secure storage, and have management interfaces that allow them to be easily deployed in an enterprise environment. A single device can satisfy multiple security needs of an enterprise, including public key cryptography for e-mail signing and file encryption, digital identities for network logins and single sign-on, portable authentication for remote access, as well as secure storage of confidential information.

What is really attractive to the enterprise is that these devices can support many more applications and security needs than was previously possible with traditional security tokens - and they are much more portable and easier to deploy.

The Future of Portable Security Devices

The future of Portable Security Devices looks bright. Never before have such advanced security features been available in a portable device. Once security software starts to leverage this capability, the level of security that today exists only within the boundaries of an organization will be available everywhere and delivered with the same ease of use and portability as a flash drive.

The versatility of Portable Security Devices will enable organizations to provision devices that let their employees use them for both work and home use. For example, in their work environment users can use only the security features and applications that are enabled by the device when they log in using their corporate digital identity. While at home, employees can manage their own digital credentials and applications for personal use without compromising or re-using their corporate identities.

Portable Security Devices will also be used in the new digital identity meta-system that is currently emerging on the Internet. Consumers won't need to fill out personal information on websites and maintain dozens of user names and passwords, one for each service membership they have signed onto. Instead, they can use their Portable Security Device to manage their own digital identities and log on to their websites without releasing personal information.

Unlike Microsoft Passport, digital identities will be managed by the consumer and not a centralized, third-party provider. The inherent security of Portable Security Devices hardware will also provide consumers with the power to perform secure identity transactions from any machine without worrying about digital identity theft from computer viruses and phishing scams.

Conclusion

Security in the digital world is a complex matter, but the arrival of Portable Security Devices promises to simplify security and make it better for both corporations and consumers.
