Portable Problems Prompt IT Spending

A rash of data thefts involving high-profile government agencies could have IT managers everywhere revamping their policies on removable data storage devices and laptops. And not a moment too soon, sources say.

The watershed event came in May, when an HP Pavilion Notebook Laptop and accompanying HP External Personal Media Drive containing sensitive data on 26.5 million veterans was stolen from the home of a U.S. Department of Veteran Affairs employee. (See VA Reports Massive Data Theft.)

This and other snafus have IT managers questioning policies on portable data. In many instances, organizations are doing some major soul-searching.

In a recent user survey by sister publication Dark Reading, 61 percent of 229 security professionals reported they either haven't got a policy for protecting removable storage devices, or their organizations were vulnerable because their policy was unenforceable. (See No Wires & No Policies and The Portable Puzzle.)

But a report from market research firm Input suggests that high-profile laptop losses are making it more urgent for companies to find answers. According to Input analyst and former government agency CIO Bruce Brody, spending on IT equipment, including security and storage gear, is expected to rise in the wake of the VA theft.Why storage gear? Centralized control of data, that's why. According to Brody, the culprit in recent high-profile data losses involving the VA point to "a decentralized network and organization structure." While this is a cultural and political problem, he notes, it affects IT in government agencies because IT services start getting too localized to ensure agency-wide effectiveness of standards and policies.

Centralized storage with VPN access can help matters. Storage vendors know this, as evidenced by EMC's purchase of RSA Data Security. (See EMC Secures RSA for $2.1B and Did EMC Overpay?.)

But centralizing data storage and controlling access isn't the only answer. Even companies like Decru and NeoScale, which encourage centralized control and encryption of any kind of data at rest, whether it's on a laptop, portable drive, or tape device, must concede that technology can do only so much. Companies need to change the way they approach data access in general.

"We see customers starting to evaluate who needs to have access," says Michele Borovac, director of marketing at Decru, now owned by NetApp. If users are provided with access to encrypted data, for instance, issues of key management and support come to the fore.

It's all part of a tradeoff, according to one security manager who works for a West Coast music producer. Upping the security for portable storage devices and laptops will affect workflow and the ability of end users to get at data when they need it. Even simple procedures have consequences. "The company has to have the support structures in place to support data encryption," he says. "If an executive forgets his password, the analyst has to be accessible to help him.""It's a matter of access control," says Input's Brody. "The concept is simple: My data is of value and needs to be made available to people as well as protected with safeguards based on the sensitivity of the data."

Changing policies takes time, but there are measures ITers can take to ensure users don't go the way of the VA in the immediate future. Greg Schulz of the StorageIO consultancy suggests the following strategies for protecting data stored on laptops:

Ultimately, security portable gear must be a cooperative effort between user and IT. A network manager on the North American Network Operators' Group (NANOG) mailing list wrote earlier today that while his firm leaves files on the network and controls remote access, he doesn't trust most users to not keep some sensitive data on their local disks. So he uses PGP whole disk encryption for laptops.

Clearly, securing portable gear is a complicated problem that calls for a complicated solution, as another user on the same list wrote: "Laptop security really sucks these days... this is certainly an area for a lot more focused thought."

Mary Jander, Site Editor, Byte and Switch