Decoupling data from its container.
I discovered recently that there are two different ways that people treat USB flash drives these days.
- Either you view it as a smaller version of a disk drive, in which case you tend to tag it and track it as a hardware asset, or
- You view it as a more voluminous writable CD or DVD, in which case you treat it as a stockroom item, like paper clips.
Is your organization handing out USB drives like Hallowe’en candy? Do you have any idea who is using them, for what data, and why?
No, don’t tell me that you can simply forbid their use and disable USB ports on all computers. For every user with a key fob full of jpegs, there’s a sysadmin who’s carrying around a key fob with useful diagnostic tools.
Besides, that’s not the point. We are moving data more and more off of static, established infrastructure and onto temporary, ephemeral waystations that flash (if you’ll pardon the pun) in and out of existence. I’m just waiting for the day when I get a call that a million SSNs were lost because someone’s body piercing jewelry accidentally washed down the shower drain. The security officer in me wants to force everyone to go back to the equivalent of a dumb terminal, but I understand very well that users want to have and hold their data. They want to carry it with them; they want to take it home and love it and call it George. If you give a user a blindingly fast remote desktop connection from home, he will STILL prefer to put everything on a USB drive where he can keep an eye on it.
Both this and virtualization start to make mincemeat of our usual models of data containment. If you have virtualized instances of systems with data on them, all wrapped up in hosts like so many Matryushka dolls, do you treat them all as being in one box for the purposes of securing and tracking them? Will we ever be able to secure the data itself and ignore where it happens to be located at the time?
I doubt that we will, for psychological reasons. The same impulse that makes us primates feel as though we’re protecting something more if it’s physically within our reach is also causing us to worry more when it’s outside of a territorial boundary. We get naturally more nervous if data is being viewed from outside of a corporate building—never mind that it’s the same pair of authorized eyeballs looking at it, and statistically speaking, the data is just as much at risk when it’s in the building as outside of it. Since security risk involves perception, information owners will never completely be able to estimate risk without wanting to envision a specific container and location for their data.
It’s at times like these that I want to take off my Sorceror’s Apprentice hat and stop all the brooms from multiplying before my eyes.
on 09/20 at 04:09 PM:
I think the move to dumb terminals is not as difficult as you might think, but you’re right about the whole thumb drive/possession thing. Of course, people will get over this if IT has an extremely matured backup/recovery/security infrastructure in place over that data. But that’s another happy dream for most.
We are conscious and want to clean up our USB port usage as well, but we know what a fight that will be from personal devices that are charged that way to actual business-use data transfers. It just happens regularly. So far we talk about it, but we have other fish to fry that we know are tasty and easier to catch.
When you’re talking to someone about these topics at work, you should queue up a few Fantasia mp3’s to start playing in the background…