Monday, March 24, 2008

Washington State Agency Takes Steps to Plug Flash Drive Security Gap


Workers in the state of Washington's Division of Child Support are getting state-owned USB flash drives as part of a move to eliminate the use of unsanctioned thumb drives.

External flash drives used by field workers hold the names, dates of birth and Social Security numbers of children served by the agency. They may also hold client tax documents, employer records, criminal histories and passport data.

The state began rolling out 200 SanDisk Corp. Cruzer drives late last year after recalling suspect devices used by workers in the agency's 10 field offices. Most of those had been purchased independently by employees, causing myriad problems for the agency, said Brian Main, the division's data security officer.

"We do periodic risk analysis of our systems, and one of the things that came up is the use of thumb drives; they were everywhere," said Main. "We had a hard time telling which were privately owned and which were owned by the state."

The Cruzer Enterprise drives provide 256-bit AES encryption and are password-protected, Main noted.

The agency also plans to use SanDisk's Central Management and Control software in its Olympia headquarters. The Web-based management software can centrally monitor and configure the miniature storage devices and prevent unauthorized access to them.

Larry Ponemon, chairman of Ponemon Institute LLC, a Traverse City, Mich.-based research firm, said that most organizations are too enamored of the convenience, portability and low cost of USB flash drives to consider security issues.

"I think a lot of organizations are asleep at the switch. They don't see this as a huge problem. It obviously has the potential to be the mother of all data-protection issues," Ponemon said.

Main said the agency first looked at Verbatim America LLC's thumb drives but ultimately chose the SanDisk technology because of its support for Microsoft Corp.'s Windows Vista operating system.

Workers in the agency's training operations are getting 4GB devices to store large presentations and screenshots, while enforcement personnel will get 1GB drives, Main said.
