The arrival to Canada this spring of the Zune music player, Microsoft Corp.’s answer to Apple Inc.’s popular iPod, will likely be yet another removable device that enterprises will consider a network security risk, according to industry experts.
Zune joins an existing slate of devices that can be easily connected to the corporate network, just like the iPod, USB sticks, and even cameras that may act as an extended storage mechanism, said Oliver Friedrichs, director of emerging technologies with Cupertino, Calif.-based Symantec Corp.’s security response team. The use of devices like the iPod to remove corporate data became known as “Podslurping.”
The issue is that such devices, said Friedrichs, serve as an extension of the hard drive and appear in the Windows operating system as a new drive. “So it’s relatively easy to open up that drive and then drag and drop documents into that folder.”
The Zune supports video, audio, photos and other images, as well as offering FM radio tuner and wireless connectivity for music sharing.
Three models will be made available including one with 80 gigabytes of music memory, and two flash memory-based models holding 4GB and 8GB.
Another industry expert agreed that the Zune itself doesn’t present a unique security risk, but rather it’s yet another removable device to worry about.
“It’s a mobile device generically speaking and enterprises are concerned about it and they’re still fussing with it,” said Francis Ho, executive committee member of the Federation of Security Professionals, an association dedicated to education in the field of information security.
According to Friedrichs, security controls should be applied by the IT department, by way of technologies and processes, to manage the risk of data leakage via such devices.
In fact, there is an entire market that’s emerged based on the need for organizations to manage data loss prevention (DLP) in outlets like devices or network services like e-mail and Web sites, he said. Actually, he added that Symantec’s acquisition of San Francisco, Calif.-based Vontu Corp. in November 2007 complemented this market need.
It’s an imperfect world. How do you keep corporate secrets from leaking out? Real tough.Francis Ho, executive committee member,>TextHo said he’s thus far witnessed two corporate approaches to preventing data leakage via removable devices. One organization physically disabled USB ports on users’ PCs. “That only works to a point because keyboards and mice are all USB and they have to leave those active. If I were a smart guy, I’d buy a $20 USB hub and away I go to the races.”
Other corporations have disabled the USB ports at the operating system level by way of software. But the problem with software, said Ho, is that it too can be defeated if you know how. “It’s an imperfect world. How do you keep corporate secrets from leaking out? Real tough.”
Ho also mentioned a less common approach which is to use software to monitor the movement of corporate data in e-mail. But it’s a method that relies on a good set of keywords to catch all data. And having too many keywords, he said, won’t let e-mail through at all.
Along the same vein, data can be monitored as it sits on servers and files – but even that approach has its pitfalls, said Ho. A company would have to first identify critical corporate assets in order to selectively monitor data, a task that can be quite labourious, he said. This technology, he added, is relatively less mature.
But the use of DLP technology aside, said Friedrichs, barring employees from connecting personal devices to the network in an effort to reduce risk is definitely a good place to start. However, he added it will be necessary to manage the potential impact on staff morale given such a heavy restriction.
However, policies like that will hold more importance in certain industries than others, said Friedrichs, namely financial services where there is not only the heightened risk of confidential data leaving via removable devices, but also the risk of malicious code propagating onto network PCs.
Friedrichs can’t comment on whether the Zune will respond to enterprise security concerns with embedded security within the device itself, but said that considering it’s an extension of the hard drive, “there is little it can do to mitigate that risk.”
However, the Zune’s wireless connectivity capability will certainly facilitate hooking up to the corporate network should the company have a wireless network, he said.
But he added that high-security environments would likely not employ a wireless network to begin with.
At any rate, technology is evolving faster than security’s ability to catch up and vendors are trying innovative ways to prevent corporate knowledge from leaking out, said Ho. “All you can hope to do is write it in policy and hope you catch it.”
In the old days, he said, the issue was employees walking out with screen prints. “Now you make a copy of data and there’s no trace.”