You encrypt your laptops, but what about portable media?

Published: 2013-01-12
Last Updated: 2013-01-12 17:41:01 UTC
by Stephen Hall (Version: 1)
3 comment(s)

As a data loss control many organisations now ensure that laptops are mitigated by installing full disk encryption or by having a partition / area of disk which is encrypted.

However, laptops are not the only way to pick up and carry out of your organisation the data which you are meant to be protecting. Various products also address this space of the toolset to mitigate data loss risk.

Walter has e-mailed in with the heads up that various Canadian news media are highlighting a report that a portable disk containing 583,000 Canadians who were clients of the Canada Student Loans program from 2000 to 2006 has been lost. If you were lucky enough to borrow money through this program but you were from Quebec, Nunavut and the Northwest you were lucky this time. The data lost includes:

  • Student names, social insurance numbers, dates of birth, contact information and loan balance of Canada Student Loan borrowers.
  • Personal contact information for 250 Human Resources and Skills Development Canada(HRSDC)employees.

So when doing the risk assessment of your organisations data loss mitigation please consider the end to end lifecycle of the data and how that data can move to and from your staff members hands. That can also include portable media which, if allowed at all through a technology or physical security control, should be access controlled and any data be encrypted when data is allowed to be written to it.


Keywords: DLP
3 comment(s)


Yes, we use full disk encryption on laptops, and email gets stored on blackberries in plain text. How do you encrypt that? How do you enforce encryption on usb drives -- both flash and pocket hard drives? I know there are flash drives that have built-in encryption that is OS independent, but how do you keep people from using the flash in their phones or ipads, etc. as a temporary storage to move data from one device to another, especially in a software-hardware development lab environment? User education seems like the only way, and we all know how well that works. :-(
It maybe that you already have this capability but do not have it turned on. Try putting "DLP endpoint protection" into your favourite search engine and you should find products which can help you which could include your AV.
While policy often calls for such controls, enforcement may be hindered by the limitations of (for example) Windows Group Policy. Until recently, such methods could only restrict entire classes of device (such as all USB mass storage) rather than being able to distinguish and allow specific approved (and encrypted) devices. Some 3rd party products enhanced this, but none are fully satisfactory. Till that day, user education is still the front-line attack on portable device data handling. Users need to understand, appreciate, and act on their responsibility as the custodian of sensitive data.

Diary Archives