The problem of lost USB sticks has been back in the news recently with data losses moving from laptops to the storage devices.
In January, the Information Commissioner's Office (ICO) and the Office of the Data Protection Supervisor (ODPS) for the Isle of Man jointly criticised Praxis Care after an unencrypted memory stick was lost last year. It contained personal information relating to 107 Isle of Man residents and 53 individuals from Northern Ireland.
Last week, the details of more than 1,000 school pupils were lost when a USB stick was misplaced by a member of East Lothian Council.
It was at the end of 2009 that I looked back at ‘a tricky 12 months for the USB stick’ when it was blamed for data loss and Conficker. While the problem has not been eradicated completely, it does seem to be slipping back somewhat.
I recently spoke with a new company offering what it calls the ‘Fort Knox’ of USB memory sticks. I know what you are thinking: heard it all before. Well, what caught my attention was that this was less a memory stick and more a tracking device, with GPS and GSM modules to track where it is and deliver this information securely to a management console hosted securely on Fujitsu's Global Cloud Platform.
It also features remote wipe capabilities of any data on the device, whether it's plugged in to a USB socket or not.
The device is named Security Guardian, and creator ExactTrak said that its inbuilt software is linked to an online monitoring platform that protects against the biggest problem with mobile data security: human error.
Managing director Norman Shaw told SC Magazine that Security Guardian is being adopted by users because it is encryption technology-agnostic and available with either 16 or 32GB of storage.
He said: “We applied intelligent elements to communicate with the device and we can turn the device on or off and delete the memory. We can know where it is geographically.
“We met with the ICO and they said that it is all very well having encryption but 50 per cent of people share passwords. One of the technologies on this is that if you share a password, you can remotely remove or turn data off. A problem is that data losses are often not reported for months; we say this can overcome the stigma of losing data by saying ‘we lost the device but we deleted the contents of it’.”
Shaw said that this is sold not as a product but as a service, and a recent partnership with Fujitsu saw its Global Cloud Platform selected to host the back-end infrastructure.
The heart of the Security Guardian solution is the management console which provides remote access to the devices and maintains a verifiable audit trail detailing when and where data was accessed. ExactTrak said it needed a partner that could host the management console while providing the utmost levels of security, scalability and availability, and it selected Fujitsu's Global Cloud Platform as a secure portal and because it could offer "global scalability almost instantly".
Shaw said: “Once data is on the device it is encrypted. We have Trusted Client technology from Becrypt and the cloud capability from Fujitsu and it is all dynamic data on the device, so what is on there is secure.”
In my recent conversation with Thales, it was suggested that technology should make encryption transparent, and "if you know you are using it then it has gone wrong". I asked Shaw if he felt there was a problem with encrypted data and that people were not using it.
He said: “Some people realise the problem of encryption, so how do you prove that it was turned on? You say that a laptop was encrypted, but then it appears on eBay and it turns out that it wasn't encrypted at all.
“With our solution you can say that the data was turned on or off on the management console with a verifiable audit trail and the ICO can say the matter is closed.”
There are solutions out there to prevent data loss and most of them offer different levels of security and capability, and what ExactTrak offers is certainly different – the capability to react after the incident.
As to whether this will prevent further data loss, I doubt it, as the ICO is now fining organisations for human error in the case of lost details.