Conventionally, within an organization, data that was associated with a user would be stored upon the hard disk associated with a user's computer or server to which the user's computer was connected. If an individual wished to access the data stored on the disk drive, they would be required to log on to the computer to be able to access the appropriate disk drive.
In the current computing environment, the amount of data that is transferred and exchanged between organizations and between users within organizations is ever increasing. As a result, conventional disk drives are being replaced by different methodologies to store data. The need for portability of data has brought about the development of mobile storage means. Examples of these mobile storage means include USB storage means, external hard drives, CDs, and DVDs. These mobile storage means facilitate information flow between various computing devices.
However, there are risks associated with the use of these mobile storage means. Within an organization, it must be ensured that data that is proprietary to an organization must be protected from being accessed by individuals/entities who are not permitted to access the data. Through the use of mobile storage means it has become exceedingly simple for confidential and sensitive data to be accessed, modified, copied or removed by authorized or unauthorized personnel.
In order to attempt to combat the potential threat of misappropriation of data that is posed by mobile storage means, some organizations have taken to prohibiting the use of such devices. While this does combat security risks, operational efficiency and productivity is hindered, as mobile storage means are a very efficient tools for enhancing the ease of data transfer and storage. Some organizations, while realizing that an outright prohibition on using mobile storage means may not prove to be effective or efficient, have put in place policies that allow for the limited use of mobile storage means in accordance with their own security protocols. These policies however, lack an effective control mechanism which automatically enforces them, and it is left up to an end user to comply with one or more policies that relate to data transfer involving mobile storage means. Policies which do not have an automated enforcement mechanism will not be able to counter the following types of threats that are posed through the use of mobile storage means; 1) when mobile storage means containing confidential information are stolen or lost, 2) the copying of confidential data from a mobile storage means to an unauthorized computing device; and 3) the copying of confidential data from computing device to a mobile storage means.
Automatic policy enforcement mechanisms need to ensure that the threats that are posed through the use of mobile storage means as have been described above are combated, but at the same time should allow for customized policies to be designed which take into account the various data access requirements that may be required by a specific user.