November 24, 2008 11:07 AM PST

IEEE 1667: One standard worth watching

by Jon Oltsik

I've grown rather cynical about industry standards, but I am pretty bullish on IEEE 1667 (aka: "Standard Protocol for Authentication in Host Attachments of Transient Storage Devices"). This standard should improve security and may have other benefits as well.

Here's the thing: We all have a plethora of flash drives, MP3 players, and USB disk drives. Yes, these may be a great way to replicate music or transport files, but they also create a huge security vulnerability. When you plug in the 250GB drive you bought at Fry's Electronics at lunch, you can steal a heck of a lot of data.

When IEEE 1667 is in place, the risks associated with this vulnerability decrease substantially because only authenticated devices will be accepted. I can provide my employees with specific types of IEEE 1667-compliant devices that can be authenticated and used. All others, including that device you bought at Fry's Electronics, won't work. Assuming that you can audit the use of these devices, this provides security without compromising usability--a win-win in the security management world.

Of course, there are things I can do today to address this issue. I can fill USB ports with glue, rendering them unusable. (Don't laugh, lots of people actually do this.) I can turn off all USB ports using configuration software. I can also use some proprietary software that does the same thing as IEEE 1667 with "proprietary" being the key word. These are all-or-nothing propositions.

IEEE 1667 is most promising in this case for one reason: Microsoft is a strong supporter and plans to bake IEEE 1667 into Windows 7.

Once IEEE 1667 gains wide deployment, it may help in areas beyond security alone. For example, ESG Research indicates that only 35 percent of enterprise organizations actually back up user PCs. Seems crazy, but this remains a real problem. When IEEE 1667 takes hold, I can assign all of my users an authenticated encrypting drive like Seagate's BlackArmor device. They can then back up their laptops securely on their own. Think of the benefits: Costs are relatively low (one device per user), security remains tight, and I don't have to invest in incremental network bandwidth, backup servers, tape drives, or IT administrators.

There are a few other standards that compete with IEEE 1667, but I hope Microsoft's support causes them to fade away. Let's all follow Redmond's lead in this case for the greater good.

Jon Oltsik is a senior analyst at the Enterprise Strategy Group. He is not an employee of CNET.
by eBob1 November 24, 2008 11:53 AM PST
It really depends on how "transient" is defined. For instance, someone I know once needed to copy some files off of a work PC, but the USB ports were disabled by some software. He wound up opening up the PC and attaching a drive directly to a SATA port. When he powered up the computer, the drive was there and he could copy anything he wanted.
by krachtveld November 24, 2008 12:34 PM PST
I am totally confused by your being 'rather cynical about industry standards', yet post in a medium that uses tcp, http and other 'standards' to get your word out. Not to mention the alphabet.
You are excited that IEEE-1667 will be baked in to Windows 7, which, if I am not mistaken, is a proprietary OS. What exactly is it that you 'analyse'?
I guess I mostly agree with what you have to say, but in my opinion you did it very poorly.
by rizarsurf November 24, 2008 1:58 PM PST
You are asking for support for Microsoft? Is this so they can put their own proprietary twist to IEEE 1667 and lock users even more to their OS? Or is it so they can charge even more for Windows 7? When MS starts using truly open standards and starts respecting them, then I can see supporting MS. But don't hold your breath, it's most likely to not happen.
by rotflman December 1, 2008 4:33 PM PST
I think the real problem here is that IEEE 1667 does not require encryption of any kind. The specification only requires authentication. As a result, I cannot get as excited about this as Jon apparently does and believe the specification needs more work before it is really usable as Jon expects...