IEEE 1667: One standard worth watching

There are a few standards that compete with IEEE 1667, but hopefully Microsoft's support causes them to fade away, says analyst Jon Oltsik.

Jon Oltsik
Jon Oltsik is a senior analyst at the Enterprise Strategy Group. He is not an employee of CNET.
Jon Oltsik
2 min read

I've grown rather cynical about industry standards, but I am pretty bullish on IEEE 1667 (aka: "Standard Protocol for Authentication in Host Attachments of Transient Storage Devices"). This standard should improve security and may have other benefits as well.

Here's the thing: We all have a plethora of flash drives, MP3 players, and USB disk drives. Yes, these may be a great way to replicate music or transport files, but they also create a huge security vulnerability. When you plug in the 250GB drive you bought at Fry's Electronics at lunch, you can steal a heck of a lot of data.

When IEEE 1667 is in place, the risks associated with this vulnerability decrease substantially because only authenticated devices will be accepted. I can provide my employees with specific types of IEEE 1667-compliant devices that can be authenticated and used. All others, including that device you bought at Fry's Electronics, won't work. Assuming that you can audit the use of these devices, this provides security without compromising usability--a win-win in the security management world.

Of course, there are things I can do today to address this issue. I can fill USB ports with glue, rendering them unusable. (Don't laugh, lots of people actually do this.) I can turn off all USB ports using configuration software. I can also use some proprietary software that does the same thing as IEEE 1667 with "proprietary" being the key word. These are all-or-nothing propositions.

IEEE 1667 is most promising in this case for one reason: Microsoft is a strong supporter and plans to bake IEEE 1667 into Windows 7.

Once IEEE 1667 gains wide deployment, it may help in areas beyond security alone. For example, ESG Research indicates that only 35 percent of enterprise organizations actually back up user PCs. Seems crazy, but this remains a real problem. When IEEE 1667 takes hold, I can assign all of my users an authenticated encrypting drive like Seagate's BlackArmor device. They can then back up their laptops securely on their own. Think of the benefits: Costs are relatively low (one device per user), security remains tight, and I have don't have to invest in incremental network bandwidth, backup servers, tape drives, or IT administrators.

There are a few other standards that compete with IEEE 1667, but I hope Microsoft's support causes them to fade away. Let's all follow Redmond's lead in this case for the greater good.