IronKey

Mobile Data Security Blog

Home  »  Archive by category "Encryption" (Page 2)

by

Enabling BYOD with a Secure Windows To Go IronKey Workspace

We have now announced Microsoft certification and general availability of our IronKey Workspace W500. Microsoft’s certification process is a rigorous one, so we are extremely pleased to put this stamp of approval on our latest Windows To Go solution. And we’re excited to bring our secure PC on a Stick platform to the Windows To Go solution set.

According to Intel’s IT Manager survey on the current state of BYOD, one of the two largest barriers to BYOD adoption is that the devices used by employees cannot support security, encryption or remote wipe.  The IronKey Workspace W500 solves IT managers’ security concerns with its hardware based encryption, ability to issue ‘silver bullet’ commands to remote wipe the device, and centralized management.  The IronKey Workspace W500 is truly an IT provisioned, IT managed and IT secured device that fits into your network.

intel barriers snap

Source: Intel

Gartner predicts that half of companies will require BYOD in 2017, and as this trend spreads from mobile phones and smartphones to the PC, our Windows To Go workspace offerings position us strongly in this space. Strong market interest in our solutions backs up this trend – for example, we have initiated pilots large organizations that are interested in deploying thousands of devices. Use cases we are seeing include:

  • Executive travelers are seeking to bring a secure device to insecure countries, instead of a laptop.
  • Government agency looking to provide a way for employees to telework securely, using the workspace device on their home PCs.
  • A hospital is looking at providing secure workspaces to medical residents instead of providing PCs –a 10X cost savings.
  • Top universities are testing IronKey Workspaces for their students to use in computer labs, and then to allow them to bring their computing environment home.

Our new IronKey Workspace W500 represents a powerful, secure PC on a Stick offering for enterprise customers. This is a high-performance, ruggedized, high-security platform for organizations who see opportunity in using Windows To Go to support their BYOD initiatives.

You can learn more about the IronKey Workspace solutions at http://www.ironkey.com/en-US/secure-workspace/index.html.

by

California Cracks Down: Companies Must Encrypt Personal Data

The California Attorney General has issued a major data breach report, finding that more than 2.5 million people were affected by 131 reported data breaches within the state, with 56% of the breaches including disclosure of Social Security numbers.

California Attorney General Kamala Harris is calling for wider use of encryption and increased training for employees and contractors on handling personal information. InfoWorld reports that, “her office “will make it an enforcement priority to investigate breaches involving unencrypted personal information” and will “encourage … law-enforcement agencies to similarly prioritize these investigations.”  She also recommends employee and contractor training on how to handle personal information.

Imation did its own review of U.S. data breach laws in 2012, and created the “heat map” graphic below, based on the strictness of those laws. California was a forerunner in data breach laws; while most state laws are similar, requirements and penalties vary widely.

As we’ve noted before, encryption is the foundation for protecting personal data. 

Having data encrypted at the time of the breach means, under most (but not all) of these laws, (because the data is unreadable) that loss or theft of a USB device or laptop doesn’t require reporting. Also, as the California report notes, keep security awareness campaigns active so workers stay alert to the risks.

By taking a few pragmatic precautions, the majority of risks can be greatly mitigated. So the next time an employee loses a notebook or an encrypted flash drive that held protected data, if it’s been properly encrypted and managed you’ll have may well have endured a non-event.

Compliance Heat Map

Imation Compliance Heat Map. Click to view full-sized image.

by

The Thumb Drive Conundrum: Managed USB and Encrypted Flash Drives Attack the Insider Threat

The revelation that Edward Snowden absconded from NSA with secret files on a thumb drive has generated predictable gnashing of teeth about the use of portable USB drives in secure organizations. At the same time, government and business organizations are successfully implementing secure deployments of portable USB drives so that employees can transport data they need to be productive.

The technology issue is one of competing needs: To be productive, mobile employees need the mobility, offline storage and security afforded by USB drives. To secure data, IT needs control of how employees move information and what information is moved.

The fact is that today, IT can take control without blocking USB ports. We’re not sure what safeguards the NSA had in place, but there are technologies that could prevent or mitigate this kind of insider threat. For example, secure enterprise device management software can offer:

Device Location – with managed USB drives, software can show the locations of every managed device when they connect to the Internet on a map. This allows tracking of a device that has “gone rogue” and could aid in recovery.

The “Silver Bullet” – the ability to either password-disable or perform a remote kill to completely disable the device if it goes missing or someone is suspected of copying data they should not have on the drive.

Geofencing, IP Blocking – It is possible to add rule features so that unless the device meets certain conditions, the data is automatically wiped. For example, IT could enable “geofencing” so that if device is outside the country, the data is wiped – or if it is on an unapproved network, or outside a certain IP range.

Have a Consistent Data Security Policy

It’s really a matter of having a consistent policy for your data at rest.  Many organizations require their PCs and Macs to have full disk encryption enabled.  But that policy is not enforced when it comes to removable media like a USB drive.  By using a manageable and encrypted storage device you can maintain a secure policy for your data no matter where it goes.

If we look at the SANS Top 20 Security Controls, Critical Control #17 – Data Loss Prevention specifically addresses how best to handle sensitive data and prevent it from leaving your organization without permission.  The advice from SANS is to, “deploy approved hard drive encryption software to mobile devices and systems that hold sensitive data,” and that “enterprise software should be used that can configure systems to allow only specific USB devices (based on serial number or other unique property) to be accessed, and that can automatically encrypt all data placed on such devices.”

For workers who travel, teleworkers shifting between work and home, or contractors working with your data, a secure, managed USB thumb drive is more secure than online file sharing, and certainly better than unencrypted and unmanaged notebook computers, USB devices and smartphones. And management adds an extra layer of security against both external and insider threats.  IT can address a number of potential security threats by implementing policies that require uses to use encrypted flash drives.

by

Obama’s Executive Order and Critical Infrastructure Protection

The big news this week in cybersecurity was the Executive Order from President Obama regarding our nation’s critical infrastructure, a catch-all term that includes power plants, water treatment plants and a lot of other utilities and services that, if impeded, could impact our lives in significant ways.

Reading through the text, the Order mainly allows for information exchange between government entities tracking nefarious interests and the private organizations running the critical infrastructure those nefarious interests would aim to sabotage. Certainly, this sharing of data can only help. By learning what the government is hearing, the companies will no doubt be better armed to know where an attack might be coming from.

Perhaps the biggest positive result of the President’s move is that the spotlight is now on the issue of critical infrastructure protection, at least for the time being. And I think it’s easy for anyone to conclude that the executive order does not go nearly far enough in providing guidance or dictating rules so that the infrastructure can be best protected.

Critical infrastructure protection is a complicated beast, made ever the more complicated because of the changing nature of the workplace. As an example, we live in a world that is more and more mobile. Even the U.S. government is encouraging its agencies to support mobile work environments. But a mobile world introduces new attack vectors for those who wish to do harm, let alone the vectors that already exist in our interconnected computing environments.

It can be a daunting challenge to secure these environments. Organizations are being targeted through remote attacks and their employees are also being targeted as travelers so they bring back malicious threats into the organization. As we’ve seen on more than one occasion, employees at many organizations have inadvertently carried malware and other malicious software into their work areas and have accidentally installed that software onto IT infrastructure.

The security industry needs to give organizations an advantage over malicious software.  A comprehensive approach to cybersecurity will address these and other scenarios.

One place to start is where our IronKey solutions sit– providing secure, mobile workspaces that are centrally managed. This allows employees at any company, let alone those operating our critical infrastructure, to work in any environment without risking a security compromise.

Solutions that involve hardware encryption, encryption key management, and strong administrative and access management controls should be incorporated into any government-driven requirements for critical infrastructure IT systems.

by

The Mobile Worker – A Look Back and a Look Ahead

In 2011, there were approximately 1.3 billion mobile workers and this number is expected to grow to 1.6 billion by 2015, according to IDC.  And as the breadth of our mobile workforce expands, the opportunity for targeted data breaches is increasing exponentially as well.

The rise of the teleworker is a boon to business and government organizations. At the same time, the expanding mobile workforce is fueling the evolving threat landscape — Symantec’s 2012 Norton Cybercrime Report notes that cybercriminals targeting mobile devices and mobile vulnerabilities doubled from 2010 to 2011.  IT departments must find new ways to protect corporate data at risk of malicious penetration from the outside, and malicious or careless insiders as well.

So what does this mean for the IT department? A new generation of mobile workers needs secure, portable workspace environments, and secure mobile device control systems.

Here’s another look at our advice for IT departments managing a worker-on-the-go:

  • Staff need to be educated on the responsibilities of handling mobile devices and the data security risks
    Proper training has to be a major part of educating staff on how to use mobile technology in order to do their jobs without risking a data breach.
  • Implement secure computing solutions that allow employees secure access to what they need
    Teleworkers need to be able to conduct their daily business from any location and must therefore be equipped with hardware encrypted solutions with strong user authentication.
  • Provide a secure platform that locks down the host-computer
    As organizations continue to accept that mobile workspaces are extremely convenient and flexible, advanced centralized deployment and management are key elements of maintaining and controlling a secure environment.
  • Make it easy and convenient enough to avoid workarounds
    Mobile devices must act like the desktop an employee has left at their office otherwise users will inevitably break security protocols.

Employees and IT organizations should learn from the security-related mistakes of the past. Technological advancements to the ways in which we work will continue to evolve and while it is not something that we want to stop but we must leverage the lessons learned and be smarter about mobile safety.

by

Secure Working can’t be Optional

Data Security Holes Shown In Global IT

Recently Imation released the results of a study which reveal some important home truths about the current attitude of workforces across Europe towards remote working. The survey, conducted across the UK, France and Germany, also highlighted worrying shortcomings in Europe’s major IT markets around secure remote working in terms of both technology and policy.
Read More