The revelation that Edward Snowden absconded from the NSA with secret files on a thumb drive has generated predictable gnashing of teeth about the use of portable USB drives in secure organizations. At the same time, government and business organizations are successfully implementing secure deployments of portable USB drives so that employees can transport the data they need to be productive.
The technology issue is one of competing needs: To be productive, mobile employees need the mobility, offline storage and security afforded by USB drives. To secure data, IT needs control of how employees move information and what information is moved.
The fact is that today, IT can take control without blocking USB ports. We’re not sure what safeguards the NSA had in place, but there are technologies that could prevent or mitigate this kind of insider threat. For example, secure enterprise device management software can offer:
Device Location – with managed USB drives, software can show on a map the location of every managed device when it connects to the Internet. This allows tracking of a device that has “gone rogue” and could aid in recovery.
The “Silver Bullet” – the ability to either password-disable the device or perform a remote kill to completely disable it if it goes missing or if someone is suspected of copying data onto the drive that they should not have.
Geofencing, IP Blocking – It is possible to add rules so that unless the device meets certain conditions, the data is automatically wiped. For example, IT could enable “geofencing” so that the data is wiped if the device is outside the country, on an unapproved network, or outside a certain IP range.
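The geofencing and IP-range rules described above can be expressed as a small policy check that runs when a managed drive checks in. This is an added example, not code from any management product; the Policy and CheckIn types, the sample addresses and the intermediate "lock" action for missing or malformed data are assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Policy:
    allowed_countries: frozenset  # ISO 3166-1 alpha-2 codes inside the geofence
    approved_networks: tuple      # ipaddress networks the drive may be used on

@dataclass(frozen=True)
class CheckIn:
    device_id: str
    country: Optional[str]        # from IP geolocation; None if the lookup failed
    source_ip: str

def evaluate(policy, checkin):
    """Return (action, reason), where action is 'allow', 'lock' or 'wipe'."""
    try:
        ip = ipaddress.ip_address(checkin.source_ip)
    except ValueError:
        # Assumption: indeterminate data locks the drive instead of wiping it.
        return "lock", "unparseable source IP"
    if checkin.country is None:
        return "lock", "no geolocation result"
    if checkin.country.upper() not in policy.allowed_countries:
        return "wipe", "outside geofence"
    # Membership is False when address and network IP versions differ.
    if not any(ip in net for net in policy.approved_networks):
        return "wipe", "unapproved network"
    return "allow", "all conditions met"

# Constructed policy and check-ins, using documentation-reserved address ranges.
POLICY = Policy(
    allowed_countries=frozenset({"US"}),
    approved_networks=(ipaddress.ip_network("192.0.2.0/24"),
                       ipaddress.ip_network("2001:db8:10::/48")),
)
SAMPLE_CHECKINS = [
    CheckIn("drive-001", "US", "192.0.2.44"),
    CheckIn("drive-002", "US", "203.0.113.9"),
    CheckIn("drive-003", "DE", "192.0.2.10"),
    CheckIn("drive-004", None, "198.51.100.7"),
    CheckIn("drive-005", "us", "2001:db8:10::5"),
    CheckIn("drive-006", "US", "not-an-ip"),
]

if __name__ == "__main__":
    for c in SAMPLE_CHECKINS:
        action, reason = evaluate(POLICY, c)
        print(f"{c.device_id}: {action} ({reason})")
```

Source-IP geolocation is approximate and a VPN can shift it, which is why the example treats a failed lookup as a lock and reserves the wipe for a definite rule violation.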
Have a Consistent Data Security Policy
It’s really a matter of having a consistent policy for your data at rest. Many organizations require their PCs and Macs to have full disk encryption enabled. But that policy is not enforced when it comes to removable media like a USB drive. By using a manageable and encrypted storage device you can maintain a secure policy for your data no matter where it goes.
If we look at the SANS Top 20 Security Controls, Critical Control #17 – Data Loss Prevention specifically addresses how best to handle sensitive data and prevent it from leaving your organization without permission. The advice from SANS is to “deploy approved hard drive encryption software to mobile devices and systems that hold sensitive data,” and that “enterprise software should be used that can configure systems to allow only specific USB devices (based on serial number or other unique property) to be accessed, and that can automatically encrypt all data placed on such devices.”
For workers who travel, teleworkers shifting between work and home, or contractors working with your data, a secure, managed USB thumb drive is more secure than online file sharing, and certainly better than unencrypted and unmanaged notebook computers, USB devices and smartphones. Management also adds an extra layer of security against both external and insider threats. IT can address a number of potential security threats by implementing policies that require users to use encrypted flash drives.