Securing Flash Drives within the Enterprise
Flash drives have revolutionized the business world with their convenience and portability; however, for infosec professionals, flash drives are a dual edged sword. Their tiny size often makes them easy to lose and their storage capacity allows massive amounts of potentially sensitive data to be stored and transported on them.
If lost or stolen, a single unencrypted flash drive has the potential to cause a massive data breach.
So how can infosec professionals deal with flash drives?
Ban them and there is the risk that productivity will suffer. Business professionals utilize flash drives constantly for sales data, customer presentations, marketing and more. But if they are allowed without having some sort of management plan in place they pose a very real security threat. So, can thumb drives be managed without severely limiting their functionality and convenience?
The answer to this will vary greatly depending on your organizational policies and security standards; however, there are options for using flash drives securely.
The starting point should be a well written and detailed security policy; one that is explained and made accessible to all employees (for more on this, check out this article). Clearly communicating the policy to employees and providing training is essential since they are the ones who will be carrying out and following the guidelines. The security policy should clearly outline secure flash drive protocol and acceptable security standards (i.e. - whether BYOD is acceptable, encryption mandates, password strength, etc.).
Another point on security policies: Review them frequently. Technology changes quickly, so a review of your policy should be a regular occurrence. After the review, update what needs to be updated, redistribute to your users and retrain if necessary, then schedule another review down the road.
Once you have a good security policy in place, you need a way to enforce some of the rules outlined within it. One of the best ways is with an endpoint security application. Endpoint security applications are available through a variety of vendors and come in a wide variety of configurations and prices. From simple USB device control to full system control, the choice will depend on your budget and needs.
You should create a whitelist (or blacklist) methodology for allowing or disallowing certain flash drives and users. Set restrictions on what data they can and cannot access and track data access and IP range. Some secure flash drive manufacturers can burn custom identifiers into their flash drives, allowing you to pair a memory stick to a user. This allows for easier tracking of exactly who is accessing what.
Remote management is a relatively new, but very powerful, feature for securing USB Flash Drives. Paired with endpoint security, it allows for a wider range of administrator control than using endpoint security alone. If you have a lost or stolen flash drive, remote management applications such as Kanguru Solutions Kanguru Remote Management Console (KRMC) allows you to remotely erase it, negating any possible data breach. In addition, Kanguru's remote management application allows for controlling password strength, invalid login attempts, IP ranges and more.
Encrypted Flash Drives
It should be a requirement that any thumb drives used within an organization be encrypted. Encryption is relatively easy to use and administer and it doesn't put a major damper on productivity either, so there no excuse for not using it. Devices with a high level of hardware encryption are preferred. Hardware encrypted flash drives have the least effect on performance and tend to be more secure than software encrypted flash drives.
Another option to consider is organization owned devices. By requiring employees to use company owned memory sticks with a lock down configuration it allows administrators to setup policies that can't be tampered with by individual users.
Some other options to consider are encrypted thumb drives with built-in anti-virus, tamper resistant design and drives that can limit the number of invalid login attempts. These are useful for preventing malware and also brute force attacks should someone without authorization attempt to access the device.
With the right combination of security policy, management tools and encryption, flash drives can be used in a safe, effective manner.
For more information on encrypted flash drives, checkout Eleven Questions to Ask When Buying a Secure Flash Drive (PDF)