It seems that a blind eye is being turned to removable storage devices because of their portability and ability to transfer large amounts of data (such as over 25 million veterans' personal data). Not many places seem to understand the true risks that removable storage devices pose. So I question, if you're responsible for information security, where do you draw the line between convenience and strict security guidelines?
Choosing between security and business functionality has always been a struggle, and it is up to the security officer, or whoever has been delegated this type of position, to decide what is best for the organization. There will be times when security needs outweigh business functionality needs and vice versa.
However, here are three steps to help you.
- Examine what regulations you must comply with and how the methods used to transfer sensitive data can make your organization non-compliant. This will put you in a better position to "lay down the law" and obtain the necessary funding from management.
Each of the following regulations has to secure some type of sensitive data. While none of them specifically require protection of removable devices, if sensitive data resides on these devices then they fall under the requirements of these regulations.
- Learn what sensitive data your users can access and potentially remove. Most environments have sensitive data transferred throughout the network and in too many accessible places. Centralize the organization's sensitive data in one or two locations, and encrypt it while at rest and in transit.
Finally, implement strong access controls on the central locations where the data resides. Unfortunately, for most employees to do their work, you will need to allow sensitive data to reside in more places than you would prefer – as in user workstations and laptops. In this type of situation, most organizations cannot ban the use of removable storage devices. To ensure sensitive data is properly protected, implement a product that controls how removable storage devices are used and monitor the type of data saved to these devices. Many of these products allow you to develop a "white list" of devices that are allowed. All other devices on the "black list" are disabled. Finally, consider implementing an encryption mechanism and password protection for the removable storage devices. Some of these products provide these options.
It is true that removable devices usually fly under the security radar. This is because security teams are too busy attempting to secure the more traditional methods used for data transfer, and removable storage devices have not fully hit the consciousness of those responsible for securing sensitive data, yet. Do not overlook PDAs, digital cameras, smartphones, Bluetooth and infrared devices. These are all potential points of danger; all allow data into and out of your environment, and they must be properly identified and controlled.
It is also necessary to make users accountable for their actions. This is where most organizations fall short. Integrate removable storage risks into your security policy. Provide configuration standards for the type of product you choose to purchase and implement. Integrate these types of risks into your security awareness training programs and when people do not do as they are told, management should hold them accountable and potentially make an example out of them. Sadly, users will usually ignore the rules unless the rules are accompanied with repercussions. Since organizations can now get hit with penalties themselves (SOX, GLBA, HIPAA, Privacy laws, etc.), users need to be forced to act responsibly.