Data loss has become front-page news recently due to several high-profile incidents at financial firms. Lost and stolen laptops are a major cause of data loss. This has led to financial services firms deploying disk encryption to protect sensitive data.
Where to begin?
Removable media poses a unique problem: it is disconnected, and can travel from system to system. How should it be controlled? One option is to disable the functionality completely, locking down the USB/firewire ports and blocking the installation and usage of external devices. Another is to implement more granular controls, allowing some devices, but not others. While the "all or nothing" approach is easier to implement, it's more restrictive and likely to disrupt certain office operations. The decision must be made carefully based on business operations as well as technical difficulties and the cost related to the implementation of these controls.
Here are some things to keep in mind when encrypting removable media:
- Create a policy. The first measure in any security program must be the establishment of good policies. Policies need to clearly define appropriate and inappropriate use as well as outlining what disciplinary actions will be taken if policies are ignored. In most environments, it wouldn't be feasible to ban all removable media or disable all CD/DVD burners. Decisions should be made while taking business operations as well as common practices into consideration. Once policy has been established, users must be made aware of the new policy through appropriate awareness training.
- Evaluate and implement technical controls. Some encryption products will automatically encrypt data copied or written to removable media. Another solution would be to control what sort of devices can be connected to corporate computers. For example, Windows XP lacks control over USB devices; USB is either enabled or disabled. Vista provides granular controls, to either allow or disallow specific devices or classes of device. This can easily be managed via Group Policy Objects (GPOs). There are also third-party software packages to allow control over what sort of external devices may be used or added to a system.
Additionally, there is a growing market of data loss prevention (DLP) products to assist in the tracking and management of information as it leaves your controlled environment.
- Have suitable audit controls. Auditing can provide a record of what data has been accessed, when, and by whom. It can also track who is using removable media.
There is no single measure that can address all the risks of removable media. As with most security measures, layers of controls and countermeasures are necessary to provide adequate protection. The key is to ensure the controls provide adequate protection without restricting or hindering normal business operations.
About the author: Randy Nash is CISSP with more than 25 years of professional experience in information security, system security, network security, personnel security, and physical security. First certified in ADP security and risk assessment in 1984, he has a long history of work with civilian, military and government entities. Randy also maintains the security website @RISK Online, where he regularly posts projects and articles on a wide variety of security topics.