How to Prevent Thumb Drive Security Disasters
For such a small device, the plastic, handheld USB flash drive can cause big security headaches. Even if you have robust end-point security and establish rigid policies about employee use of these drives, employees still find a way to copy financial reports and business plans for use at home. While other security breaches are more traceable, a flash drive is more difficult to monitor, especially after the employee leaves work.
Some security professionals suggest a radical approach to locking down USB flash drives. Sean Greene, a security consultant at Evidence Solutions, advises his clients to use a clear silicone caulk and fill every USB port on every PC to prevent USB attachments. He says the only way employees can transmit sensitive business documents is by email, a method that his clients can easily monitor.
Chris Harget, a spokesperson for security vendor ActivIdentity, adds that many military organizations don't allow the drives at all, and they have resorted to gluing USB ports closed to prevent breaches.
Yet, in the modern IT climate, CIOs know they have to provide the services employees need to do their jobs, and that can include using a USB drive. For example, in a sales organization, employees often need to load PowerPoint slides, which may contain company financials, onto a USB flash drive.
Some organizations have found ways to deter data breaches while still allowing employees to use the devices. A common theme is to have the data encrypted. "For low-cost drives that do not contain their own encryption engines, a strong software-based encryption solution is fine and can meet even the lower-end government certifications," says John Girard, a Gartner analyst. "The best practice is to never write data to external media that was not encrypted in the first place."
Here we profile four organizations that have taken slightly different approaches to dealing with thumb-drive security to match the organizations' specific needs and policies.
1. City of ColumbusApproach: Uses Intelligent ID software to categorize files, and then assign a level of encryption on the fly.
The City of Columbus is serious about thumb-drive security. "Because this external media could be easily lost or stolen, we are concerned about intellectual property theft and the loss of sensitive data, whether maliciously or accidentally," says the city government's CIO, Gary Cavin.
The city uses classification software from vendor Intelligent ID that does more than just encrypt data during file transfer. The software can be configured to encrypt data for a specific type of user or department, or even for specific file types, such as Microsoft Excel files.
Cavin says the city even marks files for encryption based on the data contained in the file. If the software finds a file with a Social Security number, the data is automatically encrypted. To read the files, an employee needs an encryption key. In some cases, they can transfer files in a rush to a flash drive, then request that IT send them the encryption key later to open the files.
Derek Brink, an analyst at Aberdeen Group, says Columbus is using what he calls an "active/fine-grained" approach, where every sensitive file is encrypted and the city constantly monitors all thumb-drive data transfers. By using the encryption keys, the city is also able to control how the data is accessed once the thumb drives leave the premises.
2. TurkcellApproach: Uses classification software from Titus that monitors Microsoft Office business documents and alerts users when they try to copy that data to a thumb drive.
Turkcell is one of the largest wireless carriers in Turkey, with more than 30 million subscribers, 2,800 employees, and about 5,000 computers installed in the corporate office in Istanbul. The company classifies every file and adds encryption when employees use thumb drives, but they also use a unique alerting system to warn users that they are about to copy sensitive data.
Gurkan Paplia, manager of enterprise infrastructure and security, says the company encrypts confidential data transfers to thumb drives. But it also uses Titus Classification for Office because most of the transfers for Microsoft Office files require extra security. (Also, the existing encryption engine they use can lead to false positives, flagging files as confidential when they are not.)
Girard says a default approach for any large company should be to block writing to any thumb drive. If there is a situation where a file must be copied, the employee can call the help desk for authorization based on job requirements and manager approval. That's what Turkcell has automated with the pop-up alerts.
Organizations should use a "least privilege" approach to thumb-drive security, similar to how Turkcell only allows the transfer of Office files, adds Damon Petraglia, a director at Chartstone, a security services company. CIOs should determine whether a department or specific employee really needs to transfer files to a thumb drive; if they do, the company should find a way to allow only certain types of files. In other cases, thumb drives should not even be allowed.
"If an employee does not absolutely need to use USB devices and thumb drives to complete his or her business functions, then these ports or avenues should be disabled," he says. "The only USB ports which should be open are dedicated to only those employees where it is essential to the business function."
3. CIGNAApproach: Allows employees to copy encrypted data, but they are prompted to type in a reason why they're copying. The reasons are later compared to the actual file transfers.
At CIGNA, one of the largest health insurance companies in the U.S., with nearly 20,000 employees, the goal is to provide employees with enough flexibility to get their jobs done. Craig Shumard, former chief information security officer, says employees are allowed to use USB flash drives to transfer files, but there's a security strategy, too.
First, Shumard says, the company uses Verdasys Digital Guardian software to monitor all ports and encrypt data transfers. He says he is surprised how many large organizations do not take this basic step. Next, when employees try to transfer files to a thumb drive, they are prompted to type in the reasons for the transfer. Later, the data they actually transferred is compared to those reasons.
This approach gives the employee the sense that they have the ability to transfer the files, but there will be accountability for those actions. Shumard says the approach reduced the anxiety employees have over doing their jobs - they might need to transfer files in a pinch to take them home for the night, and the employee might even decide it is more important to get the work done than to be secure.
Brink describes the approach at CIGNA as "active/coarse-grained," in that the health insurance company uses heavy encryption, blocks and even quarantines files, and monitors behavior -- but the policies also include end-user justification for the file transfer and gives employees a sense of control.
4. University of Alabama, Birmingham Health SystemApproach: Uses DeviceLock to monitor ports and encrypt data. Allows staff and students to use thumb drives at will, but all file transfers are monitored and recorded.
While many organizations rely on encryption to protect from thumb drive breaches, that is not the only approach available. At the University of Alabama at Birmingham (UAB) Health System, about 1,700 employees routinely use thumb drives, mostly for copying PowerPoint slides. However, as an organization that must adhere to HIPPA standards for patient records, the UAB Health System uses a multi-pronged approach.
First, in most cases, most USB ports are blocked entirely using DeviceLock software. This prevents most unauthorized file transfers. When doctors have a legitimate need to use a thumb drive, they can use an approved IronKey thumb drive that adds encryption. The software maintains a strict whitelist of approved IronKey drives assigned to employees.
The medical center chose this approach after conducting research about three years ago, says Terrell Herzig, the data security officer at UAB Health System. The organization monitored the use of all USB ports to see which files were transferred, and found that employees were using all sorts of USB thumb drives, as well as many brands of USB audio recorders.
Today, most employees will see an alert when they try to transfer files to an unapproved thumb drive. They can then call the help desk to request an IronKey drive to use. Using only approved devices affords a few other advantages. One is that the organization can shadow-copy file transfers to keep a record of which files were transmitted. Herzig says employees can also use the 1GB drives for other purposes while travelling or for home use.
Brink, the Aberdeen analyst, says the UAB Health System approach matches the "active/fine-grained" security that the City of Columbus uses, relying on encryption and monitoring, but focuses more on the thumb drive itself. He says organizational policies shouldn't be too soft or too hard (such as blocking access to almost all thumb drives) but should find a balance where the organization adopts standards and can encrypt on the fly.
Petraglia also urges companies to use a multi-pronged security approach to thumb drives where there are several tactics employed, not just one. "Once the data is on an employee's thumb drive the organization no longer controls it," he says, leaving the data open for theft. "The employees can [then] make copies or send that data from and to computers outside of the organization."
Whether the chosen security approach is to allow only one approved thumb drive, prompt users for the reasons they need to copy data, allow only Microsoft Office transfers, or classify files for approved transfers, each technique addresses one simple reality: Employees will use thumb drives, and they will find ways to continue using them.
John Brandon is a former IT manager at a Fortune 100 company who now writes about technology.
Read more about security in CIO's Security Drilldown.