Reaping All the Benefits of Secure USB Drives Under Management Control
A secure USB flash drive instantly secures all stored data, using hardware encryption and a mandatory password. The point of introducing this technology into your organization is thus apparent: Never again will you lose data on a stick.
Executive Summary
There are several factors to consider as your organization prepares to procure secure USB flash drives, especially regarding central management of this technology.
- First among these is the speed and ease of deployment: How quick and easy will it be to distribute drives to users? Remember also that provisioning and delegation of rights to administrators should require as little effort and incur as few costs as possible.
- A second factor to consider is the level of control you will have over end users of the USB flash drives. It is essential to allow only authorized software content, and when distributing content and software, you must be able to verify whether it has been received. You must also ensure that the drives enjoy efficient and effective malware protection.
- Consider also the need for privacy – don’t store passwords centrally! – and how you will comply with existing legislation and your organization’s policies. Ask yourself, can we audit the drive content? Does local law permit the auditing of end users at all?
- Fourth, you must determine methods for the administration of every task. How will you assist offline users with a forgotten password? Can data from a lost device be quickly recovered to a new drive, and how can missing drives be tracked and retrieved?
- A fifth element to consider is integrating your current infrastructure. How can you incorporate the solution with your existing software? Does the software have hooks and APIs that you must know about? Is it possible to export data to your other systems?
- Finally, consider the overall situation regarding access to your systems; it should be easy to deny access to users and administrators who have left the organization. Rather than having to remove users explicitly from several systems, you should be able simply to update your central user directory.
Introduction – Moving Beyond Locked-Down Devices
USB flash drives are an integral part of our working lives. Alongside laptops and smartphones, USB flash drives play a crucial role in enabling remote and flexible working patterns. Even more critical, USB flash devices give us mobile access to all those files too sensitive or too large to be downloaded over a public network.
Serious data breaches and malware threats caused by exploited, unsecured USB drives have left no industry unaffected. A Manchester police department was closed for days when a single USB drive infected its entire system with the Conficker virus. Zurich Insurance was fined £2.8 million for the loss of a portable data storage device. All these issues can be prevented with hardware-encrypted, secure USB flash drives. But secure drives alone are only part of the solution.
Evaluating secure USB flash devices can be a complex task, especially when assessing their management systems; measuring candidates against a clear baseline is a big timesaver. This paper offers a general discussion of some of the major problems a management system should help solve and how you can get the most out of the solution.
Management Should Add Value to Your Investment
By adding a system to manage your secure USB drives, you can attain additional security benefits that are crucial to any organization. The right solution will provide complete control and visibility and support everyday usage by allowing you to manage your investment. But not all management systems are alike. Choosing the wrong solution can cause more harm than good. There is a risk of focusing so much on ‘the ball’ that you end up ruining your whole ‘game’ – the wrong solution can create management chaos and disrupt end-user productivity. Simply put, there is a great incentive to get it right the first time. Managed, secure USB drives can be productivity multitools that make it easy to share, transport, distribute, collaborate and work with data and virtual environments directly off the drive.
Ask Yourself – How Do We Get Devices Connected to a Server and Under Management Control?
- How do we get managed devices into the hands of users?
- Is the process flexible? Can we ship devices and connect them at any point?
- Does each device need to be preregistered?
- How do we assign administrators to the central management system?
- How do we avoid creating a new user-group structure as we develop configuration and assign rights to users and administrators?
- Is the device connected to the server in a simple process that does not involve manual steps, extra codes, or other means that might confuse end users?
- How secure and easy is connecting a device to the server?
Devices Must Be Under Administrator Control
To attain any level of computer security, admin rights must not be assigned to users. The administrator should decide what is stored on the drive, authorize what software runs on the USB drives, install any needed software and send necessary files to the specific devices. With the right management system and the right person in the administrator role, users can relax and go about their everyday USB usage.
Contrast this approach with that of most organizations, in which the use of unsecure USB drives has spun totally out of control and, in some cases, caused total havoc, including such consequences as data loss and malware infections. Even secure USB drives can cause problems if end users are left to fend for themselves when exposed to malware, phishing, and social engineering attacks. These issues often can be traced back to the devices being out of the administrator’s reach.
Viruses tailored to fit USB drives have ranked as the number one threat for several consecutive years in most major antivirus vendor reports. And yet, the likelihood of a malware infection is almost eliminated by simply stripping the end user of admin rights.
Proper management can elevate the productivity of your organization’s secure USB drives without increasing security risks by enabling secure data exchange and collaboration on both trusted and unknown machines.
Ask Yourself – Who Is in Charge of the Devices?
- How do we ensure that only preapproved software is used on the organization’s devices?
- Are we able to roll out new portable software to remote devices without user interference or assistance?
- How does the solution protect against USB viruses that are not on the virus lists (zero-day threats)?
- Does the malware protection still allow the user to work with the USB device?
Both Privacy and Compliance Must Take Precedence
A central management system is robust. A new solution mustn’t cross the line between privacy and compliance. When an organization implements a secure USB drive, the main system mustn’t store copies of the device’s password. Storing the passwords centrally would violate a basic security principle and render hardware security useless.
USB drive management systems typically collect information about the user’s device and activity; an administrator can trace the user on a map within the central system. This can be an essential tool for some organizations, while in other cases, it can cause severe privacy and security issues. Still, the organization should have complete audit control if this is permitted under the existing legislation within its jurisdiction. Therefore, the organization must have the option of operating the system with all auditing modules in an ‘off’ mode.
When deciding on a management solution, your organization must ensure server and server-to-device security and integrity. In a best-case scenario, the organization can lock down all communication using private certificates. This will ensure that eavesdropping and server breaches are not an issue.
You should also carefully assess what bringing in a new system and new users means. When users leave the organization, how do you ensure they can’t access sensitive information on a USB drive or log in to any of your management systems, causing a severe data breach? Ideally, all authentication attempts will be synchronized with your central user repository. When you disable a user in your LDAP database, that user should be locked out automatically from any other systems or data.
Ask Yourself – Is the Solution Compliant with Legislation and the Organization’s Policies?
- Do we prohibit storing user passwords centrally in plaintext?
- Can the auditing modules be turned off?
- Is it possible to deactivate privacy-sensitive features?
- How do we assure confidentiality of server-stored information?
- Does the solution accept private certificates?
- Who could have access to the server and server-to-device communication?
Devices Must Be Managed for Everyday Life
Your organization wants to enjoy the benefits of USB drives without the downsides. Users must go about their daily business at their pace without being limited by the security protocol. Any task that can be made automatic and transparent for the end user should be implemented. This will ensure that users quickly adopt and accept the secure device as another work tool.
A secure USB drive is a small device living a hard-knock life. It will be dropped, forgotten, left in pockets to be laundered, and sometimes even stamped upon. And compare these superficial, exterior dangers with the interior risks: resetting forgotten user passwords, cloned data, enforcing password policies, and failure to adopt (and even later change) a security policy.
Secure USB drives are everywhere. That is why they were invented: to move data around. Securely. Therefore, the management solution should not require the administrator, user, and device to be in the same place to perform a procedure as simple as resetting a device password or recreating a lost device. Nor should the administrator have to rely on an internet connection to get the job done. For example, say an executive has forgotten a device password, and the big presentation is five minutes away. You want to give him the correct answer – and that answer is not ‘I need you to fly back to the office to access the presentation.’ Given the right circumstances, the administrator should be able to factory reset, terminate and disable devices; assign devices to new users; and even recreate lost devices – without leaving their desk. And remember, these devices might be dispersed all over the world.
Ask Yourself – Is the Security Solution Built for the Real World?
- How do we assist a disconnected remote user with a forgotten password?
- Does the solution play well with other endpoint security systems?
- How do we recreate a lost device without interfering with the user’s everyday work?
- Can the organization activate backup for all devices?
- Is the device backup automatic, transparent, and incremental?
- Is the administrator able to clone a lost device onto a new, off-the-shelf device once the user simply plugs it in?
- Is it possible to display an organization-wide ‘lost’ message to devices that have been reported lost?
- Is the administrator able to control and support user devices with a click of a button without being on location?
A Long-term Solution to a Moving Security Target
It has been ten years since the USB drive came on the market, and the world’s leading organizations recognize the benefits of managing secure USB drives. This is proven technology, an emerging industry that is demonstrating fast growth. New technological breakthroughs include running full virtual desktops off the devices and letting them double up as two-factor authentication tokens.
Ask Yourself – What Does the Future Hold for This Technology?
- Is it possible to get access to a software escrow?
- Is there a device API that will assure that future integrations will be possible?
- Is there a server API that can make it possible to access the central system securely?
- Does the device support a signed secure update?
Moving Forward – Managing Devices Can Be Easy and Quick
There is a sense of urgency when solving the USB drive’s security problems; organizations must take the necessary steps to avoid losing data and attracting malware. Adding management power over your organization’s secure USB drives can be a straightforward, no-fuss procedure.
The right central management system will make the most of these intelligent devices. It will empower the organization to manage each device’s life cycle over the internet. It will permit the organization to assign secure drives to new users throughout each device’s technical lifespan. With the click of a button – what seems like a stroke of magic – your USB security solution will be upgraded to a full-fledged, secure productivity tool, thus easing the burden for your organization, your central administrator, your support staff, and your end users.
Sources
1) http://www.scmagazineuk.com/greater-manchester-police-hit-by-conficker-from-infected-usb-that-leaves-itunconnected-from-its-network-for-three-days/article/162904/
2) http://www.scmagazineuk.com/zurich-insurances-fsa-fine-should-act-as-a-warning-on-the-importance-ofprotecting-sensitive-information/article/177482/