With the inclusion of multiple USB, FireWire and Bluetooth channels on desktops, laptops and other types of endpoints, moving large amounts of data for storage and business purposes has never been easier. These devices and other removable media allow users to extract huge amounts of data in an instant, making sensitive data on any computer vulnerable. One of the most popular USB storage devices is the Apple iPod and iPhone. Consequently, the new slang term “pod slurping” describes transferring files to these devices, and likewise “bluesnarfing” describes stealing data from a wireless device by way of a Bluetooth connection. Whatever the term, it is very easy to move significant amounts of sensitive data from an endpoint to a USB storage device, and these transfers almost always go undetected by enterprise security controls. Once sensitive data has moved to a storage device it is untraceable and easily removed from the enterprise and compromised. Moving this data without an audit trail or encryption also constitutes a violation of regulatory laws such as the Health Insurance Portability and Accountability Act (HIPAA), Gramm-Leach-Bliley (GLB), International Traffic in Arms Regulations (ITAR) in the case of a foreign national, a myriad of ever-increasing state privacy laws and of course PCI compliance.
To offer some level of risk mitigation, many companies have deployed a removable media tool that encrypts the entire USB drive or any files being copied to it, restricted the use of USB drives and, in some extreme cases, even glued shut the computer ports of machines in high-risk locations. These approaches offer some level of efficacy but in no way offer a preferred solution to mitigating data loss risk, as they fail to:
- Offer audit records of data moving to mobile devices, and so are unhelpful in compliance audits and investigations
- Automate both data movement and encryption controls, instead relying on end users to enact the control
- Offer a solution that can align business processes and security policy and actually enable greater collaboration across end users
- Deploy in a single integrated platform, instead forcing unwanted infrastructure, agents, key management systems and reporting interfaces
- Cover anything more than a single data loss channel (USB), requiring additional tools to cover other loss points (FireWire, DVD, Bluetooth, as well as email, FTP, cut and paste and more)
The last two points hide an even larger information protection problem: the failed strategy of deploying multiple point tools across all the potential channels of data loss. Companies that have taken this strategy continue to see large data losses as well as failed audits. The lack of a unified information protection solution leaves large gaps in policy execution and actually increases risk due to unneeded complexity.
Digital Guardian Removable Media Encryption
Digital Guardian RME provides transparent and automated data-level or device-level encryption and control of both managed and unmanaged devices. With Digital Guardian, encryption and decryption can occur automatically and without the user’s knowledge for files being moved to mobile devices by authorized users on machines where Digital Guardian Agents are installed.
Benefits of Digital Guardian RME
- Manages data and devices individually by file, device type, brand or model with a uniform set of policies
- Eliminates the need for multiple device management and encryption tools
- Delivers unified file and device encryption, access and audit policies in a true single agent
- Configurable to provide agentless password-based as well as transparent agent-based encryption/decryption
- Provides a complete audit of data-level and device usage and an encrypted file inventory (stored in clear text or encrypted) to meet compliance and forensic needs
- Automated key management, storage and destruction system, centralized via policy for easy management
Digital Guardian’s patented encryption capabilities are built upon the integrated key management system that authenticates Digital Guardian Agents to the Digital Guardian management console. Each Agent holds a certificate containing the public key for the Server and its own unique private key. The Server holds a current certificate, containing the public key of the Agent, for each Agent that the Server has communicated with. Digital signatures are also used to ensure non-repudiation of collected and reported activity data. This integrated server and agent encryption system eliminates the need for separate PKI/key management systems and the overhead that comes with them.
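The following is an added illustration, not the product’s own code, of the non-repudiation pattern described above: an agent signs each activity report with its unique private key, and the server accepts the report only if it verifies under the public key held in that agent’s certificate. The record fields, agent name and use of Ed25519 are assumptions for the example.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"fmt"
)

// ActivityRecord is a constructed stand-in for one agent-reported event;
// the page does not describe the product's real record format.
type ActivityRecord struct {
	Agent  string `json:"agent"`
	Action string `json:"action"`
	File   string `json:"file"`
	Device string `json:"device"`
}

// SignRecord is the agent side: serialise the event and sign the bytes with
// the agent's unique private key.
func SignRecord(priv ed25519.PrivateKey, r ActivityRecord) (payload, sig []byte, err error) {
	if payload, err = json.Marshal(r); err != nil {
		return nil, nil, err
	}
	return payload, ed25519.Sign(priv, payload), nil
}

// VerifyRecord is the server side: accept the record only if the signature
// checks out under the public key held for that agent, so altered or forged reports fail.
func VerifyRecord(pub ed25519.PublicKey, payload, sig []byte) (ActivityRecord, bool) {
	var r ActivityRecord
	if !ed25519.Verify(pub, payload, sig) || json.Unmarshal(payload, &r) != nil {
		return ActivityRecord{}, false
	}
	return r, true
}

func main() {
	// The public half is what the server would keep in this agent's certificate.
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	rec := ActivityRecord{Agent: "agent-01", Action: "copy", File: "forecast.xlsx", Device: "USB"}
	payload, sig, _ := SignRecord(priv, rec)
	_, ok := VerifyRecord(pub, payload, sig)
	fmt.Println("genuine record accepted:", ok) // true
	// Alter the report after signing: verification must now fail.
	payload = bytes.Replace(payload, []byte("copy"), []byte("read"), 1)
	_, ok = VerifyRecord(pub, payload, sig)
	fmt.Println("tampered record accepted:", ok) // false
}
```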

Removable Media Encryption Use Case
It is critically important to understand the business use case behind the need to control and encrypt removable media. In most cases the initial business problem is defined by an experienced risk (loss of sensitive data through a USB drive) or a failed audit and the problem definition stops there. In fact, there are more questions that need to be asked in order to effectively mitigate the risk.
- Where do the mitigating controls need to be deployed? Across the enterprise? In high-risk locations?
- Are different data movement controls needed? Audit, encryption, user awareness, blocking?
- How are employees currently using USB devices in their daily jobs? How can a solution be deployed that does not interfere with proper business activity?
- Critically, if business activity is interrupted, are employees likely to create a new risk in the process of bypassing a single-channel control like USB encryption?
It is critical for the security team to properly define the complete use case so that proper policy is defined, effective controls are put in place, compliance requirements are met and, most importantly, the business process is not interrupted or burdened.