Removable Media Encryption Module

Removable Media Encryption (RME) automatically enforces policy-based encryption for files copied, moved or saved to any USB or Media Transfer Protocol (MTP) supported device (e.g. thumb drive, MP3 player, camera, smartphone, etc.). RME allows any portable device to be a secure data traveler, eliminating the need and cost of requiring specialty encrypted devices. Its adaptive policies also ensure that encryption controls are enforced only for sensitive information on a device, meaning non-sensitive data can be moved to a USB device without encryption being activated.
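As an added illustration of the adaptive, policy-driven behaviour described above (example code written for this page, not Digital Guardian's own implementation): a small Go model in which an agent intercepts a write, classifies the content with constructed regular-expression detectors, encrypts with AES-256-GCM only when sensitive content is headed for removable media, and emits an audit record for every write. The destination classes, the detectors, the policy rule and the record layout are all assumptions of this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"regexp"
)

// Destination classes the agent distinguishes and the policy outcome for one
// write. Hypothetical model, not Digital Guardian's policy schema.
type Destination int
type Action int

const (
	FixedDisk Destination = iota
	RemovableUSB
	RemovableMTP
)

const (
	AllowClear       Action = iota // non-sensitive, or local disk: write as-is
	EncryptThenAllow               // sensitive data leaving to removable media
)

// Constructed classifiers: a US SSN shape and a 13-16 digit card-like run.
var sensitivePatterns = []*regexp.Regexp{
	regexp.MustCompile(`\b\d{3}-\d{2}-\d{4}\b`),
	regexp.MustCompile(`\b(?:\d[ -]?){13,16}\b`),
}

// Decide applies the adaptive rule: encryption is enforced only when
// sensitive content is headed for removable media; everything else passes.
func Decide(dst Destination, content []byte) Action {
	if dst == FixedDisk {
		return AllowClear
	}
	for _, re := range sensitivePatterns {
		if re.Match(content) {
			return EncryptThenAllow
		}
	}
	return AllowClear
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encrypt seals plaintext with AES-256-GCM and returns nonce||ciphertext.
func Encrypt(key, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// Decrypt reverses Encrypt; any modification of the blob fails authentication.
func Decrypt(key, blob []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("blob too short")
	}
	return gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], nil)
}

// AuditRecord is emitted for every write to removable media, encrypted or not.
type AuditRecord struct {
	File   string
	Dst    Destination
	Action Action
	Bytes  int
}

// CopyToDevice models the agent intercepting a copy: evaluate policy,
// encrypt if required, and always produce the audit record.
func CopyToDevice(key []byte, name string, content []byte, dst Destination) ([]byte, AuditRecord, error) {
	act := Decide(dst, content)
	out := content
	if act == EncryptThenAllow {
		var err error
		if out, err = Encrypt(key, content); err != nil {
			return nil, AuditRecord{}, err
		}
	}
	return out, AuditRecord{File: name, Dst: dst, Action: act, Bytes: len(content)}, nil
}
```

The example takes the key as a parameter; in a product of this kind the per-file or per-device key would be issued and retained by central key management rather than generated on the endpoint, so that an encrypted file can be recovered without the device that wrote it. The audit record is produced on the clear-text path too, which is what makes the "non-sensitive data moves without encryption" policy auditable rather than silent.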

With multiple USB, FireWire and Bluetooth channels on desktops, laptops and other types of endpoints, moving large amounts of data for storage and business purposes has never been easier. These devices and other removable media allow users to extract huge amounts of data in an instant, making sensitive data on any computer vulnerable. Once sensitive data has moved to a storage device it is untraceable and easily removed from the enterprise and compromised. Moving this data without an audit trail or encryption also constitutes a violation of regulatory laws such as the Health Insurance Portability and Accountability Act (HIPAA), Gramm-Leach-Bliley (GLBA), the International Traffic in Arms Regulations (ITAR), the UK Data Protection Act (DPA) and many more.

To offer some level of risk mitigation, many companies have deployed a removable media tool that encrypts the entire USB drive or any files being copied to it, restricted the use of USB drives, and in some extreme cases even glued shut the ports on machines in high-risk locations. These approaches offer some level of efficacy but are in no way a preferred solution to mitigate data loss risk, as they fail to:

  • Offer audit records of data moving to mobile devices, and so are unhelpful in compliance audits and investigations
  • Automate both data movement and encryption controls, instead relying on end users to enact the control
  • Offer a solution that aligns business processes with security policy and actually enables greater collaboration across end users
  • Deploy in a single integrated platform, instead forcing unwanted infrastructure, agents, key management systems and reporting interfaces
  • Cover anything more than a single data loss channel (USB), requiring additional tools to cover other loss points (FireWire, DVD, Bluetooth, as well as email, FTP, cut & paste and more)

The last two points hide an even larger information protection problem: the failed strategy of deploying multiple point tools across all the potential channels of data loss. Companies that have taken this strategy continue to see large data losses as well as failed audits. The lack of a unified information protection solution leaves large gaps in policy execution and actually increases risk through unneeded complexity.

Digital Guardian® Removable Media Encryption

Digital Guardian RME provides transparent and automated data-level or device-level encryption and control of both managed and unmanaged devices. With Digital Guardian, encryption and decryption can occur automatically and without the user's knowledge for files being moved to mobile devices by authorized users on machines where Digital Guardian Agents are installed.


Benefits of Digital Guardian RME

  • Manages data and devices individually by file, device type, brand or model with a uniform set of policies.
  • Eliminates the need for multiple device management and encryption tools.
  • Delivers unified file and device encryption, access and audit policies in a true single agent.
  • Configurable to provide agentless password-based as well as transparent agent-based encryption/decryption.
  • Provides a complete audit of data-level and device usage and an inventory of files (whether stored in clear text or encrypted) to meet compliance and forensic needs.
  • Automated key management, storage and destruction system, centralized via policy for easy management.

Digital Guardian's patented encryption capabilities are built upon the integrated key management system that authenticates Digital Guardian Agents to the Digital Guardian management console. Each Agent holds a certificate containing the public key for the Server and its own unique private key. The Server holds a current certificate, containing the public key of the Agent, for each Agent that the Server has communicated with. Digital signatures are also used to ensure non-repudiation of collected and reported activity data. This integrated server and agent encryption system eliminates the need for separate PKI/key management systems and the overhead that comes with them.
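To make the agent/server key arrangement concrete, here is an added Go example (written for this page, not Digital Guardian's code) using Ed25519 from the standard library. Each agent generates its own key pair and holds the server's public key; the server keeps one public key per enrolled agent and its own private key; agents sign every activity report; the server accepts a report only if it names an enrolled agent, the signature verifies under that agent's key, and the report carries a sequence number it has not already seen; and agents act only on policy that carries the server's signature. The certificate exchange is collapsed into a direct Enroll call, and the report fields and the per-agent sequence-counter rule are assumptions of the example rather than anything the page states.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
)

// ActivityReport is one audit event an agent reports. The field set is a
// constructed stand-in for whatever the real product collects.
type ActivityReport struct {
	AgentID string `json:"agent_id"`
	Seq     uint64 `json:"seq"` // per-agent monotonic counter (assumption): blocks replay
	Event   string `json:"event"`
	File    string `json:"file"`
	Device  string `json:"device"`
}

// SignedReport is the canonical JSON of a report plus the agent's signature over it.
type SignedReport struct {
	Payload   []byte
	Signature []byte
}

// Agent keeps its own private key and the server's public key.
type Agent struct {
	ID        string
	priv      ed25519.PrivateKey
	serverPub ed25519.PublicKey
}

// Server keeps a private key for signing policy and one public key per enrolled agent.
type Server struct {
	priv    ed25519.PrivateKey
	agents  map[string]ed25519.PublicKey
	lastSeq map[string]uint64
}

func NewServer() (*Server, error) {
	_, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Server{priv: priv, agents: map[string]ed25519.PublicKey{}, lastSeq: map[string]uint64{}}, nil
}

func (s *Server) PublicKey() ed25519.PublicKey { return s.priv.Public().(ed25519.PublicKey) }

// Enroll records an agent's public key; in the product this is the certificate exchange.
func (s *Server) Enroll(id string, pub ed25519.PublicKey) { s.agents[id] = pub }

// NewAgent generates the key pair on the endpoint; the private key never leaves it.
func NewAgent(id string, serverPub ed25519.PublicKey) (*Agent, error) {
	_, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Agent{ID: id, priv: priv, serverPub: serverPub}, nil
}

func (a *Agent) PublicKey() ed25519.PublicKey { return a.priv.Public().(ed25519.PublicKey) }

// Sign serialises the report and signs exactly the bytes that will be sent.
func (a *Agent) Sign(r ActivityReport) (SignedReport, error) {
	r.AgentID = a.ID
	payload, err := json.Marshal(r)
	if err != nil {
		return SignedReport{}, err
	}
	return SignedReport{Payload: payload, Signature: ed25519.Sign(a.priv, payload)}, nil
}

// Verify accepts a report only from an enrolled agent, with a valid signature,
// and with a sequence number beyond the last one accepted for that agent.
func (s *Server) Verify(sr SignedReport) (ActivityReport, error) {
	var r ActivityReport
	if err := json.Unmarshal(sr.Payload, &r); err != nil {
		return ActivityReport{}, err
	}
	pub, ok := s.agents[r.AgentID]
	if !ok {
		return ActivityReport{}, errors.New("unknown agent " + r.AgentID)
	}
	if !ed25519.Verify(pub, sr.Payload, sr.Signature) {
		return ActivityReport{}, errors.New("bad signature")
	}
	if r.Seq <= s.lastSeq[r.AgentID] {
		return ActivityReport{}, errors.New("replayed or stale sequence number")
	}
	s.lastSeq[r.AgentID] = r.Seq
	return r, nil
}

// The other direction: agents act only on policy the server has signed.
func (s *Server) SignPolicy(policy []byte) []byte { return ed25519.Sign(s.priv, policy) }
func (a *Agent) VerifyPolicy(policy, sig []byte) bool {
	return ed25519.Verify(a.serverPub, policy, sig)
}
```

Two details carry the non-repudiation property the page claims: the server verifies against the key it recorded at enrollment, not a key carried inside the report, and the signature is checked before the sequence counter is advanced, so a rejected report cannot burn a sequence number and block a legitimate one.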