|
A definitive answer to this question will depend upon the economics of the enterprise and the nature of its IT investment, but I think some of the high-end, encrypted, self-deleting USB drives are worth looking into and may be a good investment. What distinguishes these drives is a comprehensive approach to security, with the encryption and key storage taking place on the drive, which is itself physically well-fortified. This approach has the potential to defeat several types of attacks.
Although physical theft or accidental loss of the device still has the potential to create a major inconvenience, the self-deleting feature is a good defense against physical theft of the device. The mechanism allows the device to erase all the data stored on it in the event of repeated attempts to access the data using the wrong password, which provides a lot of peace of mind when a device containing sensitive data goes missing. The feature, however, does underline the need for frequent backups.
Beyond combating simple physical theft, properly armored USB devices can defeat attempts to beat their encryption through physical access to the chips. And devices that contain their own keys have the potential to defeat attempts to capture keys from system memory. Note that the operative word here is "potential." I have not had a chance to conduct a thorough review of these devices, and so I can't say that they implement their encryption schemes in a foolproof manner. That's why I recommend that enterprises investigate them further before adopting.
Some of these devices are also sold with an online component to enable secure communications and backup of data and keys, as well as provide malware protection. Again, this sounds like a sensible approach, but real-world implementations would need to be tested before betting the security of your enterprise's data on them. And, of course, these devices are no defense against a user who is prepared to be dishonest and sell your data to a competitor. For example, I don't see anything in the default configuration of these devices to stop a user handing the encrypted drive to a stranger who then plugs it into his or her laptop, enters the whispered password and copies the targeted data.
Implementing this technology in an enterprise may hit practical limits in the area of price and capacity. I just checked the space used by what I consider essential content on my laptop, and it takes up more than 40 GB. That number does not include my 30 GB MP3 collection, but does include a fairly large photo collection that I could conceivably exclude from "essential work files." That means a 32 GB flash drive might work for me, and encrypted drives of this capacity are now available, although you pay a premium for high capacity. On the other hand, my work these days includes some storage-intensive video editing, so I might not be a typical enterprise user. The bottom line is that prices of these devices will continue to fall over time and capacities will increase, so they may fall into line with enterprise economics at some point in the not-too-distant future. Conducting an in-house trial of the technology before then may be the smart thing to do.
More information:
Ed Skoudis explains how to fight viruses and malware with your USB flash drive.
A SearchSecurity.com reader asks our expert panel, "Do USB memory sticks pose enterprise threats?"
|
