This article can also be found in the Premium Editorial Download "Information Security magazine: Combatting the new security threats of today's mobile devices."
Thumb drives, removable memory cards and smartphones often carry business data without IT permission, oversight or protection against loss or theft. Unfortunately, these handy little portable storage devices can jeopardize gigabytes of sensitive information.
According to a study by Applied Research-West, three of four workers save corporate data on thumb drives, including customer records (25 percent), financials (17 percent), and business plans (15 percent). Yet, fewer than half of businesses routinely encrypt thumb drives. Fewer still consistently secure data copied onto today's rising tide of consumer smartphones.
Some companies underestimate the business risk posed by unencrypted portable storage. Others acknowledge the risk but, in lean economic times, lack the budget to battle it. But these excuses could leave employers in hot water if a regulated data breach occurs.
"If [a portable device] carries customer or payment information, you have to protect it, no matter who owns it," says Mark Jordan, senior product manager at Sybase. "If you can't afford to manage and secure it, don't store sensitive data there. It's a cost versus liability decision; even one breach could bankrupt a small company."
REGULATORY COMPLIANCE DEMANDS MORE THAN ENCRYPTION
Regulatory compliance tends to drive portable storage protection projects. From the Sarbanes-Oxley Act (SOX) and the Federal Information Security Management Act (FISMA) to California Senate Bill 1386 and the Massachusetts Data Protection Act, companies have plenty of motivation to stay out of breach headlines.
In April 2009, a single BlackBerry stolen from a hospital put 3,200 patient records at risk. In October 2009, one 4 GB thumb drive stolen from a worker's car exposed more than 15,000 community college student and employee records.
Unfortunately, data breaches such as these are no longer rare or limited to laptops.
"If I'm a compliance officer, responsible for keeping data private so that my company can thrive, I have to be thinking about not just my own machines, but data everywhere," says Sean Glynn, vice president of marketing at Credant. "My company is still responsible for that data and could face heavy fines if I can't report on its status."
But, from giveaway thumb drives to personal iPhones, many portable storage devices enter the workplace without IT approval.
"You could try to block those devices, but that horse has left the barn. Because it is executives who bring in the latest gadgets--executive bling--any policy that blocks everything [unknown] quickly gets broken. Many of our customers are at the stage of auditing where data is going, trying to decide what to do," says Glynn.
Jordan counsels customers to consider all possible data loss vectors for each device. "Suppose a lost device is protected with FDE and restrictive passwords. That's great, but what happens when [a thief] removes that device's SD or SIM card? You have to make sure that everything is protected and that you can detect any attempted breach," he says.
Rigorous protection may also require more than native encryption. For example, "There's a perception that if you lock your BlackBerry, everything is encrypted," says John Jefferies, vice president of marketing at IronKey. "But the Mantech Crowbar can snap the contents of a BlackBerry's SD card quickly, cracking a 4-digit PIN in 30 seconds."
While standalone media encryption is sufficient for some businesses, it may not satisfy auditors. In addition to centralized policy enforcement and reporting, "Some customers feel that they can't comply with SOX unless they can unlock a device to recover data if an employee leaves," says Jefferies. "Remote wipe and kill have also become increasingly important; the Massachusetts law mandates that functionality."
DEFINING ACCEPTABLE USE
Most people who find a thumb drive try to read it and then start using it to transport files. Smartphone purchasers usually synchronize contacts and email during set-up. It is simply human nature to quickly copy a mixture of personal and business data onto these devices.
Risk reduction therefore begins with policies that govern acceptable use. Limit business data exposure by defining what can and cannot be copied onto each device and how that data may be stored, modified, deleted, or shared with others. Identify how device status and data movement will be monitored and enforced, including scenarios in which IT may recover or delete business (and perhaps personal) data.
Tim Matthews, a senior director at PGP, recommends that policies assume multiple devices per worker--some IT-issued, some not. "Each person probably has one laptop, one phone, and several USB drives that they want to take home or share with partners and co-workers. These days, people often have at least two or three USB sticks, plus a terabyte removable drive [for backup], that are not provisioned by IT."
Even business phone procurement seems to be changing. "The trend now, based on consumerization and cost, is to let employees buy their own smartphones," says Khoi Nguyen, group product manager, mobile security group, Symantec. "Some companies are giving employees a stipend towards whatever device they want to use. But, once users choose their phone, they have to sign [AUPs] where they agree to install certain required software and to let IT apply certain policies."
Given device proliferation, Ram Krishnan, senior vice president of products and marketing at GuardianEdge, recommends defining policies to control data flow. "Define granular blacklists or whitelists to restrict data transfer onto any removable media," he says. "In addition to [device] types, makes, and models, specify [permissible] port and file types -- for example, letting presentations but not spreadsheets be copied [via] USB."
To promote compliance, policies should reduce data risk while minimizing user impact. For example, Jesper Svegby, product manager for CheckPoint mobile security solutions, suggests defining very selective encryption policies for smartphones and SD cards. "Customers often encrypt calendar/contact files but leave the rest unencrypted, because users are very sensitive about anything that slows down their phone."
On thumb drives, minimizing user impact might mean letting workers edit files on home PCs while automatically deterring offsite threat exposure. When thumb drives are used to share files with third parties, policies might mandate encryption in a way that does not require recipients to install decryption programs. For policies to be effective, common use cases like these must be addressed, either by defining required practices or prohibiting unsafe activities.
DATA PROTECTION: SHOULD IT BE DEVICE DEPENDENT?
Vendors have different approaches to data protection on portable storage devices.
Patrick McGregor, CEO of BitArmor, argues that data protection should be device-independent. "We take a fundamentally different approach because, in the world of removable media, a device by device approach doesn't scale," he says. "We protect data from the moment it's created by applying a 'smart tag' that goes with the data when it's copied onto a USB drive or home computer. The idea is to make data self-defending."
BitArmor uses software to watch over data as it moves, enforcing access and encryption rules embedded in the tag. IT-managed PCs can run an installed Control Agent; third-party PCs can run a lightweight Control Sentry embedded with the data. As a result, protection is persistent when data is copied onto any kind of thumb drive a user might acquire or even Windows Mobile smartphones.
However, vendors such as IronKey advocate (inherently device-dependent) hardware encryption. "We design our own chips, encased in a solid metal device that's tamper evident/resistant, using hardware-generated crypto keys that never leave the device and true random numbers," says John Jefferies, vice president of marketing at IronKey. Hardware encryption can better defend against brute force and cold boot attacks, while being less dependent on host/OS integrity.
But data protection depends not just upon robust encryption, but also attack-resistant authentication and key storage. For example, Windows password prompt software used by Kingston, Verbatim, and Sandisk made headlines when researchers found they could capture and replay unlock sequences exchanged between a PC and those thumb drives.
Smartphones can face similar issues. For example, some versions of the iPhone are vulnerable to native PIN-code and encryption bypass attacks. To prevent corporate data access by compromised smartphones, products such as Trust Digital now check device integrity before allowing each email sync.
In short, device choice directly impacts IT's ability to protect any data stored there. Organizations with low risk tolerance may ban business data on consumer-grade thumb drives or smartphones. Others may adopt hybrid policies that permit limited data storage on riskier devices, but require corporate-standard devices for more sensitive data.
MANAGING PORTABLE STORAGE
To implement policies that protect business data, portable storage devices must be inventoried, configured, and monitored--no matter who owns them.
IT-issued smartphones were traditionally managed using OS-specific platforms like BlackBerry Enterprise Server. But the iPhone's popularity fostered growth in unified consoles that manage heterogeneous smartphones. Platforms from Credant, Good, GuardianEdge, Sybase, and Trust Digital can now be used to provision and enforce data protection policies on Windows Mobile, Symbian, iPhone, and (sometimes) Palm. Although encryption capabilities differ for each mobile OS, unified consoles can still provide a single point of control and reporting -- for example, to quickly issue a remote data wipe command on any lost smartphone.
Centralized management also plays a critical role in protecting thumb drives. Some solutions are drive-centric--for example, IronKey, Kanguru, and Sandisk offer consoles to remotely provision, monitor, and enforce data protection on their own thumb drives. Alternatively, vendors such as BitArmor, CheckPoint, PGP, Sophos, and Symantec sell consoles that deliver unified management across their thumb drive, laptop/desktop, and (sometimes) CD/DVD encryption products. Here again, a unified console can streamline tasks that span multiple devices, like revoking all of a given user's data access.
Consoles that manage both smartphone and thumb drive security are not yet common, although Credant and GuardianEdge already offer them. This could become a growing trend as enterprises cut device-level management costs by refocusing on their most valuable asset: data.
CONTROLLING DATA MOVEMENT
Of course, another way to reduce loss or theft risk is to restrict the data copied onto portable storage devices in the first place. For this reason, many companies pair portable data encryption with port blocking.
For example, Sophos SafeGuard PortProtector and SafeGuard RemovableMedia can be combined to secure data copied over interfaces such as USB, FireWire, Bluetooth, and Wi-Fi onto CDs, DVDs, and thumb drives. "First, PortProtector allows, blocks, or restricts portable media plugged into computers inside your network -- for example, denying iPods or allowing only devices of a particular type or under a specified size limit," says Nagraj Seshadri, product manager. "Then we encrypt data on the media itself, using key rings to easily share data with coworkers, partners, and customers while preventing [unauthorized] persons from reading it."
Port blocking can also be used to restrict the files copied from a desktop onto a phone or its removable SD card via USB or Bluetooth. However, data synchronized over-the-air to smartphones is usually controlled by a separate system, such as a mobile device manager. This could result in data leaks if policies are not coordinated -- for example, a user who can't copy a spreadsheet onto his phone via USB might try to get it there as an email attachment instead.
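The coordination problem described above can be checked mechanically. The following is an added example, not code from the article or from any vendor named in it: it compares a port-control policy with a separately managed over-the-air policy and reports file types that one system restricts but the other lets through with weaker protection. The policy names, channels, rules and defaults are constructed for illustration.

```python
from dataclasses import dataclass, field
from itertools import permutations

# Ordering of actions from weakest to strongest protection.
STRICTNESS = {"allow": 0, "encrypt": 1, "block": 2}

@dataclass
class Policy:
    name: str
    channels: tuple          # transfer paths this system controls
    default: str             # action when no rule matches
    rules: dict = field(default_factory=dict)  # (channel, file_type) -> action

    def decide(self, channel, file_type):
        # Exact rule first, then a per-channel wildcard, then the default.
        for key in ((channel, file_type), (channel, "*")):
            if key in self.rules:
                return self.rules[key]
        return self.default

def find_undercuts(policies, file_types):
    """Report every channel in one system that is weaker than the weakest
    action the other system applies to the same file type."""
    findings = []
    for strict, other in permutations(policies, 2):
        for ft in file_types:
            floor = min((strict.decide(c, ft) for c in strict.channels),
                        key=STRICTNESS.get)
            for c in other.channels:
                action = other.decide(c, ft)
                if STRICTNESS[action] < STRICTNESS[floor]:
                    findings.append((ft, strict.name, floor, other.name, c, action))
    return findings

# Constructed sample policies (hypothetical, for illustration only).
PORT_CONTROL = Policy(
    "port_control", ("usb", "bluetooth"), "block",
    {("usb", "pptx"): "encrypt", ("usb", "xlsx"): "block", ("bluetooth", "*"): "block"},
)
MDM = Policy(
    "mdm", ("email_sync",), "allow",
    {("email_sync", "pptx"): "encrypt", ("email_sync", "docx"): "block"},
)

if __name__ == "__main__":
    for finding in find_undercuts([PORT_CONTROL, MDM], ["pptx", "xlsx", "docx"]):
        print("%s: %s enforces '%s' but %s/%s permits '%s'" % finding)
```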
Eventually, analysts expect portable data encryption to be paired with full-blown data leak prevention to enable content-aware filtering and encryption. Vendors that have already taken steps in this direction include Symantec and Trustwave (BitArmor and Vericept).
Finally, portable storage devices may contain malware that could be copied into the enterprise. "When Conficker spread [as an auto-run Trojan carried on thumb drives], it was no surprise to those of us who remember floppy malware propagation," says Jefferies. To mitigate malware threats, consider read-only usage modes, drive-resident anti-malware programs, and auto-run disablement.
PROTECTING DATA AT REST
Ultimately, data copied onto portable devices can be encrypted to deter unauthorized access, from pod slurping on unattended drives to hacking lost or stolen smartphones. Among portable data protection products, AES support is now common, and many enterprise-class implementations are FIPS 140-2 certified.
This might seem straightforward, but the devil is in the details. Questions to consider when encrypting smartphone, memory card, and thumb drive data include:
- Which files should be encrypted?
- Which keys should be used to encrypt them? and
- How are those keys created, stored, accessed and revoked?
For example, an encryption product may assign a different key pair to each user and group in the corporate directory. Whenever data is written to any thumb drive, policy determines whether encryption is required, and if so, which user(s) and group(s) should have access. As data is copied, it gets encrypted with a key that only allows decryption by the intended recipients. This makes it possible to share encrypted data with co-workers based on group affiliation. Users logged in with directory credentials won't need to enter extra passwords. If a user moves from one group to another or leaves the company, directory updates will cause data access rights to change automatically.
But what if a user wants to share encrypted files with someone not enrolled in the directory or edit encrypted files on a home PC? For sharing data outside the organization, users can often be given permission to apply an additional encryption password that they can give to recipients out of band. The password can be used to open the document off site, where it can be edited in place, using only the encryption environment carried by the drive. If and when that drive returns to the office, those files can still be accessed in the usual onsite transparent fashion. Some products can also create self-decrypting archives for files that need only be protected in transit--for example, when mailing a CD or DVD to a trusted third party.
Smartphone data sharing may be less likely, but can still present performance and portability challenges. "We can encrypt data on the device itself and on memory cards. On the device, administrators can define secure folders or choose to encrypt PIM [application] files," says Nguyen. "On cards, in addition to secure folders, users can define a special key to share a folder with another user or device." But, unlike a thumb drive, that memory card can only be decrypted on another device running the same encryption solution--for example, when moving files to a replacement smartphone.
Another approach, applicable to thumb drives but gaining popularity on employee-liable smartphones, is the encrypted sandbox. As Jordan explains, "In terms of encrypting the entire device, Apple hasn't given vendors the ability to really protect everything. Afaria can do things such as enforce stronger passwords or configure VPNs, but it cannot replace Apple's hardware encryption." For customers who find a phone's native protection insufficient, "We can also create a secure sandbox with our Office Mobile product, taking your email, password-protecting it, and encrypting it to keep that data safe in our little corner of the device." In fact, many customers use both approaches.
REPORTING PROTECTION STATUS
Finally, a critical component of any enterprise's data protection strategy is the ability to track status. "It's more than being worried about security. To be compliant, you need to be able to report on protection status, data status, policy status, and device status."
Centralized consoles serve as the conduit for making real-time status inquiries and generating historical reports, but the challenge can be gathering status and issuing commands to offsite devices--especially oft-disconnected thumb drives.
Some thumb drives carry agents that run upon insertion. For example, Nate Cote, VP of product management at Kanguru, says, "Our drives call back [to our server] over an encrypted tunnel, saying 'Here's my ID. Am I still approved for use?' If so, the boot sequence continues with setting or program updates and information needed for reporting purposes."
Like Kanguru, Sandisk's agent can remotely kill lost devices or audit them for compliance purposes. But Sandisk also gathers information for recovery purposes.
"We maintain an audit log of all files copied/from the drive, so that IT can reproduce that drive. We can also set a return-to-base time after which users must log into the domain to backup logs and data," says Dror Todress, head of marketing.
But of course, thumb drives (and to a lesser extent smartphones) may be used in venues without Internet access. "If you're on an airplane, our [Sophos] agent will use previously stored policies," says Seshadri. "The next time you log in, the agent updates itself. If an agent hasn't contacted a management center for a while, it gets locked out--not by wiping the device but by disabling the user's keys." To defend against offline password-guessing, Sophos applies an exponential delay after each attempt, with lock out after x-number of tries.
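The offline behavior described above (exponential delay per failed attempt, lockout after a fixed number of tries, and key disablement when an agent has not checked in) can be modeled as a small state machine. This is an added example, not Sophos code or code from the article: the class and function names are hypothetical, and the delay, attempt limit, check-in window and KDF settings are assumed values.

```python
import hashlib
import hmac
from dataclasses import dataclass

def derive(password: str, salt: bytes) -> bytes:
    # Slow KDF so each offline guess is costly; iteration count is an assumption.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

@dataclass
class OfflineUnlockGuard:
    salt: bytes
    verifier: bytes                  # derive(password, salt), stored at provisioning
    last_checkin: float              # time of last contact with the management center
    base_delay: float = 1.0          # assumed: seconds of delay after the first failure
    max_attempts: int = 10           # assumed stand-in for "x-number of tries"
    max_offline: float = 30 * 86400  # assumed: allowed seconds without a check-in
    failures: int = 0
    next_allowed: float = 0.0
    keys_enabled: bool = True

    def try_unlock(self, password: str, now: float) -> str:
        if self.keys_enabled and now - self.last_checkin > self.max_offline:
            self.keys_enabled = False            # stale agent: disable keys, keep data
        if not self.keys_enabled:
            return "locked"
        if now < self.next_allowed:
            return "wait"                        # guess is not evaluated at all
        if hmac.compare_digest(derive(password, self.salt), self.verifier):
            self.failures, self.next_allowed = 0, 0.0
            return "unlocked"
        self.failures += 1
        if self.failures >= self.max_attempts:
            self.keys_enabled = False
            return "locked"
        # Delay doubles with every consecutive failure: 1s, 2s, 4s, ...
        self.next_allowed = now + self.base_delay * 2 ** (self.failures - 1)
        return "denied"

    def checkin(self, now: float, approved: bool) -> None:
        # Management center contact re-enables keys, or keeps them disabled (remote kill).
        self.last_checkin = now
        self.keys_enabled = approved
        if approved:
            self.failures, self.next_allowed = 0, 0.0

def min_seconds_to_lockout(guard: OfflineUnlockGuard) -> float:
    # Total enforced waiting before the final permitted guess.
    return sum(guard.base_delay * 2 ** k for k in range(guard.max_attempts - 1))

if __name__ == "__main__":
    salt = b"constructed-salt"
    g = OfflineUnlockGuard(salt, derive("correct horse", salt), last_checkin=0.0)
    print(g.try_unlock("guess", 10.0), g.try_unlock("correct horse", 10.5))
    print(min_seconds_to_lockout(g))
```

The counters and timestamps only protect data if they are stored where someone holding the raw media cannot reset them, which is one reason attack-resistant key storage matters as much as the cipher.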
BitArmor uses its SmartTag agent to track data access at the file system level. "We log when a file moves to a drive, all file opens/closes/deletes, when that drive last called in," says McGregor. Those events can be reported to BitArmor's console or sent to a SYSLOG server for use with third-party report generators.
But not all products track data movement. For example, "PGP Portable can report when and where certain devices were formatted to be encrypted, so that if a stick is lost, you have proof it was encrypted," says Matthews. "But we encrypt the whole container, no matter what's inside, so we don't track what files/folders are on the media."
Portable data protection auditing and reporting approaches vary, but centralized control and visibility are key differentiators between stand-alone device encryption and solutions that can meet enterprise needs.
Another important consideration is TCO: how well does a given vendor's approach dovetail with a customer's infrastructure and operations? Many vendors have started to focus on this part of the equation, giving large customers better/broader systems integration while offering small businesses a pay-as-you-go "cloud management" option. Attributes like these will only become more important as portable data storage devices continue to proliferate, and privacy laws make it harder to ignore them.
Lisa Phifer is president of Core Competence, a consulting firm focused on business use of emerging network and security technologies. Send comments on this article to email@example.com.
This was first published in March 2010