The proliferation of USB devices has been a boon for enterprise and consumer users alike, as synchronizing files onto handy thumb drives has become an easy way to synchronize, transport and backup data.
According to the Santa Clara Consulting Group, nearly 190 million thumb drives were shipped in 2009 alone (.pdf), averaging 8 GB apiece. Alas, these tiny tools have an alarming tendency to slip from pockets and purses, placing their stored data at risk. Here, we discuss how portable thumb drive encryption can help and what to look for in business-grade thumb drive encryption.
Thumb drive encryption: Pocket-sized protection
When a stolen, lost or borrowed drive falls into the wrong hands, encryption prevents any files stored there from being browsed, copied or opened without a key.
Full-disk encryption used on desktop or laptop drives employs local code to scramble and unscramble data. But thumb drives move files from one host to another, taking work home, carrying slides to a show, collaborating with colleagues. As such, USB drives benefit from a self-contained approach to portable data encryption: a drive that carries both an encrypted data container and a portable program that can mount/dismount and read/write that data.
Meeting business requirements
Free programs like BitLockerToGo, TrueCrypt (Traveler Disk Mode) and CryptArchiver Lite make it easy for individuals to protect their own thumb drives. Businesses can also mandate if and how these free encryption programs are used. For example, businesses can use BitLockerToGo policies to stop files from being copied to unencrypted drives and set password minimums to unlock encrypted drives.
However, businesses should consider commercial programs to meet the needs of large workforces that carry sensitive data on thumb drives. Enterprise removable media security products that can encrypt any thumb drive are available from BitArmor Systems Inc., Check Point Software Technologies Ltd., Credant Technologies, GuardianEdge Technologies Inc, McAfee Inc., PGP Corp., Sophos Plc., Symantec Corp. and others. Encrypted thumb drives for business are sold by storage vendors like Corsair, IronKey, Kanguru Solutions, Kingston Technology Corp., SanDisk Corp. and Verbatim Americas LLC.
Price, performance and features associated with business-grade products vary widely. Here are a dozen questions to ask when shopping for portable thumb drive encryption:
- Physical security: Do you need rugged, metal encased, tamperproof drives? Do corporate policy or standards requirements mandate components of a specified national origin or assembly?
- Encryption: Does the product use hardware or software encryption? What ciphers and key lengths are offered? Do the drives or programs need to be FIPS 140-2 and Common Criteria EAL certified?
- Keys: How are the crypto keys generated, stored, revoked and recovered? Can keys be stored in a hardware vault? If keys are sent over USB, are they protected from sniffing and replay attacks? Does revocation work for offline drives?
- Authentication: Can the container be unlocked by PIN, password, smart card, two-factor, pre-boot and/or domain SSO methods? What policy minimums can be enforced? How are brute-force cracking and keystroke logger attacks deterred (e.g., remote data wipe, auto data fading, virtual keyboards)?
- Scope: Does encryption apply to all files on the drive or only secure folders? Do your users need to selectively share encrypted folders or files with authorized users or groups?
- Usage: Do users need to extend read-only access to third parties? Do they need read-write access in a self-contained secure environment? Are you comfortable permitting offline (unsupervised) access, and for how long?
- Integrity: Can the drive deliver on-board (portable, host-independent) protection against malware infection and propagation?
- Portability: Which operating and file systems are supported for encrypted drive initialization, file creation/deletion, data reading/writing and utility execution?
- Initialization: Are tools available to speed and simplify thumb drive detection, activation and provisioning? Do you need to permit or deny drive activation based on type, make, model, serial number, user/group or any other policy-defined criteria?
- Management: Does the product provide for centralized IT audit and/or update for drive-resident encryption policies, crypto keys and firmware/software?
- Reporting: Can the product send drive/policy/data status to a central server for compliance or other reporting purposes? Is encryption status enough, or do corporate policies or regulations require tracking and reporting on file/folder activity (e.g., copies, reads/writes, deletes)?
- Integration: How does any given thumb drive encryption product fit with related infrastructure (e.g., user directories) and other security products (e.g., port controls, desktop disk encryption) used at your company?
Business needs vary. For example, Active Directory authentication is critical for some, irrelevant for others. However, questions like these can help any company get a handle on portable thumb drive encryption products, including the kinds of differences that exist between those suited for personal, SMB and enterprise use.
About the author:
Lisa Phifer is president of Core Competence, a consulting firm focused on business use of emerging network and security technologies.