Making USB thumb drives secure enough for government work

The security risks associated with the use of removable storage devices -- especially USB thumb drives -- keep government IT managers up at night. Get tips on mitigating these risks.

The security risks associated with the use of removable storage devices—especially USB thumb drives—keep government IT managers up at night. The Department of Defense (DoD) had actually banished flash drives and other removable storage devices in November 2008 when it was discovered that the source of a virus spreading through military networks was a USB thumb drive. Last February, DoD lifted its two-year-old ban on flash drives and other removable storage media, but imposed the most draconian restrictions on their use.

Under the department's new rules, only authorized personnel can use portable storage media, and the drives must be government-procured and owned and can only be deployed in mission-critical operations. In addition, users and devices are subject to random audits.

When encrypting the data on a drive, you should also encrypt the file name, you could learn a lot about what a file contains simply by the name you give it.
Joseph BelsantiVice President of MarketingWinMagic Inc.

Despite the formidable security risks, USB thumb drives and other removable storage have the undeniable utility of being small, portable and inexpensive. Navy Department chief information officer Robert Carey, head of a DoD "Tiger Team" charged with setting removable-media policy, has acknowledged that USB thumb drives are extremely useful for data transfers between computers, including operating system patches and antivirus updates, especially in constrained areas, such as on the battlefield or aboard ships.

But the USB thumb drive problem extends well beyond DoD. These flash drives "have become ubiquitous," said Karen Scarfone, a computer scientist in the National Institute of Standards and Technology's computer security division. "I think users tend to think of them as harmless. They don't understand the security risks of using those devices."

USB thumb drive encryption not enough

In the last two years, industry has stepped up to improve the security of flash-drive use, said Scarfone, co-author of NIST's Guide to Storage Encryption Technologies for End User Devices (.pdf) (Special Publication 800-111), which addresses removable-media security issues.

For example, a range of vendors now offer software that provides centrally administered and policy-driven control over access to removable storage media and encryption of the data they contain.

"Any sort of managed solution is going to be preferable in terms of security," she said, adding that fully encrypting the data on the drive is an important step but it has be coupled with an authentication mechanism that restricts access to the data. "If you don't require authentication, the encryption doesn't do any good," she said.

When encrypting the data on a drive, you should also encrypt the file name, said Joseph Belsanti, vice president of marketing for WinMagic Inc., a firm that works with Defense Department agencies on data security. "You could learn a lot about what a file contains simply by the name you give it," he said.

Current best practices for protecting data on portable storage devices embrace full disk encryption plus a key management system, Belsanti said. In addition, "you want to have a central methodology of installing, configuring, deploying and managing these encryption agents," he said. When keys are managed by a server and then synchronized with Active Directory, only authorized users can use portable devices to share data, he said.

The latest software also will let managers "white list" USB flash drives by brand, model and serial number so that only those devices will work on authorized machines, Belsanti said.

Next: How NIST, the government's lead agency on technology and security, ensures data security on portable storage devices used by its own personnel.

About the author:
Richard W. Walker is a freelance writer based in the Washington, D.C., area who has been covering issues and trends in government technology for more than 10 years.

Dig Deeper on Government information security management