Removable Media Best Practices


WHITE PAPER PART TWO
Business-aligned Security Strategies and Advice

Introduction

In part one of this two-part white paper, we looked at the reasons that removable media has posed such a threat to data security, and why many organizations have struggled to enforce controls as sensitive data moves to such devices as USB flash drives. We also looked at the foundations of how to start building a policy on removable media, and how to communicate and train end-users on the importance of security for these devices. In this second part, we will look at what kinds of controls should be implemented, and how an ideal removable media encryption solution should function.

CREDANT Technologies, Inc. All rights reserved. PAGE 2 of 9 For more information contact

Implement controls

Once policies regarding removable media security have been established and communicated, it is possible to begin implementing the controls necessary to enforce those policies and monitor the progress of the initiative. The controls put in place to manage devices will need to reflect both the organizational policy as well as the types of users and data to be managed. Such controls will necessarily vary in the degree of restriction placed on removable media and how they are used, ranging from complete lock-down of USB storage devices to allowing the end user to determine what, if anything, needs to be encrypted.

Complete lock-down

Controls may be put in place to prevent any use of USB storage devices at all. This highly restrictive approach has a number of security benefits, but will also have a potentially significant impact on end users and business processes. Without the ability to use any USB storage devices on the endpoint, the likelihood of a data breach or infection by USB-malware is significantly reduced. However, end-users who are accustomed to using company-issued USB storage devices, or their own, will be required to re-evaluate processes and procedures, and without early business unit buy-in and education, this policy is almost certain to produce significant user resistance. As such, it should only be adopted in areas where the risk of very sensitive information being breached is high, or where special circumstances apply (such as a shared system in a public area acting as a kiosk, for example).

Allow only pre-approved encrypted USB devices

A number of commercially available, self-encrypting USB storage devices already exist and are available on the market. These products aim to provide the convenience of a USB drive with enforced encryption, which resides on the device itself. This approach certainly has some merits and may be appropriate for certain users who habitually need to handle and transfer sensitive data.
However, for the broader user community such an approach is likely to be cost-prohibitive. Furthermore, with either set of users, the use of non-approved devices must still be managed. That is, the risk that a user still uses a non-encrypted device for convenience and as such exposes data should be considered and accounted for. As a result, although pre-encrypted USB devices represent a good second-line defense against a breach, they do not address the fundamental management challenge and cannot be relied upon by themselves.

Allow some usage but enforce encryption

A more secure approach is to allow users to utilize their own USB devices, and to enforce encryption on them. This approach enables users to continue to use USB devices that they own, but reduces the risk of a breach by ensuring that any data on them is encrypted. There are a number of considerations that must be taken into account, however, when deciding on how to implement this approach. Specifically, these revolve around usage of USB storage devices on non-organization PCs (for example, when the user takes the drive home with them) and what types of data to enforce encryption on. These are addressed below:

Use of the device outside the corporate network

Portable storage devices, especially those owned by employees, will often be used outside of the corporate network. While this may be entirely sensible for many users, it may be that for some, any drive that has been used within the network (and which therefore may contain highly sensitive information) should never be used externally. This reduces the risk of an employee copying sensitive information onto a flash drive, for example, and then subsequently moving that information off the drive onto an unencrypted, unprotected system elsewhere. If this type of control is to be put in place, it is important to adequately educate users as to the implications of using a flash drive within the organizational network, as information on it will not be accessible elsewhere after that point.

The alternative is to allow users to copy information onto a USB device, during which the information is encrypted, and then allow the user to choose whether to subsequently move that information onto a non-protected system in the future. This approach, while providing the least impact to users, must be evaluated in the light of your organization's risk appetite, policy, the group of users in question, and the type of information that they are likely to be accessing.

Encryption of non-corporate data

Removable media storage devices belonging to users, which are likely to represent a significant portion if not the majority of the devices within your network, are also likely to hold information which is either not sensitive or may belong to the user themselves. As such, you may wish to put in place controls that will encrypt only new information added to the device. For example, a user who wishes to move a file from one system to another may insert a flash drive that also contains personal photographs, music files, etc. Forcing encryption of these files is unlikely to be necessary. Therefore, you may wish to allow users to retain personal, unencrypted information, and only require new information, copied from their corporate system, to be encrypted.

Who encryption applies to

If any of the above encryption controls are put in place, you must also decide which users the controls apply to. For example, you may wish to enforce a device encryption policy across the entire enterprise, or you may wish to only force encryption for certain types of users and/or data.
Another alternative is that you may want some users to be allowed to choose for themselves. For example, you may wish to simply remind a user who inserts a flash drive into a system that this represents a risk of breach, and offer them the option to encrypt the information at that point. Clearly in this case, user education is essential, especially if end users are being allowed to decide whether they want to encrypt potentially sensitive information. Also, should you adopt this approach, it is highly recommended that you are able to provide audit logs of the users' decisions, should they become necessary for later forensic purposes. Such logs may also be useful in identifying potentially risky behavior, or even activities associated with an insider attack. In this case, integration with broader security processes and monitoring is recommended.

It is also likely that you will have exceptions to any controls that you put in place. It may be that some users or administrators will have legitimate reasons to not want to encrypt information on a flash drive, or to use a flash drive in areas where other users would not be permitted. Generally, such exceptions should be role-based and administered in a consistent and well-documented manner, ideally using an authoritative identity source such as Microsoft Active Directory.

Monitoring and Reporting

While protecting information on removable media is important, it is equally important to be able to prove that the information is protected, especially if a breach occurs. As such, one of the important considerations to address is to what degree removable media encryption reporting and auditing will be rolled up into broader, enterprise encryption reporting.
If you have elected to allow some users to decide for themselves whether to encrypt data on their removable media devices, then it is strongly recommended that sufficient reporting be put in place to capture when and if a user elects not to encrypt information.

While this will not usually be a cause for concern, in the event of a breach, or if that user comes under suspicion of some form of insider attack, the ability to quickly determine if they have been routinely copying information to non-encrypted sources could be important. Furthermore, as a user is deprovisioned from the organization, knowing what, if any, non-encrypted information they may possess is very important to ensuring safe information management.

What to look for in a solution

Having discussed the concerns regarding removable media security and some of the types of technical controls and policies that can be put in place, it is worth reviewing what capabilities and features should be present in an ideal removable media encryption management solution in order to provide both the greatest degree of flexibility to integrate with existing security and operational processes and maximum security to prevent a breach. In this section, the capabilities discussed will be:

- Encryption strength
- Key management
- Key recovery
- Ease of use
- Ease of deployment
- Reliability
- Portability
- Device awareness
- Integration
- Remote Key Deletion
- Reporting and Auditing

Each of these areas of capabilities is important and should be used in order to evaluate the suitability of a proposed solution. However, the relative importance of each of these areas will vary depending on your organizational structure, type of data to be secured, business expectations and needs, and regulatory pressures.

Encryption Strength

The capability to encrypt, and therefore protect, information on removable media is core to the operation of any encryption management solution. However, variations in encryption strength are unlikely to differ significantly between solutions. As a basic requirement, expect to see industry standard encryption algorithms such as AES (128 and 256), 3DES, or Rijndael (128 and 256).
One consideration for US Federal Government agencies, or organizations that work with them, is to check for FIPS validation of the algorithm implementation. As the primary concern for removable media is that the device will be lost while containing sensitive information, the ability to perform remote key destruction (see later) may be more important than the specifics of the encryption solution as this will close the main vulnerability of most solutions.

Key management

Key management is ultimately the primary problem for all encryption programs. Keys must be readily available when needed by the legitimate data owner, but protected from illegal access. They must be securely stored, yet easily retrievable. Furthermore, in the event that the end user forgets their key, simple recovery of the data is a must. The ideal solution will enforce the appropriate key strength and provide centralized storage (escrow) of the keys. This will allow the end user to select his own key, but to have a copy of the key stored centrally. This central store has a number of benefits:

- It ensures that a copy of the key is available if the user forgets it.
- It enables administrators to access the information if the user leaves the organization.
- The process of centrally storing the key ensures that an audit record is kept of the fact that the device has been encrypted.
- It relieves the user of having to enter the key every time the device is used within the corporate network.

If the key is centrally stored, the encryption management solution should be able to retrieve it automatically as soon as the device is attached to a computer. It will authenticate the user based on their network credentials, and then provide seamless access to the information while maintaining full security. Such seamless access goes a long way to alleviating some of the challenges to encryption projects discussed in part one of this white paper series.

Key Recovery

As previously mentioned, one of the advantages of centrally storing the encryption key is that it allows for simpler key recovery in the event that a user is off-site and has forgotten the key they assigned to that device. However, the ideal solution would also allow for a degree of key recovery to take place completely autonomously from the central help desk function. In this case, the user would be prompted with pre-selected questions that would enable a challenge-response key recovery. This provides the user with a significant degree of autonomy, it reassures the end user community that they can maintain access to their data in the event that they are remote and unable to remember their key, and it reduces the workload on the central helpdesk functions.

An optional, but potentially important, function is to enable a partial or complete lock-out of the device in the event that the user fails to access it a certain number of times.
In such a situation, a cool-down period should be enforced (to reduce the cost-effectiveness of brute force attacks) or, if a complete lock-out is desired, this is achieved by destroying the local key on-device. If the key is destroyed, then the data should still be recoverable if accessed within the organizational network (see the section on central key management).

In some circumstances, it may become important to determine who the owner of the device is in order to recover the information, for example, when a device is found but the owner does not know it has been lost. In such a case key recovery is again facilitated by the use of the centrally managed key escrow services of a solution.

In the event that a user still needs help accessing a removable device, the help desk team should be able to issue a one-time key that provides access to that device for one instance, to allow a password reset. This enables the end user to access information, while maintaining appropriate security (as the help desk staff cannot use that temporary access key at a later date).

Easy to use

While the primary objective of any encryption project is to protect data, a secondary objective should be to minimize the impact on end-user operations wherever possible. As such, any removable media encryption product should be easy for end users to use. Primarily it should:

- Minimize their need for interaction with the encryption solution
- Wherever possible rely on central key stores to decrypt data
- Enable users (where appropriate) to maintain non-encrypted information on the removable media if allowed (such as music files, personal information, etc.)
- Provide simple key recovery that the user can initiate themselves
- Provide fast encryption of data on the device
- Protect the user from accidentally corrupting information if they remove the device during encryption
- As much as possible, operate completely transparently

Reducing end-user impact will go a long way to eliminating some of the problems that encryption programs have faced in the past, as discussed in the first part of this white paper series.

Easy to manage and deploy

While reducing the impact to end users is important, reducing and streamlining the workload for deploying and managing the removable media encryption solution is also an important consideration, especially when administrator time is at a premium. Ideally, the removable media encryption should operate seamlessly within the broader framework of encryption management across the enterprise, including full disk encryption, mobile device encryption, OS-level encryption and so on. As discussed, central management of keys and user-enabled key recovery will reduce much of the typical day-to-day burden on administrators and help-desk staff. Likewise, robust and recoverable encryption processes that do not cause problems if interrupted by the user are also important to eliminate unnecessary calls to the support desk. Central, simple deployment of policies and software will also reduce the workload of enforcing data protection policies, as will centralized reporting and auditing (as discussed later in this section).
Reliable for end users when encrypting their devices

As end-users begin the encryption process for information on removable media, it is essential that the solution in place is sufficiently reliable in that it will:

- Ensure the enforcement of policies for removable media use, even if not connected to the corporate network
- Provide rapid and reliable encryption of data that is to be protected
- Be sufficiently resilient in the event that a user removes the device during the encryption process

The last point is especially important. Users may decide to postpone encryption and simply pull the device out of the endpoint. If the encryption solution is not sufficiently robust and able to recover, this can result in the device becoming unreadable and all information on it will be lost.

Portability

Making information easy to transfer is the reason that users employ removable media. As such, it is necessary to provide an encryption solution that will enable access to the information in a variety of circumstances (depending on your organizational policy; see part one of this white paper series for a discussion on policy choices). Ideally the solution should support:

- Usage within the corporate network: normal use of the device within the perimeter
- Usage external to the corporate network: use outside of the network perimeter, on non-protected systems such as home computers
- Blocking of access that is external to the corporate network: the option to prevent access to a device on a non-protected endpoint, to reduce the risk of information loss on a third-party system

Flexibility to enforce some or all of these options is highly desirable. As discussed earlier, different groups of users may require different access policies and it is likely that you will need to enforce some of the above within different organizational groups to meet your goals.

While portability of the data is important, another consideration is portability of the device itself. Many users will rely on dedicated USB flash drives; however, others may need to use such things as SD or XD cards. The encryption solution should be able to encrypt only the necessary information on the card without changing the fundamental operation of the storage device (which may render it unusable as a camera card, etc.). Finally, cross-platform support may be desirable, supporting the need to take encrypted information from a Windows PC and move it to a Mac OS/X system seamlessly.

Device aware

Having an encryption solution that is device-aware is important in preventing accidental damage to mobile devices, which may appear as removable media. For example, some smartphones may connect through the USB interface and attempting to enforce encryption on them can result in damage to those systems that may be unrecoverable. The encryption management solution should be able to distinguish different types of device, and apply only those applicable policies to ensure minimum impact on the end-user.

Integrated with broader encryption solutions

Integration with the broader encryption management strategy has been mentioned a number of times already in this paper, but is worth discussing briefly here. By providing a centralized method for enforcing policy, managing encryption controls, and auditing and reporting, a single encryption management solution should be able to provide both a more complete view of organizational risk reduction and less workload in managing encryption. One central set of management tools provides the best way to ensure that no areas are left unmanaged, and therefore vulnerable, and that auditors and compliance officers have a greater degree of confidence that policy is being enforced wherever sensitive data resides.
This is especially important in the event of a breach covered under regulations such as the US HIPAA/HITECH acts, which mandate what can be expensive breach disclosure requirements if the breached organization is unable to prove that the information was encrypted.

Remote Key Deletion

In the event that an end user loses a storage device, it is certainly desirable to ensure that the device is not amenable to attack. A couple of options have already been discussed under the section on key recovery, namely to allow a limited number of tries to enter the key, after which either a cool-down period is enforced or the key is actually deleted entirely, rendering the information unreadable. While this latter option does provide better protection, it can also cause legitimate users to be unable to access their information. Ideally, the encryption management solution should allow for subsequent recovery even if the key is deleted. So if the device is recovered (or the user brings it in to the corporate environment), the information on it can be unencrypted using the escrowed, centrally-stored key.

Reporting and auditing

Reporting is an essential element of any security solution; the removable media encryption management solution should provide reporting capabilities sufficient to meet the requirements of your compliance officers and auditors. Such reporting should be able to provide at-a-glance information on devices encrypted and user activity (such as electing to not encrypt certain devices, if that is permissible). Furthermore, this reporting should be included in the broader encryption management reporting, in order to present auditors and senior stakeholders with as comprehensive a view as possible of organization-wide risk with respect to critical data.

Conclusion

With the ever-expanding mobility of the enterprise, data threats are introduced anywhere from the home office to the cyber café, causing exposure of highly sensitive corporate data. The demand for a highly mobile workplace is only going to increase, so implementation of removable media encryption is a must. As your corporation becomes more and more mobile, implementing removable media encryption, and following best practices in doing so, is becoming imperative in keeping your enterprise clear of potential data breach.

For more information on how CREDANT Technologies can help you formulate and enforce policies to protect information on removable media, please visit our website at

CREDANT Technologies Dallas Parkway, Suite 1420, Addison, Texas USA
UK & EMEA, 88 Kingsway, London, WC2B 6AA, United Kingdom
US: 866-CREDANT ( ) or UK: phone +44 (0) fax +44 (0)
For more information: info@credant.com

2010 CREDANT Technologies, Inc. All rights reserved. CREDANT Technologies, CREDANT, We Protect What Matters, Intelligent Encryption, and the CREDANT logo are, or will be, registered trademarks of CREDANT Technologies, Inc. All other trademarks, service marks, and/or product names are the property of their respective owners. Product information is subject to change without notice.
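
The lock-out behaviour described under Key Recovery and Remote Key Deletion above (a cool-down after repeated failed attempts, destruction of the on-device key, and recovery from the central escrow only inside the corporate network) can be modelled as follows. This is an added example, not CREDANT's code: the thresholds, class and function names are assumptions, and the XOR-plus-HMAC key wrap is a simplified stand-in for a real key-wrap algorithm.

```python
import hashlib
import hmac
import secrets

# Constructed policy values for this example (not taken from the white paper).
ITERATIONS = 100_000     # PBKDF2 work factor
COOLDOWN_AFTER = 3       # failed attempts that trigger a cool-down
COOLDOWN_SECONDS = 300   # length of each cool-down
DESTROY_AFTER = 6        # failed attempts that destroy the on-device key


def _derive(password, salt):  # -> (32-byte pad, 32-byte MAC key)
    out = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS, dklen=64)
    return out[:32], out[32:]


def wrap_key(dek, password):
    """Protect the data-encryption key (DEK) under the password. Simplified
    stand-in for a real key wrap such as AES-KW: XOR pad plus HMAC-SHA256 tag."""
    salt = secrets.token_bytes(16)
    pad, mac_key = _derive(password, salt)
    wrapped = bytes(a ^ b for a, b in zip(dek, pad))
    tag = hmac.new(mac_key, wrapped, hashlib.sha256).digest()
    return {"salt": salt, "wrapped": wrapped, "tag": tag}


def unwrap_key(slot, password):
    """Return the DEK, or None when the password does not match."""
    pad, mac_key = _derive(password, slot["salt"])
    expected = hmac.new(mac_key, slot["wrapped"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, slot["tag"]):
        return None
    return bytes(a ^ b for a, b in zip(slot["wrapped"], pad))


class KeyEscrow:
    """Central key store, usable only from inside the organizational network."""
    def __init__(self):
        self._keys = {}       # device_id -> (owner, DEK)
        self.audit_log = []   # (event, device_id, user)

    def deposit(self, device_id, owner, dek):
        self._keys[device_id] = (owner, dek)
        self.audit_log.append(("escrowed", device_id, owner))

    def recover(self, device_id, user, on_corporate_network):
        owner, dek = self._keys.get(device_id, (None, None))
        # Assumption: `user` is an identity already authenticated by the network.
        allowed = on_corporate_network and user == owner
        event = "recovered" if allowed else "recovery_denied"
        self.audit_log.append((event, device_id, user))
        return dek if allowed else None


class RemovableDevice:
    def __init__(self, device_id, owner, password, escrow):
        self.device_id = device_id
        dek = secrets.token_bytes(32)
        self.slot = wrap_key(dek, password)     # on-device copy of the key
        escrow.deposit(device_id, owner, dek)   # central copy
        self.failed, self.locked_until = 0, 0.0

    def unlock(self, password, now):
        """Try `password` at time `now` (seconds); return (status, DEK or None)."""
        if self.slot is None:
            return "key_destroyed", None
        if now < self.locked_until:
            return "cooling_down", None         # refused without testing the guess
        dek = unwrap_key(self.slot, password)
        if dek is not None:
            self.failed = 0
            return "ok", dek
        self.failed += 1
        if self.failed >= DESTROY_AFTER:
            self.slot = None                    # complete lock-out
            return "key_destroyed", None
        if self.failed % COOLDOWN_AFTER == 0:
            self.locked_until = now + COOLDOWN_SECONDS
        return "bad_password", None

    def restore_from_escrow(self, escrow, user, new_password, on_network):
        dek = escrow.recover(self.device_id, user, on_network)
        if dek is not None:
            self.slot = wrap_key(dek, new_password)  # new on-device key slot
            self.failed, self.locked_until = 0, 0.0
        return dek is not None


def demo():
    """Constructed scenario: a lost device is guessed at, then brought back in."""
    escrow = KeyEscrow()
    dev = RemovableDevice("USB-0001", "alice", "correct horse", escrow)
    original = dev.unlock("correct horse", now=0)[1]
    tries = [("guess1", 1), ("guess2", 2), ("guess3", 3), ("correct horse", 100),
             ("guess4", 400), ("guess5", 401), ("guess6", 402)]
    statuses = [dev.unlock(pw, now)[0] for pw, now in tries]
    off_site = dev.restore_from_escrow(escrow, "alice", "new passphrase", False)
    on_site = dev.restore_from_escrow(escrow, "alice", "new passphrase", True)
    same_key = dev.unlock("new passphrase", now=500) == ("ok", original)
    return statuses, off_site, on_site, same_key, escrow.audit_log
```

In the constructed scenario even the correct password is refused during the cool-down, and once the on-device key is destroyed the data key can only be restored from escrow by the owner on the corporate network, with each escrow action leaving an audit record.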


More information

AD Management Survey: Reveals Security as Key Challenge

AD Management Survey: Reveals Security as Key Challenge Contents How This Paper Is Organized... 1 Survey Respondent Demographics... 2 AD Management Survey: Reveals Security as Key Challenge White Paper August 2009 Survey Results and Observations... 3 Active

More information

IDENTITY & ACCESS. Privileged Identity Management. controlling access without compromising convenience

IDENTITY & ACCESS. Privileged Identity Management. controlling access without compromising convenience IDENTITY & ACCESS Privileged Identity Management controlling access without compromising convenience Introduction According to a recent Ponemon Institute study, mistakes made by people Privilege abuse

More information

GoldKey Software. User s Manual. Revision 7.12. WideBand Corporation www.goldkey.com. Copyright 2007-2014 WideBand Corporation. All Rights Reserved.

GoldKey Software. User s Manual. Revision 7.12. WideBand Corporation www.goldkey.com. Copyright 2007-2014 WideBand Corporation. All Rights Reserved. GoldKey Software User s Manual Revision 7.12 WideBand Corporation www.goldkey.com 1 Table of Contents GoldKey Installation and Quick Start... 5 Initial Personalization... 5 Creating a Primary Secure Drive...

More information

Comparing Cost of Ownership: Symantec Managed PKI Service vs. On- Premise Software

Comparing Cost of Ownership: Symantec Managed PKI Service vs. On- Premise Software WHITE PAPER: COMPARING TCO: SYMANTEC MANAGED PKI SERVICE........ VS..... ON-PREMISE........... SOFTWARE................. Comparing Cost of Ownership: Symantec Managed PKI Service vs. On- Premise Software

More information

ProtectV. Securing Sensitive Data in Virtual and Cloud Environments. Executive Summary

ProtectV. Securing Sensitive Data in Virtual and Cloud Environments. Executive Summary VISIBILITY DATA GOVERNANCE SYSTEM OS PARTITION UNIFIED MANAGEMENT CENTRAL AUDIT POINT ACCESS MONITORING ENCRYPTION STORAGE VOLUME POLICY ENFORCEMENT ProtectV SECURITY SNAPSHOT (backup) DATA PROTECTION

More information

IRONKEY CASE STUDIES. Healthcare Solutions

IRONKEY CASE STUDIES. Healthcare Solutions IRONKEY CASE STUDIES Healthcare Solutions HEALTHCARE Business Problem Healthcare providers, insurers and pharmaceutical companies, have a lengthening list of regulations and standards on protecting confidential

More information

Working Together Managing and Securing Enterprise Mobility WHITE PAPER. Larry Klimczyk Digital Defence P: 222.333.4444

Working Together Managing and Securing Enterprise Mobility WHITE PAPER. Larry Klimczyk Digital Defence P: 222.333.4444 Working Together Managing and Securing Enterprise Mobility WHITE PAPER Larry Klimczyk Digital Defence P: 222.333.4444 Contents Executive Summary... 3 Introduction... 4 Security Requirements... 5 Authentication...

More information

Innovative Secure Boot System (SBS) with a smartcard.

Innovative Secure Boot System (SBS) with a smartcard. Managed Security Services Desktop Security Services Secure Notebook Desktop Security Services. Secure Notebook. Today s business environment demands mobility, and the notebook computer has become an indispensable

More information

Best Practices for Protecting Laptop Data

Best Practices for Protecting Laptop Data Laptop Backup, Recovery, and Data Security: Protecting the Modern Mobile Workforce Today s fast-growing highly mobile workforce is placing new demands on IT. As data growth increases, and that data increasingly

More information

Protecting Data at Rest What to Consider When Selecting a Solution for Disk, Removable Media, and File Encryption

Protecting Data at Rest What to Consider When Selecting a Solution for Disk, Removable Media, and File Encryption Protecting Data at Rest What to Consider When Selecting a Solution for Disk, Removable Media, and File Encryption OVERVIEW Data is one of the most important assets within organizations, second perhaps

More information

Data Protection Act 1998. Guidance on the use of cloud computing

Data Protection Act 1998. Guidance on the use of cloud computing Data Protection Act 1998 Guidance on the use of cloud computing Contents Overview... 2 Introduction... 2 What is cloud computing?... 3 Definitions... 3 Deployment models... 4 Service models... 5 Layered

More information

RSA Solution Brief. RSA SecurID Authentication in Action: Securing Privileged User Access. RSA Solution Brief

RSA Solution Brief. RSA SecurID Authentication in Action: Securing Privileged User Access. RSA Solution Brief RSA SecurID Authentication in Action: Securing Privileged User Access RSA SecurID solutions not only protect enterprises against access by outsiders, but also secure resources from internal threats The

More information

Samsung Mobile Security

Samsung Mobile Security Samsung Mobile Security offering enhanced core capabilities for enterprise mobility Samsung Enterprise Mobility Enterprise-ready Mobility management for your business Samsung Mobile Security offers enterprise

More information

Protecting Data-at-Rest with SecureZIP for DLP

Protecting Data-at-Rest with SecureZIP for DLP Protecting Data-at-Rest with SecureZIP for DLP TABLE OF CONTENTS INTRODUCTION 3 PROTECTING DATA WITH DLP 3 FINDING INDIVIDUAL AND SHARED INFORMATION-AT-REST 4 METHODS FOR REMEDIATION 4 ENCRYPTING UNPROTECTED

More information

Do "standard tools" meet your needs when it comes to providing security for mobile PCs and data media?

Do standard tools meet your needs when it comes to providing security for mobile PCs and data media? Product Insight Do "standard tools" meet your needs when it comes to providing security for mobile PCs and data media? Author Version Document Information Utimaco Product Management Device Security 4.30.00

More information

Using Entrust certificates with VPN

Using Entrust certificates with VPN Entrust Managed Services PKI Using Entrust certificates with VPN Document issue: 1.0 Date of issue: May 2009 Copyright 2009 Entrust. All rights reserved. Entrust is a trademark or a registered trademark

More information

Driving Company Security is Challenging. Centralized Management Makes it Simple.

Driving Company Security is Challenging. Centralized Management Makes it Simple. Driving Company Security is Challenging. Centralized Management Makes it Simple. Overview - P3 Security Threats, Downtime and High Costs - P3 Threats to Company Security and Profitability - P4 A Revolutionary

More information

MCTS Guide to Microsoft Windows 7. Chapter 7 Windows 7 Security Features

MCTS Guide to Microsoft Windows 7. Chapter 7 Windows 7 Security Features MCTS Guide to Microsoft Windows 7 Chapter 7 Windows 7 Security Features Objectives Describe Windows 7 Security Improvements Use the local security policy to secure Windows 7 Enable auditing to record security

More information

Multi-Factor Authentication Protecting Applications and Critical Data against Unauthorized Access

Multi-Factor Authentication Protecting Applications and Critical Data against Unauthorized Access Multi-Factor Authentication Protecting Applications and Critical Data against Unauthorized Access CONTENTS What is Authentication? Implementing Multi-Factor Authentication Token and Smart Card Technologies

More information

BRING YOUR OWN DEVICE. Protecting yourself when employees use their own devices for business

BRING YOUR OWN DEVICE. Protecting yourself when employees use their own devices for business BRING YOUR OWN DEVICE Protecting yourself when employees use their own devices for business Bring Your Own Device: The new approach to employee mobility In business today, the value put on the timeliness

More information

For Managing Central Deployment, Policy Management, Hot Revocation, Audit Facilities, and Safe Central Recovery.

For Managing Central Deployment, Policy Management, Hot Revocation, Audit Facilities, and Safe Central Recovery. Investment and Governance Division 614.995.9928 tel Ted Strickland, Governor 30 East Broad Street, 39 th Floor 614.644.9152 fax R. Steve Edmonson, Director / State Chief Information Officer Columbus, Ohio

More information

Managing BitLocker With SafeGuard Enterprise

Managing BitLocker With SafeGuard Enterprise Managing BitLocker With SafeGuard Enterprise How Sophos provides one unified solution to manage device encryption, compliance and Microsoft BitLocker By Robert Zeh, Product Manager Full-disk encryption

More information

9 Steps to Data Security

9 Steps to Data Security Sensitive data - from trade secrets to customer data - is more valuable and so more vulnerable than ever. The challenges are significant from the complexity of deployment, to managing PCs and Macs, to

More information

Self-Encrypting Hard Disk Drives in the Data Center

Self-Encrypting Hard Disk Drives in the Data Center Technology Paper Self-Encrypting Hard Disk Introduction At least 35 U.S. states now have data privacy laws that state if you encrypt data-at-rest, you don t have to report breaches of that data. U.S. Congressional

More information

UNCLASSIFIED. UK Email Archiving powered by Mimecast Service Description

UNCLASSIFIED. UK Email Archiving powered by Mimecast Service Description UNCLASSIFIED 11/12/2015 v2.2 UK Email Archiving powered by Mimecast Service Description Cobweb s UK Email Archiving, powered by Mimecast, provides businesses with a secure, scalable cloud-based message

More information

PORTABLE DATA STORAGE SECURITY INFORMATION FOR CIOs/CSOs Best Before November 2011 1

PORTABLE DATA STORAGE SECURITY INFORMATION FOR CIOs/CSOs Best Before November 2011 1 Executive Summary PORTABLE DATA STORAGE SECURITY INFORMATION FOR CIOs/CSOs Best Before November 2011 1 In today s business environment, managing and controlling access to data is critical to business viability

More information

The problem with privileged users: What you don t know can hurt you

The problem with privileged users: What you don t know can hurt you The problem with privileged users: What you don t know can hurt you FOUR STEPS TO Why all the fuss about privileged users? Today s users need easy anytime, anywhere access to information and services so

More information

Kaseya IT Automation Framework

Kaseya IT Automation Framework Kaseya Kaseya IT Automation Framework An Integrated solution designed for reducing complexity while increasing productivity for IT Professionals and Managed Service Providers. The powerful, web-based automation

More information

How Drive Encryption Works

How Drive Encryption Works WHITE PAPER: HOW DRIVE ENCRYPTION WORKS........................................ How Drive Encryption Works Who should read this paper Security and IT administrators Content Introduction to Drive Encryption.........................................................................................

More information

Securing Data Stored On Tape With Encryption: How To Choose the Right Encryption Key Management Solution

Securing Data Stored On Tape With Encryption: How To Choose the Right Encryption Key Management Solution Securing Data Stored On Tape With Encryption: How To Choose the Right Encryption Key Management Solution NOTICE This Technology Brief may contain proprietary information protected by copyright. Information

More information

Management of Hardware Passwords in Think PCs.

Management of Hardware Passwords in Think PCs. Lenovo Corporation March 2009 security white paper Management of Hardware Passwords in Think PCs. Ideas from Lenovo Notebooks and Desktops Workstations and Servers Service and Support Accessories Introduction

More information

Google Identity Services for work

Google Identity Services for work INTRODUCING Google Identity Services for work One account. All of Google Enter your email Next Online safety made easy We all care about keeping our data safe and private. Google Identity brings a new

More information

A Comprehensive Plan to Simplify Endpoint Encryption

A Comprehensive Plan to Simplify Endpoint Encryption A Comprehensive Plan to Simplify Endpoint Encryption Managing SEDs, BitLocker, and FileVault Together from the Cloud Executive Summary Encryption is an essential component of any information security plan.

More information

How Cloud Computing Can Accelerate Endpoint Encryption:

How Cloud Computing Can Accelerate Endpoint Encryption: How Cloud Computing Can Accelerate Endpoint Encryption: Managing Self-Encrypting Drives in the Cloud Executive Summary Cloud computing is transforming IT for businesses of all sizes, but not without significant

More information

How to Provide Secure Single Sign-On and Identity-Based Access Control for Cloud Applications

How to Provide Secure Single Sign-On and Identity-Based Access Control for Cloud Applications SOLUTION BRIEF: PROTECTING ACCESS TO THE CLOUD........................................ How to Provide Secure Single Sign-On and Identity-Based Access Control for Cloud Applications Who should read this

More information

A Websense Research Brief Prevent Data Loss and Comply with Payment Card Industry Data Security Standards

A Websense Research Brief Prevent Data Loss and Comply with Payment Card Industry Data Security Standards A Websense Research Brief Prevent Loss and Comply with Payment Card Industry Security Standards Prevent Loss and Comply with Payment Card Industry Security Standards Standards for Credit Card Security

More information

A Strategic Approach to Enterprise Key Management

A Strategic Approach to Enterprise Key Management Ingrian - Enterprise Key Management. A Strategic Approach to Enterprise Key Management Executive Summary: In response to security threats and regulatory mandates, enterprises have adopted a range of encryption

More information

PGP Universal Server 2.5 SmartLine DeviceLock 6.2

PGP Universal Server 2.5 SmartLine DeviceLock 6.2 PGP Integration Guide October 2007 PGP Universal Server 2.5 SmartLine DeviceLock 6.2 Version 1.0 2 Table of Contents INTRODUCTION...3 STRUCTURE...3 CAVEATS...4 POLICY OVERVIEW...4 SPAN OF CONTROL...4 COMPUTER

More information

HIPAA Security Alert

HIPAA Security Alert Shipman & Goodwin LLP HIPAA Security Alert July 2008 EXECUTIVE GUIDANCE HIPAA SECURITY COMPLIANCE How would your organization s senior management respond to CMS or OIG inquiries about health information

More information

Email Archiving, Retrieval and Analysis The Key Issues

Email Archiving, Retrieval and Analysis The Key Issues Email Archiving, Retrieval and Analysis The "If you are going to find a smoking gun, you will find it in email." Abstract Organisations are increasingly dependent on email for conducting business, internally

More information

Centralized Self-service Password Reset: From the Web and Windows Desktop

Centralized Self-service Password Reset: From the Web and Windows Desktop Centralized Self-service Password Reset: From the Web and Windows Desktop Self-service Password Reset Layer v.3.2-007 PistolStar, Inc. dba PortalGuard PO Box 1226 Amherst, NH 03031 USA Phone: 603.547.1200

More information

SafeGuard Enterprise Web Helpdesk. Product version: 6 Document date: February 2012

SafeGuard Enterprise Web Helpdesk. Product version: 6 Document date: February 2012 SafeGuard Enterprise Web Helpdesk Product version: 6 Document date: February 2012 Contents 1 SafeGuard web-based Challenge/Response...3 2 Installation...5 3 Authentication...8 4 Select the Web Helpdesk

More information

Information Security Policy September 2009 Newman University IT Services. Information Security Policy

Information Security Policy September 2009 Newman University IT Services. Information Security Policy Contents 1. Statement 1.1 Introduction 1.2 Objectives 1.3 Scope and Policy Structure 1.4 Risk Assessment and Management 1.5 Responsibilities for Information Security 2. Compliance 3. HR Security 3.1 Terms

More information

Firmware security features in HP Compaq business notebooks

Firmware security features in HP Compaq business notebooks HP ProtectTools Firmware security features in HP Compaq business notebooks Embedded security overview... 2 Basics of protection... 2 Protecting against unauthorized access user authentication... 3 Pre-boot

More information

White Paper. Keeping Your Private Data Secure

White Paper. Keeping Your Private Data Secure WHITE PAPER: Keeping Your Private Data Secure White Paper Keeping Your Private Data Secure Keeping Your Private Data Secure Contents Keeping Your Private Data Secure............................ 3 Why Encryption?......................................

More information

FIVE KEY CONSIDERATIONS FOR ENABLING PRIVACY IN HEALTH INFORMATION EXCHANGES

FIVE KEY CONSIDERATIONS FOR ENABLING PRIVACY IN HEALTH INFORMATION EXCHANGES FIVE KEY CONSIDERATIONS FOR ENABLING PRIVACY IN HEALTH INFORMATION EXCHANGES The implications for privacy and security in the emergence of HIEs The emergence of health information exchanges (HIE) is widely

More information

Why Digital Certificates Are Essential for Managing Mobile Devices

Why Digital Certificates Are Essential for Managing Mobile Devices WHITE PAPER: WHY CERTIFICATES ARE ESSENTIAL FOR MANAGING........... MOBILE....... DEVICES...................... Why Digital Certificates Are Essential for Managing Mobile Devices Who should read this paper

More information

Estate Agents Authority

Estate Agents Authority INFORMATION SECURITY AND PRIVACY PROTECTION POLICY AND GUIDELINES FOR ESTATE AGENTS Estate Agents Authority The contents of this document remain the property of, and may not be reproduced in whole or in

More information

The Top 5 Federated Single Sign-On Scenarios

The Top 5 Federated Single Sign-On Scenarios The Top 5 Federated Single Sign-On Scenarios Table of Contents Executive Summary... 1 The Solution: Standards-Based Federation... 2 Service Provider Initiated SSO...3 Identity Provider Initiated SSO...3

More information

White paper December 2008. IBM Tivoli Access Manager for Enterprise Single Sign-On: An overview

White paper December 2008. IBM Tivoli Access Manager for Enterprise Single Sign-On: An overview White paper December 2008 IBM Tivoli Access Manager for Enterprise Single Sign-On: An overview Page 2 Contents 2 Executive summary 2 The enterprise access challenge 3 Seamless access to applications 4

More information

identity management in Linux and UNIX environments

identity management in Linux and UNIX environments Whitepaper identity management in Linux and UNIX environments EXECUTIVE SUMMARY In today s IT environments everything is growing, especially the number of users, systems, services, applications, and virtual

More information

The CIO s Guide to HIPAA Compliant Text Messaging

The CIO s Guide to HIPAA Compliant Text Messaging The CIO s Guide to HIPAA Compliant Text Messaging Executive Summary The risks associated with sending Electronic Protected Health Information (ephi) via unencrypted text messaging are significant, especially

More information

Privileged. Account Management. Accounts Discovery, Password Protection & Management. Overview. Privileged. Accounts Discovery

Privileged. Account Management. Accounts Discovery, Password Protection & Management. Overview. Privileged. Accounts Discovery Overview Password Manager Pro offers a complete solution to control, manage, monitor and audit the entire life-cycle of privileged access. In a single package it offers three solutions - privileged account

More information

Securing data at rest white paper

Securing data at rest white paper Securing data at rest white paper An enterprise strategy for data encryption and key management Introduction: The data security imperative... 2 Enterprise data-at-rest security landscape today... 2 Challenges

More information

Hands on, field experiences with BYOD. BYOD Seminar

Hands on, field experiences with BYOD. BYOD Seminar Hands on, field experiences with BYOD. BYOD Seminar Brussel, 25 september 2012 Agenda Challenges RIsks Strategy Before We Begin Thom Schiltmans Deloitte Risk Services Security & Privacy Amstelveen tschiltmans@deloitte.nl

More information

Service Overview CloudCare Online Backup

Service Overview CloudCare Online Backup Service Overview CloudCare Online Backup CloudCare s Online Backup service is a secure, fully automated set and forget solution, powered by Attix5, and is ideal for organisations with limited in-house

More information

Protecting Data at Rest

Protecting Data at Rest Protecting Data at Rest What to Consider When Selecting a Solution for Hard Drive Encryption Authors: Daniel Nilsson & Jeff Sherwood April 18, 2011 Content Overview... 3 Approaches to data at rest protection...

More information

Convenience and security

Convenience and security Convenience and security ControlSphere is a computer security and automation solution designed to protect user data and automate most of authentication tasks for the user at work and home environments.

More information

How to enable Disk Encryption on a laptop

How to enable Disk Encryption on a laptop How to enable Disk Encryption on a laptop Skills and pre-requisites Intermediate IT skills required. You need to: have access to, and know how to change settings in the BIOS be confident that your data

More information

How To Use Attix5 Pro For A Fraction Of The Cost Of A Backup

How To Use Attix5 Pro For A Fraction Of The Cost Of A Backup Service Overview Business Cloud Backup Techgate s Business Cloud Backup service is a secure, fully automated set and forget solution, powered by Attix5, and is ideal for organisations with limited in-house

More information

Top Four Considerations for Securing Microsoft SharePoint

Top Four Considerations for Securing Microsoft SharePoint Top Four Considerations for Securing by Chris McCormack, Product Marketing Manager, Sophos is now the standard for internal and external collaboration and content management in much the same way Microsoft

More information

RSA SecurID Two-factor Authentication

RSA SecurID Two-factor Authentication RSA SecurID Two-factor Authentication Today, we live in an era where data is the lifeblood of a company. Now, security risks are more pressing as attackers have broadened their targets beyond financial

More information

Compliance series Guide to meeting requirements of the UK Government Cyber Essentials Scheme

Compliance series Guide to meeting requirements of the UK Government Cyber Essentials Scheme Compliance series Guide to meeting requirements of the UK Government Cyber Essentials Scheme avecto.com Contents Introduction to the scheme 2 Boundary firewalls and internet gateways 3 Secure configuration

More information

USER-MANAGED FILE SERVER BACKUP:

USER-MANAGED FILE SERVER BACKUP: USER-MANAGED FILE SERVER BACKUP: An ineffective solution to Business Data Protection WHITE PAPER www.cibecs.com 2 EXECUTIVE SUMMARY In their latest report on endpoint user data backup (ID #: G00211731),

More information

Deciphering the Safe Harbor on Breach Notification: The Data Encryption Story

Deciphering the Safe Harbor on Breach Notification: The Data Encryption Story Deciphering the Safe Harbor on Breach Notification: The Data Encryption Story Healthcare organizations planning to protect themselves from breach notification should implement data encryption in their

More information

WhitePaper. Private Cloud Computing Essentials

WhitePaper. Private Cloud Computing Essentials Private Cloud Computing Essentials The 2X Private Cloud Computing Essentials This white paper contains a brief guide to Private Cloud Computing. Contents Introduction.... 3 About Private Cloud Computing....

More information

Pointsec Enterprise Encryption and Access Control for Laptops and Workstations

Pointsec Enterprise Encryption and Access Control for Laptops and Workstations Pointsec Enterprise Encryption and Access Control for Laptops and Workstations Overview of PC Security Since computer security has become increasingly important, almost all of the focus has been on securing

More information