Corral Your Wandering Data
A big part of Kevin M. Roy’s job is to make sure data doesn’t grow legs. He’s read far too many horror stories about the ramifications of not locking down removable media. So his mission is to make sure files can’t walk out the door very easily.
USB drives make his job much tougher. The drives make it extremely easy to copy large amounts of sensitive data, to quickly infect a network with a virus or for data to fall into the wrong hands.
Most IT managers echo Roy’s concern, but because his company, Ophir Optics in North Andover, Mass., does proprietary subcontract work for the military, the stakes are higher than most. Ophir, which creates infrared lenses, such as night-vision-enhancement systems, joined the ever-growing list of businesses that place tight controls on their gateway security.
“It’s not something you can go without these days,” says Roy, who implemented the Lumension Endpoint Management and Security Suite three years ago. “The threat environment out there is pretty bad, and it’s getting worse weekly, if not daily.”
His advice to those thinking about USB security: “You’ve just got to dive in.”
When Ophir first implemented the system, the company went overboard and locked everything down, Roy says. If a USB device is plugged into a computer at Ophir, the machine can’t access the network, and only certain applications can run on the computer. The data on the USB device can also be encrypted so it can’t be accessed if the device is lost or stolen.
Naturally, there was some resistance from users at first, but the full-lockdown strategy proved to be a good way to start out, says Roy. Rather than securing the network piece by piece, Roy and his team blocked all removable media, then approved specific USB devices for the engineers who needed to use them.
Emphasis on Education
Mammoth Hospital, based in Mammoth Lakes, Calif., took the opposite approach. The hospital left the network open but told employees that the hospital’s policy (based on the federal Health Insurance Portability and Accountability Act) did not allow them to copy patient data onto portable devices.
SOURCE: Ponemon Institute
The IT team explained to employees that it had implemented DeviceLock data loss prevention software to monitor the network and ensure that employees comply with the policy. If a problem arises, IT can talk to the person involved, says Paul Fottler, the company’s systems administrator.
Fottler says education is a big part of USB security. Flash drives make life much easier for busy employees who need to quickly and easily transfer files so they can finish up a project at home or bring reports with them while traveling.
“We’ve explained that it’s just a matter of taking necessary precautions to keep an entire network secure,” says Eric Boulanger, network administrator at Lantic, a sugar refinery based in Montreal. “However, some employees are still resistant to USB port security.”
Roy acknowledges that the one problem he faced during the rollout at Ophir Optics could have been avoided fairly easily. He and his team told users about the system and explained how it worked; but in hindsight, a more formal rollout with greater detail about the system and how it would affect users would have gone a long way toward building acceptance. “People had heard we were doing this, and then they came in one day and it was locked down,” Roy says.
Top three security breaches specifically related to a USB device:
- A virus was introduced to the network through a USB device.
- Data was stolen from an employee’s USB device.
- An outsider used a USB device to steal data from the network.
SOURCE: CDW poll of 456 BizTech readers
Of course, any security application has some pushback from users, he adds, but people understand the threat and the need. “And we try to do it in a way that won’t hinder their workflow at all,” he explains.
Roy, who recently rolled out the new 4.4 Lumension system, initially imagined USB security to be a daunting, complicated process. But, he says, it’s centrally managed and has an easy, intuitive interface. As with most USB security tools, it integrates with Active Directory, so you can use groups that are already set up, or you can create new groups. Plus, Roy adds, it doesn’t leave a large footprint on the workstations, so there’s no real performance effect.
“Had we known what we know now, we would have done it sooner,” he says. These days, he adds, companies don’t have time to spare. “You can’t afford to wait.”
Boulanger agrees. “Do it, and do it fast,” he says.
If your management team is on the fence about the need for gateway security, he recommends leaving a USB key on a table in a cafeteria or other nonwork area. “I’d bet that someone will take it and plug it into a USB port to determine what is on it,” he says. “This test is a quick way to show how easy it is for any employee to plug any USB device into a PC, potentially exposing the entire network to viruses.”
USB Security Dos and Don’ts
- Don't lock out all devices from the network. Instead, restrict devices such as USB hard drives, USB keys and MP3 players, which are easily infected with malware.
- Do provide access to some users who need to use USB ports, but clarify how and when they are to be used. You may also consider restricting access to certain types of information, such as customer and employee data, financials, controls, production lists and forecasts.
- Don't implement a USB security system across the network on the first try. Start with a test group so there are fewer headaches if something goes wrong.
- Do encrypt sensitive data on computers and USB devices.
- Don't make USB security more cumbersome than it needs to be for end users. Think about classifying file folders on your servers with different levels of protection. For example, files with the highest level of protection can't be copied, moved or printed. But those with lower levels of protection aren't under such tight controls.