For such a small device, the plastic, handheld USB flash drive can cause big security headaches. Even if you have robust end-point security and establish rigid policies about employee use of these drives, employees still find a way to copy financial reports and business plans for use at home. While other security breaches are more traceable, a flash drive is more difficult to monitor, especially after the employee leaves work.
Some security professionals suggest a radical approach to locking down USB flash drives. Sean Greene, a security consultant at Evidence Solutions, advises his clients to use a clear silicone caulk and fill every USB port on every PC to prevent USB attachments. He says the only way employees can transmit sensitive business documents is by email, a method that his clients can easily monitor.
Chris Harget, a spokesperson for security vendor ActivIdentity, adds that many military organizations don't allow the drives at all, and they have resorted to gluing USB ports closed to prevent breaches.
Yet, in the modern IT climate, CIOs know they have to provide the services employees need to do their jobs, and that can include using a USB drive. For example, in a sales organization, employees often need to load PowerPoint slides, which may contain company financials, onto a USB flash drive.
Some organizations have found ways to deter data breaches while still allowing employees to use the devices. A common theme is to have the data encrypted. "For low-cost drives that do not contain their own encryption engines, a strong software-based encryption solution is fine and can meet even the lower-end government certifications," says John Girard, a Gartner analyst. "The best practice is to never write data to external media that was not encrypted in the first place."
Here we profile four organizations that have taken slightly different approaches to dealing with thumb-drive security to match the organizations' specific needs and policies.
1. City of Columbus approach: Uses Intelligent ID software to categorize files, and then assign a level of encryption on the fly.
The City of Columbus is serious about thumb-drive security. "Because this external media could be easily lost or stolen, we are concerned about intellectual property theft and the loss of sensitive data, whether maliciously or accidentally," says the city government's CIO, Gary Cavin.
The city uses classification software from vendor Intelligent ID that does more than just encrypt data during file transfer. The software can be configured to encrypt data for a specific type of user or department, or even for specific file types, such as Microsoft Excel files.
Cavin says the city even marks files for encryption based on the data contained in the file. If the software finds a file with a Social Security number, the data is automatically encrypted. To read the files, an employee needs an encryption key. In some cases, they can transfer files in a rush to a flash drive, then request that IT send them the encryption key later to open the files.
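The kind of rule set described above (encrypt by department, by file type, or because the content contains a Social Security number) can be sketched as a small policy check. This is an added example, not Intelligent ID's code; the department names, extensions and function names are assumptions chosen for illustration.

```python
import re
from dataclasses import dataclass, field

# Candidate SSNs: 3-2-4 digits, separated consistently by "-" or " ", or not at all.
SSN_RE = re.compile(r"(?<!\d)(\d{3})([- ]?)(\d{2})\2(\d{4})(?!\d)")

def contains_ssn(text: str) -> bool:
    """True if text holds a structurally valid SSN (filters obvious false positives)."""
    for m in SSN_RE.finditer(text):
        area, group, serial = m.group(1), m.group(3), m.group(4)
        # Area numbers 000, 666 and 900-999 are never issued.
        if area in ("000", "666") or area >= "900":
            continue
        # Group 00 and serial 0000 are never issued either.
        if group == "00" or serial == "0000":
            continue
        return True
    return False

@dataclass
class Policy:
    # Hypothetical rule values, constructed for this example.
    encrypt_departments: set = field(default_factory=lambda: {"finance", "hr"})
    encrypt_extensions: set = field(default_factory=lambda: {".xls", ".xlsx"})

def must_encrypt(policy: Policy, department: str, filename: str, content: str) -> tuple:
    """Return (decision, reason) for a file about to be copied to removable media."""
    name = filename.lower()
    if department.lower() in policy.encrypt_departments:
        return True, "department"
    if any(name.endswith(ext) for ext in policy.encrypt_extensions):
        return True, "file type"
    if contains_ssn(content):
        return True, "content: SSN"
    return False, "no rule matched"

if __name__ == "__main__":
    p = Policy()
    # Constructed sample inputs.
    print(must_encrypt(p, "sales", "deck.pptx", "Q3 pipeline review"))
    print(must_encrypt(p, "sales", "roster.txt", "Jane Doe 123-45-6789"))
```

The structural checks on the SSN matter in practice: a bare nine-digit pattern also matches order numbers and part codes, and a rule that fires too often pushes users to work around it.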