Removable storage devices make it very convenient to transfer data from one computer to another – but they also bring with them a big security risk. The ability to copy gigabytes of company information to a tiny card or drive also makes it easy for employees (or anyone else who can gain physical access to one of your networked systems) to deliberately steal critical data or inadvertently subject it to unauthorized exposure. That could lead to a very costly disaster if company secrets get into the hands of competitors or if sensitive data (such as clients’ personal information) is exposed in violation of regulatory stipulations.
Our focus is often on how to prevent hackers from getting at our data by accessing it remotely across the network. But it’s equally important to be aware of the risk that insiders will use old-fashioned “sneakernet” to misappropriate data, and take steps to ameliorate it. The good news is that there are ways to prevent copies of your data from walking out the door on a removable device.
Removable storage has been around pretty much since the advent of the personal computer; in fact, the first IBM portable computer, the 5100 (released in 1975), had only removable storage – a magnetic tape cartridge – and no fixed hard drive. Subsequent IBM PCs used removable eight-inch floppy disks for storage. It wasn’t until 1983, with the IBM PC XT, that a hard disk became standard.
Today, of course, we have a plethora of options when it comes to removable storage, including optical media (CDs, DVDs and Blu-ray discs), USB “sticks” or thumb drives that fit on a keychain, and flash memory cards, including microSD cards that are only about half an inch in length and can be concealed almost anywhere. Some USB drives are disguised to look like other objects, such as keys, credit cards or lipsticks. Another big problem is that MP3 players, phones and tablets can be connected to a computer via a USB cable and can function as removable drives themselves.
It’s hardly feasible to prohibit employees, contractors and visitors from bringing their phones onto the company premises, and it would be impossible to search everyone for hidden memory cards and disguised thumb drives. Since controlling the removable devices isn’t practical, what you need is a technological solution, some sort of “roadblock” that will prevent your data from being transferred to these devices. The good news is that you can do exactly that with the right kind of endpoint security mechanism.
The problem is that some solutions are “all or nothing” blockades. You could always physically disable USB connectivity by filling the ports with some substance or removing the cables connecting the USB ports to the motherboard. You could block USB in the computers’ BIOS, or you could use Group Policy on Windows machines. Some of these solutions give you more flexibility than others, but chances are none of them completely meet your needs.
For instance, you might want to allow certain users to use USB storage, but only during a specified timeframe. You might want to block only certain classes of devices, or you might want to block file copy based on the file extension. You might even want to block a particular physical USB port or a particular device ID. And what about new computers that connect to the network? Are they protected automatically, before you get around to configuring them? Finally, once you have the fine-grained control over these devices that you want, it would be great if you could monitor the connected devices on a continuous basis, from a centralized location.
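The requirements in the paragraph above amount to a default-deny policy check evaluated per copy attempt. The sketch below is an added example, not code from the original article or from any product; the rule fields, port label, extensions and device ID are hypothetical and constructed for illustration.

```python
import os
from dataclasses import dataclass
from datetime import datetime, time

@dataclass(frozen=True)
class Rule:
    users: frozenset                       # accounts the rule covers
    device_classes: frozenset              # e.g. {"usb_storage"}
    start: time                            # permitted window (same day, start < end)
    end: time
    device_ids: frozenset = frozenset()    # empty means any device of the class
    blocked_exts: frozenset = frozenset()  # extensions that may not be copied

@dataclass(frozen=True)
class CopyRequest:
    user: str
    device_class: str
    device_id: str
    port: str
    filename: str
    when: datetime

def decide(req, rules, blocked_ports=frozenset()):
    """Return (allowed, reason); anything not explicitly permitted is denied."""
    if req.port in blocked_ports:
        return False, "physical port blocked"
    for rule in rules:
        if req.user not in rule.users or req.device_class not in rule.device_classes:
            continue
        if rule.device_ids and req.device_id not in rule.device_ids:
            return False, "device ID not approved"
        if not (rule.start <= req.when.time() < rule.end):
            return False, "outside permitted time window"
        ext = os.path.splitext(req.filename)[1].lower()
        if ext in rule.blocked_exts:
            return False, "file extension blocked"
        return True, "allowed by rule"
    # Users or machines nobody has configured yet fall through to here.
    return False, "no matching rule (default deny)"

# Constructed sample policy and device ID, for illustration only.
APPROVED_ID = "USB\\VID_0000&PID_0000\\SAMPLE0001"
RULES = [Rule(frozenset({"alice"}), frozenset({"usb_storage"}),
              time(9, 0), time(17, 0),
              device_ids=frozenset({APPROVED_ID}),
              blocked_exts=frozenset({".pst", ".mdb"}))]
BLOCKED_PORTS = frozenset({"front-panel-1"})
```

Sending each returned reason to a central log collector would provide the continuous, centralized view of device activity that the paragraph asks for.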
These are a few of the “must have” factors that you need to keep in mind when considering the best way to protect the data on your network from the risk posed by removable storage devices. Some “bonus” features would include the ability to force encryption on the removable devices that you do allow on your network and the capability to allow authorized employees to access the encrypted files even if they’re away from the office. Of course, when strong encryption comes into play, you also need to ensure that there is a recovery process in case the employee who encrypts important company data forgets the password or leaves the company.
With a good system for managing and blocking removable devices, you should be able to sleep a little more soundly at night, knowing that the convenience of removable storage won’t be used to conveniently steal your mission-critical information.