Rarely does a day go by where we don’t hear about a computer containing confidential records turning up for sale second hand on eBay, a laptop being left in the back of a taxi or confidential data stored on a memory stick or DVD-ROM going missing in the post. IT Pros are starting to acknowledge that sensitive data is just as likely to be exposed through employee absentmindedness as it is through deliberate network infiltration by nefarious third parties.

In this series of posts I’m going to cover several different technologies, included by default with Windows Vista, Windows 7, and Windows Server 2008, that you can use to protect your organization’s data.

In this first post I’m going to tackle the humble USB thumb drive. The big problem with USB thumb drives is how useful they are. If they weren’t so useful, people wouldn’t want to store so much data on them. If they weren’t so small, they wouldn’t be so easy to lose. I have a thumb drive that holds more than 16 gigabytes of data. I’m sure that this figure will be dwarfed by the technologies coming out in the next few years. The more data a thumb drive can store, the less likely its owner is to remove old data from it. Someone who uses a large thumb drive to transfer data from the office to home and back every day is less likely to delete old files than someone who has an older thumb drive with limited capacity. Which means if you lose it, the chances of someone finding something juicy are higher.

How easy is it to lose a thumb drive? Consider this: Between 2003 and 2008 the British Ministry of Defence (MOD) lost 121 classified USB sticks. Source - http://news.bbc.co.uk/1/hi/uk/7514281.stm. The people that work at the MOD are trained to think about information security. If they are carrying a classified USB stick, you can probably assume that they are taking care not to lose it. If employees of the MOD can lose 121 USB sticks, you can imagine what the employees of an average organization where they don’t live and breathe security are going to be like!

Because they are so useful, it is difficult to rid your organization of thumb drives. It says something about the resilience of these devices that the British MOD keeps using them after they had to report to Parliament that they lost 121 of them containing classified data. If the MOD can’t get rid of them in the face of such security problems, you probably don’t have much of a chance in your own organization.

So the solution is coexistence with encryption. Make it so that the data stored on these devices is always encrypted so that when people do eventually lose them (and they will), the data stored on them cannot be recovered by any Tom, Dick or Harry.

Windows 7 will allow you to use BitLocker with USB thumb drives (you can also do this with Windows Vista Service Pack 1). The drawback of this approach is that BitLocker pretty much ties the encrypted thumb drive to one computer, so you won’t be able to use it to transfer data from work to home without having to use the BitLocker recovery tool each time you want to extract data! Not the world’s most elegant solution. BitLocker to Go makes this a little easier, but requires you to have Windows 7 at both ends. In most cases people's home computers are going to be running Windows XP or Vista.

What you can do is use Encrypting File System, a technology that hasn’t gotten a lot of press since the release of BitLocker, but one which is perfectly suited to removable USB devices. EFS is perfectly suited to removable USB because you can transfer encryption certificates between home and work computers. Once you’ve installed the encryption certificate at both places and set up encryption on the USB device, the files will only be able to be read on those computers where the encryption certificates are installed.

There are some things that you need to keep in mind when deploying USB thumb drives with EFS:

  • You can only use EFS if the USB device is NTFS formatted.
  • You should create an EFS encrypted folder on the USB device and set permissions so that that’s the only folder where data can be written.
  • You have to come up with some way to get the EFS certificate onto the user’s home machine. This is easier to do if you use EFS with an Enterprise CA because in that case the EFS certificate is centrally issued.
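
A way to carry out and check the first two points from PowerShell, as an added example that is not part of the original post: it confirms the drive is NTFS, marks a folder for EFS encryption with cipher.exe under the current user's EFS certificate, and lists any file left on the drive in clear text. The drive letter `E` and the folder name `Secure` are assumptions.

```powershell
# Added example: prepare and audit an EFS folder on a removable drive.
# Assumptions (not from the original post): drive letter E, folder name "Secure".
param(
    [string]$DriveLetter = 'E',
    [string]$FolderName  = 'Secure'
)

$drive = New-Object System.IO.DriveInfo($DriveLetter)
if (-not $drive.IsReady) { throw "Drive ${DriveLetter}: is not ready." }

# EFS is an NTFS feature; FAT32/exFAT volumes cannot hold EFS-encrypted files.
if ($drive.DriveFormat -ne 'NTFS') {
    throw "Drive ${DriveLetter}: is $($drive.DriveFormat); reformat as NTFS before using EFS."
}

$root   = $drive.RootDirectory.FullName
$secure = Join-Path $root $FolderName
if (-not (Test-Path -LiteralPath $secure)) {
    New-Item -ItemType Directory -Path $secure | Out-Null
}

# Mark the folder encrypted so files created in it later are encrypted automatically.
& cipher.exe /e $secure | Out-Null
$attrs = (Get-Item -LiteralPath $secure -Force).Attributes
if (-not ($attrs -band [System.IO.FileAttributes]::Encrypted)) {
    throw "Failed to set the Encrypted attribute on $secure."
}

# Audit: report every file on the drive that is stored in clear text,
# i.e. anything that was written outside the encrypted folder.
$clear = Get-ChildItem -LiteralPath $root -Recurse -Force -ErrorAction SilentlyContinue |
    Where-Object { -not $_.PSIsContainer -and
                   -not ($_.Attributes -band [System.IO.FileAttributes]::Encrypted) }

if ($clear) {
    Write-Warning "$(@($clear).Count) unencrypted file(s) found on ${DriveLetter}:"
    $clear | Select-Object FullName, Length, LastWriteTime
} else {
    Write-Output "All files on ${DriveLetter}: are EFS-encrypted."
}
```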

Getting the EFS certificates onto users’ home machines is the catch with this technique. Although importing an EFS certificate onto a new computer is relatively simple, getting this done is going to be a stumbling block. Still, it is better to overcome this stumbling block than it is to have to deal with several gigabytes of data that has gone missing because a USB thumb drive was dropped from someone’s pocket.

You can take a further step in using device policies to ensure that only authorized USB devices that you’ve prepared can be plugged into your organization’s computers. Of course, you can use these policies to ban USB thumb drives entirely, which is one certain way to stop people filling them with sensitive data and then losing them.

The other option that allows people to transfer data with USB devices but minimizes the risk of it being intercepted if someone loses the media is to use Active Directory Rights Management Services. I’ll cover what your options are with this technology, included as a default role service for Windows Server 2008, in another post in this series.