Prevent data leaks from portable devices
You’ve layered on security solutions as best you can, bound by the limits of budget and resources: firewalls, antivirus, intrusion detection systems, and authentication solutions. But what about locking down your USB ports?
Have you ever considered how easy it would be for one of your users to copy large amounts of sensitive data onto an iPod or USB drive?
A data leak prevention solution can prevent users from siphoning off crucial data, whether maliciously or accidentally, and it can also prevent malware from infecting your system from inside.
Microsoft Tries to Help
If you rely just on Windows to help you, the problem with device and port blocking is how much control you get. In Windows Server 2003 and Windows XP, you can’t assign permissions for USB and FireWire ports nor for Wi-Fi and Bluetooth adapters, and you can’t manage Wi-Fi, Bluetooth, USB, and FireWire devices via Group Policy.
True, you can disable ports or enable read-only access, but that’s about as granular as you’re going to get. In Windows Vista and Windows 7, you have the ability to block USB ports and enforce policies, but not everyone has the option to move to newer OSs.
You can find some great device control solutions that are part of a larger security suite or desktop management suite, including solutions from ControlGuard, ManageEngine, NextLabs, Novell, ScriptLogic, SkyRecon; Sophos, and Symantec. But what if you want something more lightweight, with a smaller footprint?
In our decidedly unscientific research, we found over a dozen device control solutions to get you started. (Table 1 shows product information.) These are solutions that we hope (but can’t promise) you could implement right away without needing a lot of additional training or product consultation.
How They Work
Many device control solutions install an agent on your user's machine. Typically, you can create policies that then are enabled on users’ machines to block or allow devices and port usage. You can usually create whitelists of approved devices and/or approved users, though with some solutions you can also use blacklists.
If the solution is one that integrates with Active Directory (AD), the agent queries AD when the user logs on and sets permissions to the different nodes accordingly. If the user is not a member of a group that allows access to a particular device or set of devices, then access is blocked.
Depending on how complicated your users’ needs are, you might need a solution with highly granular controls, for example, to allow a particular flash drive to be used but to block others, or to specify the types of files that users can access and copy. Some solutions offer the ability to monitor files being transferred to or from approved removable devices.
What to Look For
When you’re considering device control solutions, you’ll want ease of management and granularity in your lock-down control. Considering that a desktop can have eight USB ports, plus other types of ports, even a small organization could have thousands of ports to manage and control, so a central management interface that’s not visually complicated is useful. And given the complexity of most organizations and the need to comply with industry, federal, and state regulations, granularity of control is important. It’s not enough, these days, to simply restrict all devices or all ports.
Integration with AD and Group Policy Objects will be important to many organizations. Finally, as you dive deeper into solutions, you might want to consider how the agent (if there is one) is installed (whether automatically or manually), how the tool “groups” PCs (into Security Groups, OUs, other proprietary classifications), and the quality and variety of reporting tools.
Note that many if not most of these products require a back-end data store, such as Microsoft SQL Server. Also, many products offer unattended installation or the option to run in silent or stealth mode, so users don’t know they’re being actively restricted. Whether you want this option will depend on your organization.
It's a USB World
In an ideal world, you’d inventory all your sensitive data, get all those crucial files into network storage and off of individual PCs, and beef up your local storage access controls—and your users would never bring flash drives, iPods, and PDAs to work. But to ignore such devices is to risk data loss that could not only cause embarrassment, litigation, and financial loss to your organization, but could wreak havoc on people’s lives.