Tiny computing and storage devices have revolutionized the way people carry information as they can stow the equivalent of millions of pages of data. Yet this benefit is also detrimental to an organization’s data protection responsibilities as they offer hostile agents an easily concealable package for carting off sensitive or classified information. No organization can afford to leave sensitive data in an unprotected state on devices that can easily fall into the wrong hands.
Lost or stolen flash drives, containing everything from individuals private information to military secrets, have turned up practically everywhere — on the London Underground, in hire cars, at motorway services, at the side of the road, even in a bazaar in Afghanistan. These are not a few isolated incidents, as confirmed by an annual national independent study conducted by Ponemon Institute into “Trends in Insider Compliance with Data Security Policies’, in its most recent study (published June 2009) it discovered that 43% of respondents admit to having lost or had stolen a portable data-bearing device. Whether measured in terms of national security, legal costs and remediation for affected individuals, or in damage to the reputation of an organization from public disclosure, data breaches can have devastating consequences.
Managing these risks without nullifying the significant productivity and efficiency benefits of smart phones, personal digital assistants, USB sticks and other devices demands a delicate balancing act by the IT department. This article provides a framework of best practice to organizations grappling with this challenge.
1. At the minimum: Encrypt mobile data
Strong encryption provides the ultimate first defense against loss or theft. According to the National Institute of Standards and Technology, it would take approximately 149 trillion years to crack a 128-bit Advanced Encryption Standard key.
However, it is only as strong as its weakest link — ultimately each user’s password. The Ponemon Institute studies found that 47% of respondents shared passwords with co-workers, and 57% believed they were not the only ones in the organization. A number of readily available password-guessing software and hardware tools let hackers decode a user’s password by hammering away at a device with millions of guesses per second. Encryption solutions that store passwords and encryption keys in hardware can prevent such brute-force attacks and can also protect against cold-boot attacks (where hackers gain access to the encryption keys from RAM memory as keys remain in memory for a time after the device has been powered down).
Users themselves also represent a threat to even the best encryption schemes either intentionally as a malicious insider, or accidentally by writing down passwords and carrying the list with them. Some data on a smart phone is available without a password. For these reasons, encryption alone is not enough; organizations should use encryption within the framework of a centrally managed security strategy, including the ability to remotely disable or deny access to compromised devices, or wipe them clean.
2. The central issue: Manage mobile devices centrally
With an estimated 300 million USB drives in use worldwide, there are so many devices in the hands of users on any given day that many organizations remain unaware of how many connect to their networks, or from where. With little control and even less knowledge of how devices are used or their security posture, these legions of mobile device users represent a significant security risk.
Some organizations have already taken steps to centrally manage end-point data protection for their desktop and notebook PCs. The next logical step is to use the same approach to rein in mobile devices. This means going beyond standalone encryption to implement capabilities for tracking usage and enforcing security policies remotely, including the ability to lock a mobile device after a number of incorrect attempts to guess a password or destroy data if a user reports a device lost or stolen.
By deploying devices within an enterprise management framework, organizations can also implement security policies that define acceptable use, such as remote access, authentication, device storage and encryption.
3. Pulling the plug: Control ports
Besides managing devices, organizations should also consider controlling ports to which they connect. Gluing USB ports shut, or otherwise disabling them, denies employees the productivity benefits gained by using mobile USB devices. This approach is also not viable as increasingly these ports are necessary for key peripheral devices, including keyboards, mice and printers.
As employees need access to these ports to do their jobs, IT security professionals should employ more flexible approaches, such as whitelists that let only authorized devices connect. These can be as granular as specifying individual device serial numbers. By combining port control with strong, hardware-based encryption and centralized management, agencies can virtually dial back the risk of data loss and data leakage via mobile devices.
4. Remote control: Establish secure remote access
IT administrators must define policies for remote access, including acceptable network connection methods and authentication policies that define who receives what type of access and to what data. Policies or technologies designed to protect the data on mobile devices are of little use if employees find ways to circumvent them.
Remote devices often become part of the solution by incorporating some form of two-factor authentication. Digital certificates tokens and secure, one-time password generators, such as RSA SecurID and CryptoCARD, extend secure authentication beyond passwords. Eliminating the need for a physical token or other additional device, having two-factor authentication built into an encrypted USB flash drive, can improve security as the user cannot access credentials until after securely logging onto the device. This approach also reduces costs while streamlining both administration and the end-user experience.
5. Known variables: Educate employees about risk
Employee compliance with security policy is frequently the weakest link in the security chain. Studies by the Ponemon Institute have found that when faced with getting their job done or following data security policies, 95 percent of employees choose the former. Unless employees fully understand the magnitude of the threat, and therefore the importance of reducing these risks, they will view security policies simply as barriers to productivity. Education should focus on the risk the policy mitigates against and demonstrate how appropriate controls protect the employee. Training programs should also be augmented with regular communication on new threats, vulnerabilities, policies and individual accountability.
By following this framework, organizations can protect themselves from the risk of data loss and leakage, enabling flexibility and mobility — and ensuring continuity of operations.