Issues to Consider when Choosing a Secure USB Flash Drive Solution Brian Compton College of Technology – University of Houston Issues to Consider when Choosing a Secure USB Flash Drive Solution Brian Compton College of Technology – University of Houston Problem Statement USB flash drives are cheap, small and abundant. Employees make use of these devices whether or not their employer is aware of the drive. If a company does not address the proper selection and integration of these devices into their security program, the growing use of small USB flash drives continue to be a security concern. Problem Statement USB flash drives are cheap, small and abundant. Employees make use of these devices whether or not their employer is aware of the drive. If a company does not address the proper selection and integration of these devices into their security program, the growing use of small USB flash drives continue to be a security concern. The Flash Drives are Here, Ready or Not There is no debate concerning the convenience and usefulness of USB flash drives. Sales statistics further prove the popularity of the devices. In 2008, USB flash drives are expected to sell 200 million units world-wide, with an average capacity of 1.5 gigabytes 1. Organizations need to take a stance concerning the use of flash drives in the workplace. It is important to remember that security needs to be flexible enough to accommodate new technology while maintaining protection and control of the company’s security 2. Simply ignoring the devices will not make them go away. Companies need to analyze these devices and decide if they can be useful for their particular technology needs. Organizations may often overlook the potential usefulness of secured flash drives. They offer more abilities other than just transporting and storing files. The Flash Drives are Here, Ready or Not There is no debate concerning the convenience and usefulness of USB flash drives. Sales statistics further prove the popularity of the devices. In 2008, USB flash drives are expected to sell 200 million units world-wide, with an average capacity of 1.5 gigabytes 1. Organizations need to take a stance concerning the use of flash drives in the workplace. It is important to remember that security needs to be flexible enough to accommodate new technology while maintaining protection and control of the company’s security 2. Simply ignoring the devices will not make them go away. Companies need to analyze these devices and decide if they can be useful for their particular technology needs. Organizations may often overlook the potential usefulness of secured flash drives. They offer more abilities other than just transporting and storing files. Conclusion Employees will continue to use USB flash drives in the workplace, whether or not their employer has an established policy governing their use. Due to the popularity of these items, it is in the best interest of organizations to address the proper use of these devices. Companies need to analyze the potential benefits of USB flash drive usage and decide if these benefits can be realized without degrading the company's security program. By researching the numerous factors surrounding the secure use of flash drives, organizations can make a sound decision regarding the appropriate flash drive and software combination to utilize. By using a set of guidelines to help in this decision, companies can make successful use of these ubiquitous devices. Conclusion Employees will continue to use USB flash drives in the workplace, whether or not their employer has an established policy governing their use. Due to the popularity of these items, it is in the best interest of organizations to address the proper use of these devices. Companies need to analyze the potential benefits of USB flash drive usage and decide if these benefits can be realized without degrading the company's security program. By researching the numerous factors surrounding the secure use of flash drives, organizations can make a sound decision regarding the appropriate flash drive and software combination to utilize. By using a set of guidelines to help in this decision, companies can make successful use of these ubiquitous devices. References 1.Chance, R. (2005). Understanding USB flash drives as portable infrastructure. 2.Christiansen, S. (Sep. 2, 2008). IT Security Strategy: Thinking Inside and Outside the Glass Box. Baseline. 3.O’Brian, B., Ericson, R., and Mearian, L. (Mar. 3, 2008). Review: 7 Secure USB Drives. Computerworld. 4.Senforce Technologies. (Jul. 2005). Best practices for managing and enforcing USB security. Headlines Another lost usb drive contains student information. Tax website shut down as memory stick with secret personal data of 12million is found in a car park. 12million-pub-car-park.html You are the weakest link. West Midlands Police Scrambles To Find Lost Memory Stick Containing Terror Suspects Data containing-terror-data/ References 1.Chance, R. (2005). Understanding USB flash drives as portable infrastructure. 2.Christiansen, S. (Sep. 2, 2008). IT Security Strategy: Thinking Inside and Outside the Glass Box. Baseline. 3.O’Brian, B., Ericson, R., and Mearian, L. (Mar. 3, 2008). Review: 7 Secure USB Drives. Computerworld. 4.Senforce Technologies. (Jul. 2005). Best practices for managing and enforcing USB security. Headlines Another lost usb drive contains student information. Tax website shut down as memory stick with secret personal data of 12million is found in a car park. 12million-pub-car-park.html You are the weakest link. West Midlands Police Scrambles To Find Lost Memory Stick Containing Terror Suspects Data containing-terror-data/ Issues to Consider when Choosing the Appropriate Secured Flash Drive Solution Organizations should not arbitrarily choose which flash drive or security software without taking into consideration many factors. This guide serves as a tool that can be used to help an organization make the right decision concerning the usage and implementation of secure USB flash drives. 1.Choose a hardware / software solution that uses AES encryption. The use government uses both 128 and 256 bit AES encryption. AES has not be cracked and can withstand attacks. 2.Consider platform compatibility. Some USB drives are compatible with Windows only. Consider what platforms are used within the organization and ensure the chosen device is compatible. 3.Look at bundled vs. third party software. Many drives come bundled with encryption software, however, this may not suit the company’s particular needs. Both the included software and available third party security software must be reviewed. 4.Authentication method. There are some drive models that use fingerprint authentication instead of passwords. These are more costly than other secure models, so the cost/benefit details need to be considered. 5.Review all possible uses for the flash drives. These devices can be used for more than just file transfer and transportation. A company needs to consider the numerous possible uses of the drive when considering the cost / benefit. 6.Do not just by cost alone. An organization should look at the desired outcomes for flash drive use and what will be the acceptable cost for achieving that outcome. 7.Enterprise integration. An organization must consider the overall impact on their security stance by choosing a secure flash drive solution. The decision must look at not just the device itself, but also how these devices and their various authentication methods will be handled company-wide. 8.Reputable supplier. Some flash drive models have been shipped with malware present on the device. An organization must ensure they are working with a reputable supplier. Check their credentials. 9.Do we really need them? If an organization comes to the conclusion that the cost / benefit of using secure flash drives does not make sense, then the company needs to take steps to prevent the use of USB flash drives. USB ports can be disabled on individual computers or third party software can assist in policing the use of USB ports. List is derived from all references. Issues to Consider when Choosing the Appropriate Secured Flash Drive Solution Organizations should not arbitrarily choose which flash drive or security software without taking into consideration many factors. This guide serves as a tool that can be used to help an organization make the right decision concerning the usage and implementation of secure USB flash drives. 1.Choose a hardware / software solution that uses AES encryption. The use government uses both 128 and 256 bit AES encryption. AES has not be cracked and can withstand attacks. 2.Consider platform compatibility. Some USB drives are compatible with Windows only. Consider what platforms are used within the organization and ensure the chosen device is compatible. 3.Look at bundled vs. third party software. Many drives come bundled with encryption software, however, this may not suit the company’s particular needs. Both the included software and available third party security software must be reviewed. 4.Authentication method. There are some drive models that use fingerprint authentication instead of passwords. These are more costly than other secure models, so the cost/benefit details need to be considered. 5.Review all possible uses for the flash drives. These devices can be used for more than just file transfer and transportation. A company needs to consider the numerous possible uses of the drive when considering the cost / benefit. 6.Do not just by cost alone. An organization should look at the desired outcomes for flash drive use and what will be the acceptable cost for achieving that outcome. 7.Enterprise integration. An organization must consider the overall impact on their security stance by choosing a secure flash drive solution. The decision must look at not just the device itself, but also how these devices and their various authentication methods will be handled company-wide. 8.Reputable supplier. Some flash drive models have been shipped with malware present on the device. An organization must ensure they are working with a reputable supplier. Check their credentials. 9.Do we really need them? If an organization comes to the conclusion that the cost / benefit of using secure flash drives does not make sense, then the company needs to take steps to prevent the use of USB flash drives. USB ports can be disabled on individual computers or third party software can assist in policing the use of USB ports. List is derived from all references. Why is this an issue? Even though flash drives are small, their storage capacities are large. Models with a two gigabyte storage capacity are cheap and common while some flash drive capacities go all the way up to 32 gigabytes. They are easy to use: just plug one into a USB port and drag-and- drop any number of files onto the device. Most flash drives do not encrypt data by default. All of these characteristics combine to form an extremely useful but potentially damaging device. Users can easily take gigabytes of sensitive data off of the corporate network and out of company premises. Once outside the confines of the business, unprotected USB flash drives can be easily lost or stolen. Companies that choose not to address these devices do so at their own peril. News headlines illustrate just how much data can be lost or stolen via these convenient devices. Why is this an issue? Even though flash drives are small, their storage capacities are large. Models with a two gigabyte storage capacity are cheap and common while some flash drive capacities go all the way up to 32 gigabytes. They are easy to use: just plug one into a USB port and drag-and- drop any number of files onto the device. Most flash drives do not encrypt data by default. All of these characteristics combine to form an extremely useful but potentially damaging device. Users can easily take gigabytes of sensitive data off of the corporate network and out of company premises. Once outside the confines of the business, unprotected USB flash drives can be easily lost or stolen. Companies that choose not to address these devices do so at their own peril. News headlines illustrate just how much data can be lost or stolen via these convenient devices. Table 1: Business applicable benefits of secure USB flash drives 1 User authentication Flash drives can contain token keys for use in a PKI infrastructure, enabling a two factor authentication scheme utilizing hardware and password File security Digital certificates can be safely stored on a secure flash drive, protecting them from computer failures and thefts Data storage/backup/archiveWith large storage capacities, entire databases can be encrypted and safely stored Portable softwareSoftware applications can be launched from the drive, even entire operating systems Copyright protectionFlash drives can be used in software licensing schemes, serving to protect software rights Flash Drives in the News Secondary school loses identifying student information for thousands of students. British government has to shut down a major tax service related website due to security breach caused by lost drive. Consulting firm misplaces a flash drive containing the identifying information about 84,000 prisoners. Memory stick containing details about suspected terrorists and terrorist cells is lost by police. Flash Drives in the News Secondary school loses identifying student information for thousands of students. British government has to shut down a major tax service related website due to security breach caused by lost drive. Consulting firm misplaces a flash drive containing the identifying information about 84,000 prisoners. Memory stick containing details about suspected terrorists and terrorist cells is lost by police. People Find reputable supplier. Are flash drives really needed? Technology Choose AES encryption. Platform compatibility. Bundled vs. third party software. Authentication method. Review all possible uses for drives. Processes Authentication method. Review all possible uses for drives. Do not judge by cost alone. Enterprise integration. Figure 1. This figure divides the issues concerning the selection of secure flash drive technology amongst the three security vulnerabilities: people, process, technology.