Removable media devices are here to stay. Their ease of use and low cost have made them ubiquitous in the work environment – but at what price? In this article they look at the pros and cons of removable media, and the steps IT managers can take to mitigate the security risks associated with them.
This topic came up recently in my office; what are some options for encryption?
Yes, it is naive to expect staff to follow a ban on removable media. However, the answers have been with us for decades (since the advent of floppy disks), and I’m sure the 160 kbyte remuneration spreadsheet will cause plenty of embarrassment in the wrong hands. Size does not matter – content does.
Step 1.
Physically or logically disable writing to removable media. If you’re an IT manager and can’t do this (or cannot win the argument with the board/users to do this) then resign and find a vocation you are good at.
Step 2.
Carrot & stick. If some smart aleck tries to get around your measures, hit them with the stick, and then stick the carrot up their a*se, and then very publicly fire that a*se.
There – no need for an article, was there?
hear hear! let me second that!
sometimes common sense should be at the top of the list of security philosophies.
since the advent of floppy disks, the advent of ftp, the advent of e-mail….
the only “solution” to this “problem” is to hire trustworthy employees.
another needless article on the “new horrors” of removable media. *sigh*
Don’t give your employees access to removable media.
Diskless thin clients, no USB or FireWire ports for the majority of your employees.
The board, and a select few who actually need removable media, can have them. Then when setting up removable media, use an OS that will allow both local and remote logging of the times that they are used.
If someone wants to move data off-site, it’s somewhat futile to stop them; there’s always going to be some bright spark around that’ll devise a way to work around it. Also, implementing such restrictions without somehow interfering with folks’ productiveness could be a challenge. I for one would be very pissed if I couldn’t send emails with attachments home.
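One way to get the usage logging this post calls for, as an added example that is not from the original thread: a small Python audit routine that parses Linux kernel (dmesg-style) messages for attached USB storage devices and checks each device’s serial number against an allowlist issued to the approved users. The log lines and the allowlist serials below are constructed for illustration.

```python
import re

# Constructed sample kernel log lines (not from the original thread), in the
# style of Linux dmesg output for two USB mass-storage devices being attached.
SAMPLE_LOG = """\
[  101.2] usb 1-1: new high-speed USB device number 3 using xhci_hcd
[  101.4] usb 1-1: New USB device found, idVendor=0781, idProduct=5583, bcdDevice= 1.00
[  101.4] usb 1-1: SerialNumber: 4C530001230
[  102.0] sd 2:0:0:0: [sdb] Attached SCSI removable disk
[  340.7] usb 1-2: New USB device found, idVendor=0951, idProduct=1666, bcdDevice= 1.10
[  340.7] usb 1-2: SerialNumber: 60A44C4132A2
[  341.1] sd 3:0:0:0: [sdc] Attached SCSI removable disk
"""

# Assumed allowlist: serials of the sticks issued to the "select few" who need media.
ALLOWED_SERIALS = {"4C530001230"}

TIME_RE = re.compile(r"^\[\s*(?P<ts>[0-9.]+)\]")
DEVICE_RE = re.compile(
    r"usb (?P<port>\S+): New USB device found, "
    r"idVendor=(?P<vid>[0-9a-f]{4}), idProduct=(?P<pid>[0-9a-f]{4})"
)
SERIAL_RE = re.compile(r"usb (?P<port>\S+): SerialNumber: (?P<serial>\S+)")

def parse_events(log_text):
    """Return one record per USB device seen, keyed by port, with time/vid/pid/serial."""
    devices = {}
    for line in log_text.splitlines():
        tm = TIME_RE.match(line)
        ts = float(tm.group("ts")) if tm else None
        m = DEVICE_RE.search(line)
        if m:
            devices[m.group("port")] = {"time": ts, "vid": m.group("vid"),
                                        "pid": m.group("pid"), "serial": None}
            continue
        m = SERIAL_RE.search(line)
        if m and m.group("port") in devices:
            devices[m.group("port")]["serial"] = m.group("serial")
    return list(devices.values())

def audit(log_text, allowed=ALLOWED_SERIALS):
    """Tag each device as 'allowed' or 'unauthorized'; the result is the usage log."""
    return [{**dev, "status": "allowed" if dev["serial"] in allowed else "unauthorized"}
            for dev in parse_events(log_text)]

if __name__ == "__main__":
    for rec in audit(SAMPLE_LOG):
        print(f"t={rec['time']} {rec['vid']}:{rec['pid']} serial={rec['serial']} {rec['status']}")
```

Feeding the records to a remote collector (syslog, SIEM) in addition to the local print gives the "local and remote" logging the post describes.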
As a previous poster mentioned, hire honest folk.
(I haven’t RTFA (got an exam in 40 min))
With an attitude like yours I’m sure you’re not managing anything, let alone a clue.
david: the only “solution” to this “problem” is to hire trustworthy employees.
I have a question. How do you tell who is trustworthy and who isn’t?
I suppose you could try to determine this from a person’s criminal record. But that isn’t actually very reliable, since they could still have done different things and not have been caught.
Roscoe: If someone wants to move data off-site, it’s somewhat futile to stop them; there’s always going to be some bright spark around that’ll devise a way to work around it.
Not necessarily. If you have it all pretty thoroughly locked down, what are they going to do?
For example, no Internet access, no USB ports, no Firewire, no floppy drives, etc… So on and so forth. At some point they’ll have to open the case (or do something else drastic) and if you have an alarm attached to that, well you’ll catch them. And so on.
You can actually deal with it if you control the environment. The only two real problems are whether you can and are allowed to control the environment and the next thing you said, which was…
Roscoe: Also, implementing such restrictions without somehow interfering with folks’ productiveness could be a challenge.
This is the true challenge. After a certain point, security measures can really start to hamper some people’s productivity.
Roscoe: I for one would be very pissed if I couldn’t send emails with attachments home.
I wouldn’t be. As long as I felt the overall security measures were fairly good and I didn’t HAVE to email something to myself, I wouldn’t be bothered at all, because I would understand why the security measures are there.
Roscoe: As a previous poster mentioned, hire honest folk.
Once again… How? How do you tell who is honest?
Duh, it’s not about honesty. Regular folks, be they as honest as they can get, just don’t think about security when they walk home with their data. It just doesn’t occur to them that their USB-stick can be stolen or misused. IT-people are IT-people precisely due to the fact that they do think about such things.
Your honest employees Mary and Mike have differently wired brains and they need to be told what they can and what they can’t do with technology because they just aren’t capable of seeing all the implications themselves.
You still need policies even with honest people.
I didn’t read the article. I didn’t feel the need to. My guess is it’s the umpteenth article about the “dangerously untrustworthy employees”.
When you start to treat your own employees like the enemy that is trying to bring you down, you are building a self-fulfilling prophecy. You’ll get resentment and when you go too far, you’ll get employees with a grudge.
So, what are we gonna do? Block access to the usb-ports?
Well, I could e-mail it with an attachment. So, let’s block attachments.
I’m going to paste it as text in the message body. We’ll abandon e-mail.
I’m going to print it and take it home in the briefcase. We’ll ban the printers and the briefcases!
I’m going to write it down and mail it via snailmail to myself. We’ll ban snailmail.
I’m going to write it down and take it home. We’ll ban the pen!
I’m going to memorize it and take it home. We’ll ban the monitors.
I’m going to ask someone for the information and take it home. We’ll fire you after we’ve beheaded you!
Like it’s been said before in this thread, it’s about trust! When there is no trust, you don’t have loyal employees, but hired mercenaries that will turn on you upon receiving a higher bid. If that is your view on people, you shouldn’t be running a company; you should be in the hills with all the other delusional survivalists.
r_a_trip: When you start to treat your own employees like the enemy that is trying to bring you down, you are building a self-fulfilling prophecy. You’ll get resentment and when you go too far, you’ll get employees with a grudge.
I guess you must be an enemy of your country then, since there are laws, police, things you aren’t allowed access to, etc.
You are only building that self fulfilling prophecy if you start to keep people from doing their jobs or if you have a bunch of people who just have to do whatever the heck they feel like.
You can (frequently) implement a ton of security measures that will pretty well take care of the problem without causing problems for your employees.
To put it bluntly, if you don’t do anything problems will inevitably arise. Somebody will either do something stupid (like what aab was saying) or someone will do something intentionally and these people can cause large quantities of damage. (Of course, with some pieces of information it doesn’t really matter much. So I suppose it depends on what you’re dealing with too. If it’s today’s menu for some company cafeteria or something, who cares?)
For an example though… (A non-computer example. I haven’t worked too much since I’m primarily a student. So I wasn’t able to come up with a better real one at the moment.) For one of the important keys for where I worked once upon a time, there was a little device embedded in it that would set off an alarm should you try to walk out of the building with it. It was a good thing it was there too, because someone did try to walk off with it! (And we didn’t have a backup key, so it would have caused a number of complications for a little while.)
And you know what? None of us were bothered by the device in the key either. Why? Because it didn’t interfere with our jobs.
First of all, if an employee has access to some data and wants to leak the data by all means, then he’ll probably succeed, because everyone can carry data anywhere in his/her head. Thus, allow access only to that piece of data needed for one’s job. Hold the employees responsible for any data leaked.
On the other hand, chances to leak data accidentally should be minimized. For example, mark valuable data and allow only unmarked data to be attached to emails. Limit copy-and-paste ability for such data. Employees can still copy the data manually, but that won’t happen without a clear intention.
Of course this requires some skill to set it up in a way that it doesn’t interfere with one’s job.
Please don’t try to secure everything that could present a security threat. I mean, in most situations who really needs a password on their memory stick? Or on their mobile phone? Moreover, everything that is considered secure probably has holes in it.
For companies, education of the employees should be the way: don’t copy sensitive information to dangerous places, or encrypt it if you really need to. Do you allow your employees to put company information on a public website?
I don’t care if someone finds the mp3 files on my stick. Sensitive information can/should be secured on an individual basis. Only use passwords when you need to; you will avoid much frustration if you happen to lose one.
I often feel that regarding security, the needs of the few outweigh the comfort of the many.
If we are going with the premise that you can’t tell the honest employee from the dishonest, then we must come up with a method to lock down the administrators as well. Clearly being an administrator doesn’t create some magical scenario where you become inherently honest. In fact, I have found that a fairly high percentage of administrators are kingdom builders, and are more than happy to take action that is detrimental to the company if it will make their job easier.
Security of data and its impact on the workflow of an organisation can be a double-edged sword. On the one hand you can lock down everything and restrict access no end, but then this will come at the expense of portability. If you are working in an environment which requires publishing of data for proposals and the like, then you cannot lock down your data too far or you will seriously impede your organisation’s ability to present that data. On the other hand, file encryption is a very sound way to go if you are afraid of storage devices being lost and information being placed in third-party hands.
At the end of the day though, security is a fallacy, because no matter how hard one tries to secure an environment (not just computing) others will work to overcome it. Just ask Microsoft or Adobe or any other software company.