Some security professionals suggest a radical approach to locking down USB flash drives. Sean Greene, a security consultant at Evidence Solutions, advises his clients to use a clear silicone caulk and fill every USB port on every PC to prevent USB attachments. He says the only way employees can transmit sensitive business documents is by email, a method that his clients can easily monitor.
Chris Harget, a spokesperson for security vendor ActivIdentity, adds that many military organizations don’t allow the drives at all, and they have resorted to gluing USB ports closed to prevent breaches.
Yet, in the modern IT climate, CIOs know they have to provide the services employees need to do their jobs, and that can include using a USB drive. For example, in a sales organization, employees often need to load PowerPoint slides, which may contain company financials, onto a USB flash drive.
Some organizations have found ways to deter data breaches while still allowing employees to use the devices. A common theme is to have the data encrypted. “For low-cost drives that do not contain their own encryption engines, a strong software-based encryption solution is fine and can meet even the lower-end government certifications,” says John Girard, a Gartner analyst. “The best practice is to never write data to external media that was not encrypted in the first place.”
Here we profile four organizations that have taken slightly different approaches to dealing with thumb-drive security to match the organizations’ specific needs and policies.
1. City of Columbus Approach: Uses Intelligent ID software to categorize files, and then assign a level of encryption on the fly.
The City of Columbus is serious about thumb-drive security. “Because this external media could be easily lost or stolen, we are concerned about intellectual property theft and the loss of sensitive data, whether maliciously or accidentally,” says the city government’s CIO, Gary Cavin.