Storage media security - trust is good, control is better
In the first post in this series, we discussed the topic of application control - and we now want to supplement that with this blog post with a topic that is also underestimated: storage media control.
In companies, the handling of the connection of new storage media varies. The spectrum ranges from "no one is allowed to connect anything unless IT has allowed it" to "everything is allowed". The former is very safe. But for organizations that need to share large files with others, not using services like WeTransfer, Box, Dropbox, etc. is very time consuming. Not regulating the use of storage media at all is - to put it positively - extremely negligent. But as always in life, there is not only black and white, but also many shades in between - including intelligent solutions that take into account both the security aspect and productivity. Many users pay little or no attention to this potential gateway when transferring data from one storage medium to another device via a USB port.
When looking at a sensitive market such as healthcare , one realizes that data such as X-rays and other image material is often passed on from doctor to doctor by stick. This way, malware can quickly get onto a device and into the systems, for example through a so-called "Bad USB attack". In this case, a stick prepared with malware is placed in the company. The memory is thus found seemingly by chance and taken into the office. For many users, curiosity then outweighs caution and they look to see what is on this stick. Without appropriate interface control precautions, this puts the company at great risk. Incidentally, this also applies to prepared smartphones that make contact with the network via Bluetooth, for example.
- Can a company monitor or prevent these processes?
- Can a company enforce that only certain mobile data carriers are permitted?
- Can the IT department enforce that sensitive data is automatically encrypted when copied to the USB sticks?
- Can the company control data transfer via Bluetooth devices?
The answer to these questions should hardly surprise you: Yes, it can!
A modern device control solution checks external data carriers and also the data flow. This solution also prevents sensitive data from getting onto mobile storage media such as USB sticks or data media from being easily connected and read. It checks every single device connected via USB. If this is not permitted by company regulations, it is locked out. This prevents unauthorized media from being used. Of course, it is also possible to define explicit exceptions to this. This allows the admins to react quickly to user requests or projects. These temporary releases can be limited in time or can be provided with a certain expiration date. However, security does not have to be sacrificed at this point. Only the explicitly required interfaces are released and certain file types can be prevented from execution, such as EXE, BAT, or macros.
DriveLock's device control, for example, regulates which USB media are allowed on the network at all. Another rule might state that connecting USB devices is allowed, but users only have read permissions on that device.
DriveLock is able to control all mobile media and external devices. For this purpose, a wide variety of corporate policy variants can be imagined and set, e.g. from monitoring a company agreement or enforcing strict guidelines. The quick distribution of all settings based on policies makes the implementation of the device control solution very easy:
- Flexible control of all externally connected media including network shares or WebDAV-based drives: IT teams determine who can use which drives and when.
- Integrated data flow control through data type checking: IT teams define user groups and their permissions.
- Comprehensive audit of file operations: IT teams can track user behavior as needed (e.g., who copied which file to which media at what time).
- Integrated data flow control through data type auditing: IT teams determine who can copy which files to where.
In addition to policies for devices of all types, the IT team can set rules for all settings according to various criteria - from user groups to times of day to network location, there are wide-ranging configuration options.
In addition to full auditing of mobile device usage and logging of data flow, modern solutions like DriveLock also support auditing of shadow copy creation. Forced encryption of data written to external media is also possible. IT teams can even control the volume of data transferred between removable media and the endpoint device in the process.