CHECKLIST
Removable Media Encryption Checklist
INTRODUCTION
Removable media security is one of the most difficult and most important aspects of your data security strategy. Every day, employees store sensitive information, with or without your knowledge, on an array of mobile devices such as USB flash drives, laptops and smartphones. Without the ability to easily and effectively secure information on these devices, there is a significant risk that sensitive data could be copied onto an external device, taken outside of the organization, and subsequently lost, leaving you open to hefty fines, legally mandated data breach notification requirements, and potentially significant brand damage. While removable media encryption may be one of the most difficult challenges facing security teams today, there are strategies that can be adopted to significantly reduce the risk of a breach of sensitive information through these devices.
The following checklist will help you evaluate differing approaches and rank them based on your own specific needs. It is broken down into six broad sections: transparency to end-users, reliability and security, integration and ease of management, policy flexibility, and key management; each is explained further below. Using these as a guide, you should be able to more easily evaluate which aspects are the most important to you and your organization, to help ensure a successful and secure deployment.
TRANSPARENCY TO END-USERS

Capability: Does the user need to remember a key for every device they use in the network?
What this means: Having to manually authenticate for each device every time it is used will cause additional workload and help desk tickets.

Capability: Can the user transfer data without having to manually authenticate?
What this means: Users will want to quickly move data to and from a USB device; if they need to authenticate every time they use it, this will slow them down and introduce inefficiencies.

Capability: Does the user need to perform an encryption sweep before the USB drive can be used?
What this means: For large capacity devices (such as USB hard drives), the need to encrypt everything on the device before use can cause significant delays.

Capability: Does the encryption of data occur without user interaction?
What this means: Minimizing user interaction is the best way to reduce business impact while improving security.
©2010 CREDANT Technologies, Inc. All rights reserved.
PAGE 1 OF 5
For more information contact www.credant.com
Capability: Can the user bring their own devices and use those?
What this means: Many users will want to bring their own devices into the office; the ability to encrypt them (or just the sensitive data on them) can be extremely valuable.
RELIABILITY AND SECURITY

Capability: Does the solution support standard encryption algorithms such as AES and 3DES?
What this means: Strong encryption is important, and industry standard algorithms such as AES, 3DES, Rijndael, and others are good benchmarks of security.

Capability: Can the end user disable encryption manually, against policy?
What this means: Users will sometimes attempt to circumvent controls. You may need a solution that prevents this, or at least warns you when they do.

Capability: Will removing the USB drive during encryption cause data corruption or loss of the device?
What this means: An impatient user may simply pull a USB device from the computer while data is being encrypted. When this happens, you must be confident that neither the data nor the device becomes corrupted.

Capability: Can you enforce cool-down periods if the key is not entered correctly?
What this means: In the event that a device is lost, you may want to enforce a cool-down period between attempts to authenticate to the device, in order to deter attackers, perhaps after 3 or 4 failed attempts.

Capability: Can you enforce remote key deletion if the key is not entered correctly?
What this means: As above; however, for users with more sensitive data you may wish to cause the on-device key to be deleted.
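The cool-down and key deletion questions above describe a lockout policy that an evaluator can check concretely. The following Python model is an added example, not CREDANT's code or any product's implementation: the thresholds, the doubling cool-down, and the XOR wrap of the data key under a PBKDF2-derived key are illustrative assumptions, and the clock is injectable so the policy can be exercised offline.

```python
import hashlib, hmac, os, secrets, time

class RemovableMediaLock:
    """Unlock logic for an encrypted removable device: a growing cool-down after a
    few wrong passphrases, and deletion of the on-device key after a higher threshold."""

    def __init__(self, passphrase, cooldown_after=3, cooldown_seconds=30,
                 wipe_after=10, clock=time.time):
        self.cooldown_after = cooldown_after      # hypothetical policy values
        self.cooldown_seconds = cooldown_seconds
        self.wipe_after = wipe_after
        self.clock = clock                         # injectable for offline testing
        self.salt = os.urandom(16)
        kek = self._kek(passphrase)
        data_key = secrets.token_bytes(32)         # key that encrypts the media itself
        # Wrap the data key under the passphrase-derived KEK (XOR of two 32-byte
        # values; illustrative only, a real product would use AES key wrap)
        self.wrapped = bytes(a ^ b for a, b in zip(data_key, kek))
        # Verifier distinguishes a wrong passphrase from a right one
        self.verifier = hmac.new(kek, b"unlock-verifier", "sha256").digest()
        self.failures, self.locked_until = 0, 0.0

    def _kek(self, passphrase):
        return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), self.salt, 100_000)

    def unlock(self, passphrase):
        """Returns (status, data_key); data_key is None unless status == 'ok'."""
        now = self.clock()
        if self.wrapped is None:
            return "wiped", None        # key already deleted after too many failures
        if now < self.locked_until:
            return "cooldown", None     # refused even for a correct passphrase
        kek = self._kek(passphrase)
        expected = hmac.new(kek, b"unlock-verifier", "sha256").digest()
        if hmac.compare_digest(expected, self.verifier):
            self.failures = 0
            return "ok", bytes(a ^ b for a, b in zip(self.wrapped, kek))
        self.failures += 1
        if self.failures >= self.wipe_after:
            self.wrapped = self.verifier = None    # on-device key deletion
            return "wiped", None
        if self.failures >= self.cooldown_after:
            # Cool-down doubles with every further failure past the threshold
            wait = self.cooldown_seconds * 2 ** (self.failures - self.cooldown_after)
            self.locked_until = now + wait
            return "cooldown", None
        return "wrong", None
```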
INTEGRATION

Capability: What impact will this solution have on your general IT processes (systems management, patch management, etc.)?
What this means: Any new security solution must be evaluated to ensure that it does not break the existing systems management processes in place. Does your removable media encryption solution have any unforeseen impact on these processes?

Capability: What impact will the solution have on existing security tools and processes in place (user authentication, forensics, etc.)?
What this means: As above: how will the solution integrate with existing security processes and tools? If you use Active Directory for authentication, can you apply policies for removable media based on that?

Capability: Does the solution integrate with your other encryption solutions?
What this means: Your organization almost certainly uses many types of encryption, for desktop systems, laptops, phones, etc. Does the removable media solution integrate well with these? Can you create consolidated reports easily?
EASE OF MANAGEMENT

Capability: Can the solution be managed centrally and deployed remotely?
What this means: Removable media security is the most distributed security you will deploy; central management and deployment will help reduce your workload dramatically.

Capability: Can the same solution manage removable media encryption across multiple platforms?
What this means: If you use multiple platforms in the enterprise, such as Windows and Mac, can you use the same encryption solution for removable media on both?

Capability: Is reporting easy to use?
What this means: Simple reporting reduces compliance and audit workloads significantly, and helps to demonstrate business impact to your senior stakeholders.

Capability: Can users perform their own key recovery?
What this means: Users forget keys; allowing them to perform their own key recovery will reduce the impact on your central IT functions and services.

Capability: Can helpdesk staff provide one-time keys for recovery?
What this means: Occasionally helpdesk staff must assist a user with key recovery. Providing a one-time recovery key will help maintain security while expediting user productivity.
Capability: Are keys centrally escrowed?
What this means: Centrally storing keys for removable media helps to automatically authenticate users when they attach the device, and to recover information in the event of key loss.
POLICY FLEXIBILITY

Capability: Can you enforce encryption for all USB devices?
What this means: Enforcing encryption for all devices enables users to bring their own removable media into the office while keeping the data on it secure.

Capability: Can you enable end-users to select whether encryption is to be deployed?
What this means: For some users, you may wish to allow them to decide whether to encrypt information on a removable media device. While not appropriate for all users, this approach may be important to some types of users, administrators and partners.

Capability: Does the solution allow you the flexibility to ‘white list’ certain approved devices, while enforcing protection on all other external media devices?
What this means: Attempting to encrypt data on certain devices when they are attached, such as some smartphones, can cause them to become corrupted. Providing a whitelist prevents this from happening while protecting data on other devices.

Capability: Does the solution enable encrypted devices to be used on non-corporate systems?
What this means: Moving data to and from non-corporate systems may be vital for some users, especially if they are remote. You may want to either allow, or block, information being transferred from an encrypted device to a non-protected system.

Capability: Can you prevent users from copying information onto non-secured systems?
What this means: As above. Preventing the movement of data to non-protected systems could be especially important for some users with access to highly sensitive information.

Capability: Can policies be enforced based on user and role through Active Directory?
What this means: Using a central identity store such as Active Directory can reduce the workload of administering security, as well as help ensure complete coverage and auditability of controls.
CREDANT Technologies
15303 Dallas Parkway, Suite 1420, Addison, Texas 75001 USA
UK & EMEA, 88 Kingsway, London, WC2B 6AA, United Kingdom
US: 866-CREDANT (273-3268) or 972-458-5400
UK: phone +44 (0)20 7726 7440
fax +44 (0)20 7990 9101
For more information:
www.credant.com
info@credant.com
© 2010 CREDANT Technologies, Inc. All rights reserved. CREDANT Technologies, CREDANT, We Protect What Matters, Intelligent Encryption, and the CREDANT logo are, or will be, registered trademarks of CREDANT Technologies, Inc. All other trademarks, service marks, and/or product names are the property of their respective owners. Product information is subject to change without notice.