CHECKLIST
Removable Media Encryption Checklist

INTRODUCTION

Removable media security is one of the most difficult and most important aspects of your data security strategy. Every day employees are storing, with or without your knowledge, sensitive information on an array of mobile devices such as USB flash drives, laptops and smartphones. Without the ability to easily and effectively secure information on these devices, there is a significant risk that sensitive data will be copied onto an external device, taken outside the organization and subsequently lost, leaving you open to hefty fines, legally mandated data breach notification requirements and potentially significant brand damage.

While removable media encryption may be one of the most difficult challenges facing security teams today, there are strategies that can be adopted to significantly reduce the risk of a breach of sensitive information through these devices. The following checklist will help you evaluate differing approaches and rank them based on your own specific needs. It is broken down into six broad areas: transparency to end-users, reliability and security, integration, ease of management, policy flexibility and key management (the key management items appear under Ease of Management). Each is explained below. Using these as a guide, you should be able to evaluate more easily which aspects matter most to you and your organization, and so help ensure a successful and secure deployment.

TRANSPARENCY TO END-USERS

Capability: Does the user need to remember a key for every device they use in the network?
What this means: Having to authenticate manually for each device, every time it is used, adds workload and generates help desk tickets.

Capability: Can the user transfer data without having to authenticate manually?
What this means: Users want to move data to and from a USB device quickly; if they must authenticate every time they use it, this slows them down and introduces inefficiencies.
Capability: Does the user need to perform an encryption sweep before the USB drive can be used?
What this means: For large-capacity devices (such as USB hard drives), having to encrypt everything on them before use can cause significant delays.

Capability: Does the encryption of data occur without user interaction?
What this means: Minimizing user interaction is the best way to reduce business impact while improving security.

©2010 CREDANT Technologies, Inc. All rights reserved. PAGE 1 OF 5 For more information contact www.credant.com

Capability: Can the user bring their own devices and use those?
What this means: Many users will want to bring their own devices into the office; the ability to encrypt them (or just the sensitive data on them) can be extremely valuable.

RELIABILITY AND SECURITY

Capability: Does the solution support standard encryption algorithms such as AES and 3DES?
What this means: Strong encryption is important, and industry-standard algorithms are the benchmark. Note that Rijndael is the cipher that was standardized as AES, and that 3DES has since been deprecated by NIST and should be treated as a legacy option: AES is the algorithm to require.

Capability: Can the end user disable encryption manually, against policy?
What this means: Users will sometimes attempt to circumvent controls. You may need a solution that prevents this, or at least alerts you when they do.

Capability: Will removing the USB drive during encryption cause data corruption or loss of the device?
What this means: An impatient user may simply pull a USB device from the computer while data is being encrypted. When this happens, you must be confident that neither the data nor the device becomes corrupted; in practice the solution should finish encrypting each file before it replaces the original, so an interruption leaves either the plaintext or the complete ciphertext, never a half-written file.

Capability: Can you enforce cool-down periods if the key is not entered correctly?
What this means: If a device is lost, you may want to enforce a cool-down period between authentication attempts, perhaps after 3 or 4 failed attempts, to slow down an attacker guessing the key.

Capability: Can you enforce remote key deletion if the key is not entered correctly?
What this means: As above, but for users with more sensitive data you may wish to have the on-device key deleted after repeated failures. This makes the data unrecoverable from the device itself, so it should only be enforced where a copy of the key is escrowed centrally.
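The two failed-attempt items above (cool-down, then deletion of the on-device key) are easy to specify and easy to get subtly wrong, so here is an added example of the unlock logic, written for this checklist rather than taken from any CREDANT product. The header layout, the PBKDF2 key wrapping, the thresholds and all names are assumptions chosen for illustration; a real implementation must persist the failure counter and the lock time in the header on the device itself, or an attacker resets them by unplugging the drive.

```python
"""Unlock policy for an encrypted removable device: cool-down after repeated
wrong passphrases and deletion of the on-device key after too many failures.

Added example for this checklist; it is not CREDANT code. The header layout,
thresholds and function names are assumptions chosen for illustration.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional, Tuple

PBKDF2_ITERATIONS = 100_000   # slows each guess; tune to the target hardware
COOLDOWN_AFTER = 3            # failures before cool-down starts (the "3 or 4" above)
COOLDOWN_BASE_SECONDS = 30.0  # first cool-down; doubles with each further failure
WIPE_AFTER = 10               # failures before the wrapped key is deleted


@dataclass
class DeviceHeader:
    """Metadata stored on the device beside the ciphertext (assumed layout)."""
    salt: bytes
    verifier: bytes                # half of the derived key, used to check the passphrase
    wrapped_key: Optional[bytes]   # data key XORed with the other half; None once wiped
    failures: int = 0              # must live on the device, not in host memory
    locked_until: float = 0.0      # timestamp in seconds; 0.0 means not locked


def _derive(passphrase: str, salt: bytes) -> Tuple[bytes, bytes]:
    """PBKDF2 gives 64 bytes: 32 to wrap the data key, 32 as the verifier."""
    kek = hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"), salt,
                              PBKDF2_ITERATIONS, dklen=64)
    return kek[:32], kek[32:]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def provision(passphrase: str, data_key: bytes) -> DeviceHeader:
    """Wrap a fresh 32-byte data key under the user's passphrase."""
    assert len(data_key) == 32
    salt = secrets.token_bytes(16)
    wrap, verifier = _derive(passphrase, salt)
    return DeviceHeader(salt=salt, verifier=verifier, wrapped_key=_xor(data_key, wrap))


def unlock(header: DeviceHeader, passphrase: str, now: float) -> Tuple[str, Optional[bytes]]:
    """Try to unlock the device at time `now` (seconds, caller-supplied clock).

    Returns (status, data_key): status is "ok", "wrong", "locked" or "wiped";
    data_key is set only for "ok".
    """
    if header.wrapped_key is None:
        return "wiped", None
    if now < header.locked_until:
        # Refuse without evaluating the passphrase: guesses made during the
        # cool-down neither count nor reveal whether they were right.
        return "locked", None

    wrap, verifier = _derive(passphrase, header.salt)
    if hmac.compare_digest(verifier, header.verifier):
        header.failures = 0
        header.locked_until = 0.0
        return "ok", _xor(header.wrapped_key, wrap)

    header.failures += 1
    if header.failures >= WIPE_AFTER:
        # Delete the wrapped key (a real agent overwrites it on disk): the data
        # is now unrecoverable from the device; only an escrowed copy of the
        # data key can restore it.
        header.wrapped_key = None
        return "wiped", None
    if header.failures >= COOLDOWN_AFTER:
        # Exponential back-off: 30 s after the 3rd failure, 60 s after the 4th, ...
        header.locked_until = now + COOLDOWN_BASE_SECONDS * 2 ** (header.failures - COOLDOWN_AFTER)
    return "wrong", None
```

Note the order of the checks: a wiped header is reported before anything else, a locked header refuses to evaluate the passphrase at all (so guesses during the cool-down are not counted and a correct guess does not unlock early), and the wipe threshold is tested before the cool-down is recomputed.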
INTEGRATION

Capability: What impact will this solution have on your general IT processes (systems management, patch management, etc.)?
What this means: Any new security solution must be evaluated to ensure it does not break the systems management processes already in place. Does your removable media encryption solution have any unforeseen impact on these processes?

Capability: What impact will the solution have on the security tools and processes already in place (user authentication, forensics, etc.)?
What this means: As above: how will the solution integrate with existing security processes and tools? If you use Active Directory for authentication, can you apply removable media policies based on it? If incident responders need to read an encrypted device, they will need access to the escrowed key, so check that the forensics workflow is supported.

Capability: Does the solution integrate with your other encryption solutions?
What this means: Your organization almost certainly uses several types of encryption, for desktops, laptops, phones, etc. Does the removable media solution integrate well with these? Can you create consolidated reports easily?

EASE OF MANAGEMENT

Capability: Can the solution be managed centrally and deployed remotely?
What this means: Removable media security is the most distributed security control you will deploy; central management and deployment will reduce your workload dramatically.

Capability: Can the same solution manage removable media encryption across multiple platforms?
What this means: If you run multiple platforms in the enterprise, such as Windows and Mac, can you use the same removable media encryption solution on both?

Capability: Is reporting easy to use?
What this means: Simple reporting reduces compliance and audit workloads significantly and helps demonstrate business impact to senior stakeholders.

Capability: Can users perform their own key recovery?
What this means: Users forget keys; allowing them to recover keys themselves reduces the impact on central IT functions and services.

Capability: Can helpdesk staff provide one-time keys for recovery?
What this means: Occasionally helpdesk staff must assist a user with key recovery. A one-time recovery key, which is useless after that recovery, maintains security while restoring user productivity quickly.

Capability: Are keys centrally escrowed?
What this means: Centrally storing the keys for removable media allows users to be authenticated automatically when they attach a device, and allows information to be recovered if the key is lost. It is also what makes key deletion after failed attempts safe to enforce.

POLICY FLEXIBILITY

Capability: Can you enforce encryption for all USB devices?
What this means: Enforcing encryption for all devices lets users bring their own removable media into the office while the data on it is still kept secure.

Capability: Can you let end users choose whether encryption is applied?
What this means: For some users you may wish to let them decide whether to encrypt information on a removable device. While not appropriate for all users, this may be important for some types of users, administrators and partners.

Capability: Does the solution give you the flexibility to whitelist certain approved devices while enforcing protection on all other external media?
What this means: Attempting to encrypt data on certain devices when they are attached, such as some smartphones, can corrupt them. A whitelist prevents this while still protecting data on other devices.

Capability: Does the solution allow encrypted devices to be used on non-corporate systems?
What this means: Moving data to and from non-corporate systems may be vital for some users, especially remote ones. You may want to either allow or block the transfer of information from an encrypted device to an unprotected system.

Capability: Can you prevent users from copying information onto non-secured systems?
What this means: As above. Preventing data from being moved to unprotected systems can be especially important for users with access to highly sensitive information.

Capability: Can policies be enforced based on user and role through Active Directory?
What this means: Using a central identity store such as Active Directory reduces the workload of administering security and helps ensure complete coverage and auditability of controls.

CREDANT Technologies
15303 Dallas Parkway, Suite 1420, Addison, Texas 75001 USA
UK & EMEA: 88 Kingsway, London, WC2B 6AA, United Kingdom
US: 866-CREDANT (273-3268) or 972-458-5400
UK: phone +44 (0)20 7726 7440, fax +44 (0)20 7990 9101
For more information: www.credant.com, email@example.com

© 2010 CREDANT Technologies, Inc. All rights reserved. CREDANT Technologies, CREDANT, We Protect What Matters, Intelligent Encryption, and the CREDANT logo are, or will be, registered trademarks of CREDANT Technologies, Inc. All other trademarks, service marks, and/or product names are the property of their respective owners. Product information is subject to change without notice.
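The Policy Flexibility items (enforce for all, user choice for some roles, a device whitelist, and control over non-corporate systems, all driven by Active Directory group membership) interact, and the order in which an agent evaluates them decides whether an exception for administrators actually works when every account is also in the baseline group. The following is an added example of one such decision procedure, written for this checklist and not taken from any CREDANT product; the rule set, group names, USB vendor/product identifiers and the action names are constructed for illustration.

```python
"""Policy decision for a removable-media encryption agent: device whitelist,
enforce-for-all, role-based user choice via AD groups, and handling of
non-corporate hosts. Added example for this checklist, not CREDANT product
logic; the rule set, group names and device identifiers are constructed.
"""
from dataclasses import dataclass
from typing import FrozenSet, List, Set, Tuple


@dataclass(frozen=True)
class Device:
    vendor_id: str    # USB VID as the agent reads it from the device descriptor
    product_id: str   # USB PID
    serial: str
    label: str


@dataclass(frozen=True)
class Session:
    user: str
    groups: FrozenSet[str]     # Active Directory group memberships
    host_domain_joined: bool   # False on a non-corporate system


@dataclass(frozen=True)
class Rule:
    group: str                   # AD group this rule applies to
    mode: str                    # "enforce" or "user-choice"
    allow_unmanaged_hosts: bool  # may data leave the encrypted device on a non-corporate host?


# First matching rule wins, so exceptions (admins, partners) are listed before
# the baseline that every domain account matches. Constructed for the example.
RULES: List[Rule] = [
    Rule("IT-Admins", mode="user-choice", allow_unmanaged_hosts=True),
    Rule("Finance", mode="enforce", allow_unmanaged_hosts=False),
    Rule("Domain Users", mode="enforce", allow_unmanaged_hosts=True),
]

# (vendor_id, product_id) pairs that must never be encrypted, e.g. phones that
# an in-place encryption sweep would corrupt. Constructed values.
WHITELIST: Set[Tuple[str, str]] = {("18d1", "4ee1")}


def effective_rule(session: Session, rules: List[Rule] = RULES) -> Rule:
    """Pick the first rule whose group the user belongs to; fail closed otherwise."""
    for rule in rules:
        if rule.group in session.groups:
            return rule
    return Rule("<no matching group>", mode="enforce", allow_unmanaged_hosts=False)


def decide(device: Device, session: Session,
           rules: List[Rule] = RULES,
           whitelist: Set[Tuple[str, str]] = WHITELIST) -> Tuple[str, str]:
    """Return (action, reason) for a device insertion.

    action is one of:
      "pass-through"  leave the device untouched (approved whitelist entry)
      "block"         refuse access: data may not leave the encrypted device here
      "user-choice"   prompt the user whether to encrypt this device
      "encrypt"       encrypt transparently; personal (BYOD) media included
    """
    if (device.vendor_id.lower(), device.product_id.lower()) in whitelist:
        return "pass-through", f"{device.vendor_id}:{device.product_id} is on the approved device whitelist"
    rule = effective_rule(session, rules)
    if not session.host_domain_joined and not rule.allow_unmanaged_hosts:
        return "block", f"rule for {rule.group} forbids use on non-corporate systems"
    if rule.mode == "user-choice":
        return "user-choice", f"rule for {rule.group} lets the user decide"
    return "encrypt", f"rule for {rule.group} enforces encryption on all removable media"


def audit_line(device: Device, session: Session, action: str, reason: str) -> str:
    """One line per decision, the raw material for the consolidated reporting asked for above."""
    return (f"user={session.user} device={device.vendor_id}:{device.product_id}/{device.serial} "
            f"host_managed={session.host_domain_joined} action={action} reason=\"{reason}\"")


if __name__ == "__main__":
    phone = Device("18d1", "4ee1", "A1B2", "Android phone")
    stick = Device("0781", "5581", "4C530001", "personal USB stick")
    alice = Session("alice", frozenset({"Domain Users", "Finance"}), host_domain_joined=True)
    alice_home = Session("alice", frozenset({"Domain Users", "Finance"}), host_domain_joined=False)
    for dev, sess in [(phone, alice), (stick, alice), (stick, alice_home)]:
        print(audit_line(dev, sess, *decide(dev, sess)))
```

Two design points are worth checking in whatever product you evaluate: the whitelist is consulted before any role rule, so a phone that would be corrupted by encryption is left alone regardless of who plugs it in, and a user who matches no rule at all is treated as "enforce, corporate hosts only" rather than being allowed through.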