Securing and Monitoring portable USB based devices


This article looks at whether bulk enterprise security policies can be applied to portable devices such as USB pen drives, MP3 players, cellphones connecting through USB, CD/DVD media and digital cameras, whether they can be managed from a central software application, and which features such an application offers for Data Leakage Prevention.

Well, let us accept it. Portable devices like USB storage drives are the hardest to manage in an enterprise. An employee can easily copy confidential information and take it home. Or a contractor can simply plug a USB drive into a well-intentioned employee’s PC and take information in the employee’s absence. Can these portable devices be monitored? Can data leakage through them be prevented?

Yes. There are some software applications which give central management and data leakage protection for the most vulnerable part of the network – the USB drives.

Traditionally, companies have blocked all access to USB drives on enterprise PCs. That has never been an employee-friendly policy. Even if an employee only wants to transfer a PPT to make a presentation, they need to ask the IT department – and that is what we call productivity hampering! Some solutions these days allow selective access: they permit only USB mice, printers etc., and block access to USB pen drives. But again, it is the same story. Some companies used to physically check whether USB devices were being carried into the premises, but the devices are so small that employees/guests generally need to volunteer information about them or they may not get noticed. Nor is it a practical idea, because USB storage is available in the form of cellphones and MP3 players, and even some watches come with built-in USB drives – how would you block all these at the gate?

Well, the software applications described above for monitoring USB based devices can even extend network security policies to portable devices. Some of them integrate with Active Directory to enable easy creation of enterprise-wide policies. These policies can be anything like blocking access to USB drives and portable devices for certain employees (like contract workers), limiting certain devices to read-only (like CD/DVD media), or allowing unrestricted access from certain PCs (top management etc). In fact, a white list of corporate approved devices can be created and all other devices can be barred from connecting to the network port. Quite a complex operation, that, but if you are primarily dealing with Intellectual Property related businesses, it could come in handy.

You could monitor a variety of details, like connection/disconnection of the USB based devices, when they connected, PC name, date, type of device connected, connection allowed/blocked, file type accessed, file name accessed, file read/write copy summary, whether the device connects locally, wirelessly, or from remote, popular files read from the servers etc. You could also selectively disallow certain devices like MP3 players and digital cameras from accessing the PCs on your network, and give read-only permissions to CDs and DVDs. Now, that’s a lot of options! You could view this information in the form of log reports or graphical charts.

If allowed data is being copied, you could set an instruction to encrypt the data with standards-based AES 256-bit encryption. It is decrypted only if the employee types the password. So, even if the corporate USB drives are lost, sensitive data cannot be stolen. You could set a policy to automatically encrypt files being copied to USB storage media.

In case some policies need to be overridden, you could do it on a one-time basis, but if you end up doing it all the time, maybe you need to rethink the policy structure! You could also run these applications in silent mode: just monitor employee activity and report to the top management if some unwanted activity is seen, without actually blocking any access. Or you could tell the employee through screen prompts that an activity violates company policy and that access is therefore denied, so that they would be more careful the next time!
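To make the policy types above concrete (white list, per-group blocking, read-only device classes, silent mode), here is an added sketch of how such rules could be evaluated against connection events; it is not code from any vendor's product. The group names, device classes, serial numbers and the rule precedence are all assumptions made for this example.

```python
from dataclasses import dataclass

# Constructed policy data; a real product would pull this from its console or Active Directory.
APPROVED_SERIALS = {"CORP-USB-0001", "CORP-USB-0002"}  # corporate white list
BLOCKED_GROUPS = {"contractors"}            # no portable devices at all
UNRESTRICTED_GROUPS = {"top-management"}    # unrestricted access
READ_ONLY_CLASSES = {"cd_dvd"}
BLOCKED_CLASSES = {"mp3_player", "digital_camera"}
NON_STORAGE_CLASSES = {"mouse", "printer"}  # never treated as storage

@dataclass
class Event:
    when: str
    pc: str
    group: str
    device_class: str
    serial: str

def decide(ev):
    """Return (access, reason); access is 'full', 'read-only' or 'blocked'."""
    if ev.device_class in NON_STORAGE_CLASSES:
        return "full", "non-storage device"
    if ev.group in BLOCKED_GROUPS:
        return "blocked", "group may not use portable devices"
    if ev.group in UNRESTRICTED_GROUPS:
        return "full", "unrestricted group"
    if ev.device_class in BLOCKED_CLASSES:
        return "blocked", "device class not allowed"
    if ev.device_class in READ_ONLY_CLASSES:
        return "read-only", "read-only device class"
    if ev.serial in APPROVED_SERIALS:
        return "full", "white-listed device"
    return "blocked", "device not on white list"  # default deny

def audit(ev, monitor_only=False):
    """Build the log record; in silent (monitor-only) mode nothing is blocked."""
    policy, reason = decide(ev)
    return {"when": ev.when, "pc": ev.pc, "group": ev.group,
            "device": ev.device_class, "serial": ev.serial, "policy": policy,
            "enforced": "full" if monitor_only else policy, "reason": reason}

def violations(events, monitor_only=False):
    """Records a management report would list: policy said 'blocked'."""
    records = [audit(e, monitor_only) for e in events]
    return [r for r in records if r["policy"] == "blocked"]

SAMPLE = [  # constructed connection events
    Event("2024-01-08 09:12", "PC-014", "employees", "usb_drive", "CORP-USB-0001"),
    Event("2024-01-08 09:40", "PC-014", "contractors", "usb_drive", "CORP-USB-0002"),
    Event("2024-01-08 10:05", "PC-022", "employees", "cd_dvd", "n/a"),
    Event("2024-01-08 11:30", "PC-031", "employees", "usb_drive", "UNKNOWN-77"),
]
```

Note that the contractor is blocked even with a white-listed drive, and that in silent mode the record keeps both the policy verdict and what was actually enforced, so the report still shows what would have been denied.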

Some vendors also bundle virus/malicious software scanning and automatically block such USB drives from connecting to a computer (which could be most handy).

excITingIP.com





One thought on “Securing and Monitoring portable USB based devices”

  1. Mike

    Thanks for this informative article. I thought it could be interesting to provide a list of such monitoring tools. I know this directory lists a few: http://www.activitymonitoringsoftware.com . Simply search for “usb” and you’ll find quite a few interesting products.
