by Jon Fielding CISSP, Director, EMEA, IronKey
Don’t be fooled: just like a book, you can’t judge a USB device by its cover. So what should you judge it by?
You may think a USB device just transports data and you’d be almost right. There are those that transport data; there are those that transport data securely; and then there are those that transport data securely whilst also providing an array of additional features and functions. This article provides an overview of the areas to evaluate when looking to procure secure USB multi-function devices.
Q1. Who To Trust
Fundamentally, the first decision to make is who to trust to provide an effective solution that protects your data. There are many companies that sell ‘secure’ USB multi-function devices; however, many are not security companies, and security is an add-on to their solutions. A security company, on the other hand, thinks security first and foremost and builds up from there. The question you need to ask yourself is: which do you believe is in a position to protect your data the way it needs to be protected?
Q2. Management, Policy Enforcement, and Auditing
The ability to manage security, governance, and compliance gaps in a centralised way is critical to reducing risk to the business. Expeditious risk identification helps security and operations teams respond quickly, accurately and confidently if policies are broken. Reports must allow companies to take immediate action to resolve issues such as a lost or stolen device.
Q2. FIPS – what is it and why is it relevant
Federal Information Processing Standards (FIPS) is an independent third-party endorsement with four levels of certification, “level 1” to “level 4”, with 1 being the lowest. However, while a useful tool in assessing the security of products, it is not a guarantee. You need to look not only at the level of certification gained, but also at what it relates to. There have been instances recently where USB multi-function devices have had FIPS certification for one component within the device, yet another part was found to be insecure. To be 100% certain, every component of the device should have FIPS certification. After all, a robust lock on your front door is worthless if the key is under the mat.
Q3. Malware Protection
Organisations have concentrated their malware prevention efforts on spam and web filtering, so attacks are being launched through different channels. One prevalent example is the Conficker virus that has infected millions of PCs worldwide. Having first corrupted the ‘Autorun’ feature, it is commonly introduced when an infected device is plugged into a USB port, spreading the virus from within the heart of the enterprise. A correctly architected solution will mitigate such an exploit by recognising and reacting to a corrupted autorun file, stopping the worm at source.
Q4. Spend A Little – Waste A Lot
Price is always a consideration; however, what may look like a cost-effective product today may deliver an expensive lesson tomorrow. For example, the Information Commissioner’s Office (ICO) has been granted new powers to impose £500K penalties on organisations for serious data breaches. It has advised that its deliberations, when considering its punishment, will include whether all reasonable steps have been taken to prevent breaches occurring. Organisations need a solution that gives them the ability to manage and control their devices in the field, defining and enforcing policy; destroying those that go AWOL or are in the possession of someone who is no longer considered trustworthy; and providing auditable evidence for all these processes to satisfy the ICO.
Q5. Secure Today – Enable Tomorrow
You’re investing money in secure USB multi-function devices to transport data, but these devices are also capable of serving as authentication tokens and can provide a platform for virtualisation, which is invaluable for remote workers, especially as part of a disaster contingency plan.
Lost or stolen USB multi-function devices, containing everything from individuals’ private information to military secrets, have turned up practically everywhere: on the London Underground, in hire cars, at motorway services, at the side of the road, even in a bazaar in Afghanistan. Don’t add your data to the list.
For more information visit www.ironkey.com.