Tuesday, March 28, 2017

Big Problems, Small Packages (part 1)

    We're constantly hearing about data breaches in the news.  Many are due to external attacks as happened to Yahoo! or OPM.  Many others are caused by well-meaning staff or contractors who carry with them on laptops that then get lost or stolen.

   USB flash drives, often called thumb drives because they're about the size of your thumb, first hit the market in around 2000.  They had relatively little storage space and weren't cheap, but quickly became a security issue both for the potential to carry and load malware as well as taking data out of the office.  I remember discussions about this issue back in the early 2000s and some organizations were even thinking about using hot glue guns to fill in and block the USB ports on computers!  That would have been a mess!

   Before long the prices came down, the storage space went up and the problems multiplied.  Many organizations were not ready for how quickly these drives got integrated into every day work.

   Today we're going to focus on data that is copied on to USB flash drives and taken out of the office.

   The highest capacity USB flash drives we can find today are around 1 TB, though there are plans for 2 TB drives coming on the market before long.  Drives over 512 GB or larger are still pretty expensive.  But we know that prices of the high capacity drives will drop as new larger drives come out.

   To give you an idea of that size... 1 TB is about the size of 1500 CD-ROMs or 143,000,000 Word documents!  That's a lot of data potentially leaving your organization.

   So how do you combat this at your organization?  You don't!  We're not dealing with an adversary who's efforts need to be defeated.  These are well-meaning staff trying to get work done.  Always assume positive intent.

   That said, here are some key considerations:

   First, is there a business need?  This is critical.  If there is not a business need to copy information onto a USB flash drive, then it should not be allowed.  Here are some questions to ask:
   Is there a need?
   What is the need and who has this need?
   Is there more than one way to accommodate this need?
   Is remote access available and will this meet the need?  If not, why not?
   Is there an enterprise file-sharing mechanism that will help?

   Next... Minimum Necessary.  It's not just for HIPAA!  It simply means, is the least amount of data or information that is really needed, being used.  It's important to ask.  It's not about cutting or restricting access or data.  It's about meeting the business need, providing everything that is absolutely needed... no more and no less.  Here are some questions to ask:
   Is the entire customer/vendor/patient list needed?  Can a subset be used?
   Is every data field needed?
   Is the full set of documents needed or just a few for editing?
   Would a small representative sample of the information suffice?
   Can de-identified or redacted data be used?

   The third consideration is encryption.  Encryption is often not a solution in itself but it can be part of a solution.  Many regulatory requirements specify encryption and provide a "safe harbor" for lost data if it is encrypted.  Some questions to ask:
   Can the information be encrypted?
   Is encryption software readily available or are drives with encryption being used?
   Can the drive be decrypted on any machine or only company machines?
   Are there any proprietary systems or data formats involved that can't use encryption?

   Finally, consider control... that means control of the data and control of the device.  With USB flash drives that can be tricky because this really means keeping the drive with you or keeping it in a secured known location.  USB flash drives are just far too easy to lose or have stolen.  Questions to ask:
   From where is access to the information needed?
   Will the drive be brought on travel?
   Is it intended for use by anyone else?  If so, is there a contractual agreement covering the information on the drive?

   I'll get more into solutions in part 2, but at a high level there are basically three ways we can approach this:

  1. Administrative - this means policy and training.  Essentially you can define in policy under what circumstances use of these drives is allowed or not allowed, and train people so they understand.
  2. Group Policy (GPO) - this is is a Microsoft-centric solution.  Through the use of group policy, you can control all or a set of workstations to either allow or disallow the use of USB flash drives.  Or you can allow only certain users or certain drives.
  3. Data Loss Protection (DLP) - these are commercial tools that can not only allow or deny the use of drives, these tools can detect data types and further control what data can be written to the drive.
   Next time we'll talk about data coming in to the organization on thumb drives.

   How do you handle data on thumb drives at your organization?

No comments:

Post a Comment