[  Tech Trends  ]

Secure in the Wild
Secure flash drives add management challenges, but their portability and simplicity win satisfied users.
By Christine Cignoli
1/28/2010


Peace of mind figures heavily into return on investment when agencies deploy secure flash drives.

The Agriculture Department’s National IT Center has spent between $5,000 and $10,000 on flash drives, estimates Greg Schmitz, chief of the center’s security staff. But because the use of the drives is part of the disaster preparedness plan at NITC, “having the information readily available for our essential personnel to deploy immediately would justify the investment many times over,” says Schmitz.

The ability for quick recovery should disaster strike is critical for the data center — located in Kansas City, Mo. — which provides IT services to users in many agencies across government.

Photo: Dan Videtich
In an emergency, the fact that USB drives can make data “readily available for our essential personnel to deploy immediately would justify the investment many times over,” says NITC’s Greg Schmitz.

The Veterans Affairs Department’s Dale Bogle agrees that the devices provide some intangible ROI. At VA, he says, secure flash drives prevent breaches into the personal data of millions of veterans. “Reputation is important,” says Bogle, supervisory information security officer for the Veterans Integrated Service Network 8 in Bay Pines, Fla.

Delivering on the Possibilities

The portability, size and storage capacity of flash drives make them a popular technology. Those benefits also make them a serious security threat for government agencies, says Scott Crawford, managing research director for Enterprise Management Associates. Small drives are easy to steal — and easy to lose, he points out. Plus, their USB compatibility means they can download data off a computer or upload viruses.

But government mandates and maturing technology have led to encryption and smart management strategies that help strike a balance between convenience and secure data, says Mark Diodati, senior analyst for identity and privacy strategies with the Burton Group.

The tiny devices require an extra level of vigilance, acknowledges VA’s Bogle, who says he’s a fan of the drives even though they can add to the time he spends walking around at work. When he and his team do their weekly hospital rounds, they’re on the lookout, in part, for unauthorized drive use.

Since VA began using flash drives two years ago, Bogle says, the security team has conducted ongoing training on proper use and implemented extensive controls for managing the devices. But the extra work is worth it.

“The drives increase productivity and cut down on paperwork,” he says. “I use them myself and love them.”

4.29 out of 5 Points
The risk rating, on a scale of 1 to 5, that USB drives received in the latest Ponemon Institute federal survey on cybersecurity threats.

SOURCE: Survey results for 217 executive-level federal IT officials, November 2009

Options Aplenty

Much of the appeal comes from the flexibility the drives offer government employees. “Flash drives are portable, durable and easy to use,” says Bogle. “Folks want to use the technology at home and work.” There’s a lot of staff movement at VA, he says. For instance, he points to nurses who have replaced stacks of paperwork with flash drives and doctors working in different facilities who need to quickly transfer their patients’ data.

When using secure flash drives, “encryption is job No. 1 for these devices,” Crawford says.

Hardware encryption is the way to go, adds Diodati. “It enables you to not have to worry about the complexity of software encryption.”

VA uses hardware-encrypted drives because software-based encryption proved to be “susceptible to penetration and compromise,” says Bogle. “It stored a root kit in the directory of the drive, which could be exploited.”

Bogle also employs endpoint device access control to track each drive. His team set up policy-based rules. A drive that’s not FIPS-compliant or from one of VA’s approved vendors won’t work in department computers, he says. Bogle is satisfied with the FIPS 140-2 Level 2 compliance offered by the drives VA uses. (FIPS 140-2 Level 3 validation is also available for flash drives.)

The ID Card Connection

For additional security down the road, Bogle and Schmitz would like to see integration with federal Personal Identity Verification cards.

Diodati thinks that is a good match. PIV cards compliant with Homeland Security Presidential Directive-12 provide authentication already, says Diodati. “Once you open the smart card, the flash drive would be open. The user doesn’t have to reauthenticate all the time with both devices.” Because of PIV card use, he says, two-factor authentication might not be necessary.

The authorization policy at VA requires extensive justification and approval around each drive. “Because they’re encrypted and have patient-sensitive information, it’s not OK to just hand drives out,” says Bogle. That helps cut down on costs, too. The process includes Health Insurance Portability and Accountability Act (HIPAA) training.

Bogle says that the drives help VA comply with the Paperwork Reduction Act, and his staff can manage and audit the devices to conform to the National Institute of Standards and Technology Special Publication 800-53 on security and VA standards.

Limiting Use

In addition to making sure drives comply with federal security guidance, NITC also controls who can use them, Schmitz says. Certain center employees have continuity of operations procedures loaded onto the devices so they have the necessary data to handle a catastrophic event.

“It’s another means of providing data that is truly more instantaneous than having to log on to some system,” he says. “It’s much more portable and accessible this way.”

But only personnel who are essential to disaster recovery plans can use the drives, which employ Advanced Encryption Standard-256 encryption and password authentication. Schmitz’s biggest challenge has been getting staff to refresh their drives.

“The synchronization of data can be difficult,” he says, which is one reason he hopes that centralized management tools become more advanced.

In the last year and a half, many makers — including Imation, IronKey and SanDisk — began to provide remote access through console tools to help with drive management.

Going Biometric?

To further increase security, Bogle envisions biometric capabilities down the road.

It’s an area that’s still evolving. Flash drive vendor IronKey doesn’t support biometric capability yet, and users don’t often request it, according to John Jefferies, vice president of marketing, but “it is certainly on our radar.”

SanDisk’s Doron Dreyer, director of worldwide sales, considers biometrics a niche market.

“Biometrics technology is problematic in ways of reliability and security,” he says, especially in extreme work environments. “In Iraq, for example, dust can get into the biosensor.”

With or without biometrics, flash drive security will be an ongoing focus at VA and other agencies as use increases and functionality matures. “We see a lot of possibilities,” says Bogle, “if you can secure the things.”

 

COMMENTS
From: Ron LaPedis, San Jose, CA
"An IT worker might use a flash drive containing an entire secured operating system or application instead of carrying a notebook or other mobile device."
>> Yes indeed they will. The SPYRUS Secure Pocket Drive is the first encrypted flash drive licensed by Microsoft to carry a Windows Embedded Standard, a version of Windows XP designed specifically to be used on small footprint devices. Along with Microsoft Office and a Citrix XenApp client, you have your own personalized PC in your pocket, perfect for remote computing and disaster recovery.
 
Copyright ©2010 CDW LLC | 200 N. Milwaukee Avenue, Vernon Hills, IL 60061