Secure in the Wild

Peace of mind figures heavily into return on investment when agencies deploy secure flash drives.

The Agriculture Department’s National IT Center has spent between $5,000 and $10,000 on flash drives, estimates Greg Schmitz, chief of the center’s security staff. But because the use of the drives is part of the disaster preparedness plan at NITC, “having the information readily available for our essential personnel to deploy immediately would justify the investment many times over,” says Schmitz.

The ability for quick recovery should disaster strike is critical for the data center — located in Kansas City, Mo. — which provides IT services to users in many agencies across government.

The Veterans Affairs Department’s Dale Bogle agrees that the devices provide some intangible ROI. At VA, he says, secure flash drives prevent breaches into the personal data of millions of veterans. “Reputation is important,” says Bogle, supervisory information security officer for the Veterans Integrated Service Network 8 in Bay Pines, Fla.

Delivering on the Possibilities

The portability, size and storage capacity of flash drives make them a popular technology. Those benefits also make them a serious security threat for government agencies, says Scott Crawford, managing research director for Enterprise Management Associates. Small drives are easy to steal — and easy to lose, he points out. Plus, their USB compatibility means they can download data off a computer or upload viruses.

But government mandates and maturing technology have led to encryption and smart management strategies that help strike a balance between convenience and secure data, says Mark Diodati, senior analyst for identity and privacy strategies with the Burton Group.

The tiny devices require an extra level of vigilance, acknowledges VA’s Bogle, who says he’s a fan of the drives even though they can add to the time he spends walking around at work. When he and his team do their weekly hospital rounds, they’re on the lookout, in part, for unauthorized drive use.

Since VA began using flash drives two years ago, Bogle says, the security team has conducted ongoing training on proper use and implemented extensive controls for managing the devices. But the extra work is worth it.

“The drives increase productivity and cut down on paperwork,” he says. “I use them myself and love them.”

4.29 out of 5 Points
The risk rating, on a scale of 1 to 5, that USB drives received in the latest Ponemon Institute federal survey on cybersecurity threats.

SOURCE: Survey results for 217 executive-level federal IT officials, November 2009

Options Aplenty

Much of the appeal comes from the flexibility the drives offer government employees. “Flash drives are portable, durable and easy to use,” says Bogle. “Folks want to use the technology at home and work.” There’s a lot of staff movement at VA, he says. For instance, he points to nurses who have replaced stacks of paperwork with flash drives and doctors working in different facilities who need to quickly transfer their patients’ data.

When using secure flash drives, “encryption is job No. 1 for these devices,” Crawford says.

Hardware encryption is the way to go, adds Diodati. “It enables you to not have to worry about the complexity of software encryption.”

VA uses hardware-encrypted drives because software-based encryption proved to be “susceptible to penetration and compromise,” says Bogle. “It stored a root kit in the directory of the drive, which could be exploited.”

Bogle also employs endpoint device access control to track each drive. His team set up policy-based rules. A drive that’s not FIPS-compliant or from one of VA’s approved vendors won’t work in department computers, he says. Bogle is satisfied with the FIPS 140-2 Level 2 compliance offered by the drives VA uses. (FIPS 140-2 Level 3 validation is also available for flash drives.)

The ID Card Connection

For additional security down the road, Bogle and Schmitz would like to see integration with federal Personal Identity Verification cards.

Diodati thinks that is a good match. PIV cards compliant with Homeland Security Presidential Directive-12 provide authentication already, says Diodati. “Once you open the smart card, the flash drive would be open. The user doesn’t have to reauthenticate all the time with both devices.” Because of PIV card use, he says, two-factor authentication might not be necessary.

The authorization policy at VA requires extensive justification and approval around each drive. “Because they’re encrypted and have patient-sensitive information, it’s not OK to just hand drives out,” says Bogle. That helps cut down on costs, too. The process includes Health Insurance Portability and Accountability Act (HIPAA) training.

Bogle says that the drives help VA comply with the Paperwork Reduction Act, and his staff can manage and audit the devices to conform to the National Institute of Standards and Technology Special Publication 800-53 on security and VA standards.

Limiting Use

In addition to making sure drives comply with federal security guidance, NITC also controls who can use them, Schmitz says. Certain center employees have continuity of operations procedures loaded onto the devices so they have the necessary data to handle a catastrophic event.

“It’s another means of providing data that is truly more instantaneous than having to log on to some system,” he says. “It’s much more portable and accessible this way.”

But only personnel who are essential to disaster recovery plans can use the drives, which employ Advanced Encryption Standard-256 encryption and password authentication. Schmitz’s biggest challenge has been getting staff to refresh their drives.

“The synchronization of data can be difficult,” he says, which is one reason he hopes that centralized management tools become more advanced.

In the last year and half, many makers — including Imation, IronKey and SanDisk — began to provide remote access through console tools to help with drive management.

Going Biometric?

To further increase security, Bogle envisions biometric capabilities down the road.

It’s an area that’s still evolving. Flash drive vendor IronKey doesn’t support biometric capability yet, and users don’t often request it, according to John Jefferies, vice president of marketing, but “it is certainly on our radar.”

SanDisk’s Doron Dreyer, director of worldwide sales, considers biometrics a niche market.

“Biometrics technology is problematic in ways of reliability and security,” he says, especially in extreme work environments. “In Iraq, for example, dust can get into the biosensor.”

With or without biometrics, flash drive security will be an ongoing focus at VA and other agencies as use increases and functionality matures. “We see a lot of possibilities,” says Bogle, “if you can secure the things.”