UEM: A Thumb’s Up to USB Security

Are USB flash drives passé? You might think so given that computing and storage are increasingly moving to the cloud. However, Lifewire’s Patrick Hyde writes:

“With the growth of cloud computing and storage, physical memory is less essential for transporting data. But while emails and Dropbox are great for sharing a few documents at a time, flash drives are a faster and more secure method of sharing large files. With USB 3.0 technology, the fastest USB flash drives can even compete with external hard disc drives (HDD) for speed, with the advantage of being far more portable.”

Patrick Hyde, “The 9 Best USB Flash Drives to Buy in 2017,” Lifewire, June 2, 2017 

It’s no secret that individuals can and do employ USB flash drives—also known as memory sticks, memory cards, flash sticks, thumb drives, key drives, pen drives, jump drives, and simply USB’s—to “transport potentially sensitive information beyond the control of the business and can violate regulatory compliance rules or otherwise place the business at risk.”  

So says analyst firm Enterprise Management Associates® (EMA™) in its report that you can download below titled “Unified Endpoint Management: Simplifying the Security and Support of PC and Mobile Devices.” The report also states:  

“Among the most essential practices for data loss prevention is providing users a secure method for data sharing and preventing data from being distributed through alternative avenues. Also, encryption should be applied to data when it is at rest in its hosting environment, in transit to an endpoint, and in use by an application.” 

Combat Data Loss with Unified Endpoint Management

The endpoint security capabilities found within Ivanti® UEM solutions include media protection, remote endpoint control, security diagnostics, flexible dashboards and reporting, and more—with app control and automated patch management.

Specifically concerning control of removable devices such as USB flash drives and DVDs/CDs, Ivanti technology offers capabilities that include:

Per-Device Permissions: Granular permissions to control access at device class (e.g., all USB flash drives), device group, device model and/or even unique ID levels.

Device Whitelisting: Assigns permissions for authorized removable devices (e.g., USB flash drives) and media (e.g., DVDs/CDs) to individual users or user groups; use “audit mode” to set up / validate enforcement policies and then simply convert to “enforcement mode.”

Flexible Policy with Granular Control: Permission settings include read/write, forced encryption, scheduled / temporary access, online / offline, port accessibility, HDD / non-HDD devices and much more; can be set for individual and/or groups of users, machines, ports and devices.

Policy-based Encryption: Use central security policy to force encryption of all data being copied onto removable devices / media using FIPS 140-2 Level 2 validated cryptography module. Read / Write to Ivanti encrypted devices / media on PCs and Macs.

File Tracking / Shadowing: Patented bi-directional shadowing technology keeps a copy of all files read from and/or written to removable devices / media, or printed to local or network printers; can also track just file metadata (e.g., type, name, etc.).

File Type Filtering / Malware Protection: Restrict and manage file types moved to removable devices / media; combine with forced encryption for added protection. Prohibit download of executables from removable devices for added layer of malware protection.

Copy Limits: Restrict amount of data copied daily to removable devices / media on a per-user basis.

Offline Enforcement: Permissions / Restrictions remain effective even when endpoint is offline; these can be the same as when online or different (i.e., context-sensitive permissions).

In-Depth Reporting: Automatic logging of all network events related to your security policy provides visibility into policy compliance and violations via reports, email, and dashboard widgets.

Centralized Management / Administrators’ Roles: Centrally defines and manages access by user, user group, computer, and computer group to authorized removable devices / media on the network; once in ‘enforcement mode’ only explicitly authorized devices / media / users are allowed access by default.

Concluding with a Couple of Quotable Customer Quotes

“Physically, we will never be able to stop staff or visitors from plugging a USB device into their PC. However, we are now completely confident that should this happen, absolutely no corporate data will be allowed to be copied onto such a device.”

—Gary Collinson, System and Security Analyst, Watson Burton LLP  

“It’s not just what people take from the network that has to be monitored, these days it’s what they leave behind, too. The crossover between corporate and lifestyle computing means that employees seem to think it’s okay to bring their digital devices such as cameras and memory sticks into the workplace. You don’t want to find that someone has plugged in a device and left you with copyright images or MP3 files on your company server. The only way to control this is to monitor the network and block anything that’s not authorized.” 

—Martyn Croft, Head of Corporate Systems, The Salvation Army 

Take a few minutes to learn more about the tested, trusted UEM security capabilities that Ivanti offers.