Protecting USB Sticks

It is in my opinion a controversial discussion: Do you allow the use of USB sticks in a corporate environment and if yes, how? Obviously, today there are a lot of other means to exchange information but the USB stick still seems to be important for users. To have a presentation for an event on a stick, “just in case” is still often good practice. But some companies do not allow to use them anymore and block the USB ports. Others allow encrypted sticks only. Does this then lead to the users leveraging Dropbox (or any other provider) as an alternate path to solve their problems?

Whatever view you have on this challenge, there is – I guess – a common ground how NOT to use USB sticks, which is to use them unencrypted with sensitive data on. They get lost. Heathrow airport learns this currently the hard way: Unencrypted USB stick with 2.5GB of data detailing airport security found in street – especially if the reports are true about the information, which is on the stick…

I am still convinced that the right approach to these scenarios is, to leverage a technology like Active Directory Rights Management to protect the information itself and not the device the data is on. If you do that, you do not care about USB-sticks and public websites anymore…. But it still seems a long way to go for such technologies – and I do not understand why.

This is a Security Bloggers Network syndicated blog post. Read the original at: Roger Halbheer on Security 2017-10-31.