Portable and Removable Devices Information Forum
Transcript of Portable and Removable Devices Information Forum
1
Portable and Removable Devices Information Forum
Theresa A. Masse, State Chief Information Security Officer
Department of Administrative Services, Enterprise Security Office
2
Agenda
- What is a portable / removable device
- Policy requirements
- Agency Panel: Richard Rylander, Dept. of Justice; Herman Davis, Dept. of Revenue; Doug Juergensen, Dept. of Fish and Wildlife
- Key considerations
- Related policies
- Q&A
3
What is a portable device?
4
What is a portable device?
5
What is a portable device?
6
Statewide Policy: Purpose
- To ensure the confidentiality, integrity, and availability of state information assets stored on portable or removable devices
- To properly manage portable or removable storage devices, agencies must know what devices they have, where they are, who has them, how they are being used, and what information is stored on them
7
Statewide Policy: Agency Responsibilities
- Identify types of approved devices
- Govern use of personally-owned devices
- Establish ways to track devices
- Identify what information can be stored on devices
- Implement methods to secure the information on devices
8
Use of portable/removable devices
- 30% are lost every year [1]
- 250,000 left in U.S. airports [2]
- 22% of users keep a list of passwords on the device [3]
- 90% have insufficient power-on protection and storage encryption [4]
Sources: 1. Estimate from SANS Institute; 2. Motorola Mobile Device Security 2007; 3. RSA, RSA Security Password Management Survey, September 2005; 4. Gartner Group, Magic Quadrant for Mobile Data Protection, 1H04
9
Agency Panel
- Richard Rylander, Dept. of Justice
- Herman Davis, Dept. of Revenue
- Doug Juergensen, Dept. of Fish and Wildlife
10
Agency Panel
Richard Rylander, Security Coordinator
Oregon Department of Justice
11
Identified Devices
- Laptops
- Flash drives
- Micro drives
- Flash cards
- Others: iPod, Blackberry and cellular phones (covered separately by DOJ)
12
Identified Media
- CD/DVD
- Diskettes (legacy 3.5", removable HDs, etc.)
- Tapes
13
Methods
Policy
- Portable & Removable Storage Device
- Data Classification
- Media Transport
User Awareness
- Step by step instructions
- Short (30-minute) user class
14
Methods
Technology: Encryption
- USB flash drive – currently under testing: Kanguru Micro Flash Drive (FIPS 140-2 certified, AES 256 encryption, HIPAA compliant)
- Enterprise solution – researching this solution
- DriveLock: control who can attach devices to a DOJ system; control what can be attached to a DOJ system
15
Methods
Laptop encryption
- ProtectDrive – pilot test currently underway
User Controls
- Limited users
- No administrator rights on workstations
- Can use only approved devices
Backup tapes
- Fully encrypted
- Securely stored
16
Methods
Knowledge Management Solution
- Hummingbird DM – under implementation
- Enforces data classification on all information placed within the repository
- Enforces security on all information placed within the repository
- Enforces document retention on all information placed within the repository
- Audit logs: access, modification
17
Problems and Concerns
- Personal devices: control, liability, encryption
- DOJ-owned devices: administration, support, cost
- Enterprise solution: encrypted flash drives
Agency Panel
Herman Davis, Senior Network Architect
Department of Revenue
19
Identified Devices
- Laptops
- Flash drives/thumb drives
- CDs
- Blackberry and PDA
20
Laptops
Policy
- Must be encrypted unless an exception is granted
- Exceptions only for equipment used for training materials and equipment
Method
- Full drive encryption
- Centralized key management
- Clear guidelines for handling loss of equipment
User Awareness
- Transparent to user
21
Flash Drives
Policy
- Personal devices (of any type) not to be connected to Revenue network or PCs
Method
- Lock down USB ports on desktops
User Awareness
- Training and education on policy
22
CDs
Policy – Portable devices
Business Need
- Auditors required a method of transporting customer-specific information in a secure manner
- Wanted to use flash drives = risks
Method
- Burn encrypted CDs and provide to customer with password
- Customer's responsibility to dispose of CD
User Awareness
- Hands-on training for staff with a need to use this tool
23
Blackberry and PDA
Policy
- No personally-owned portable devices to connect to network or PC
Method
- Uninstall personally-owned devices
- Lock down administrative rights and USB ports on PCs
- Provide agency-owned Blackberry for individuals with a business need
24
Blackberry and PDA
Securing the Blackberry
- Password protect
- Remote management and wipe
Related Policies: E-mail security
- No Federal Tax Data or State Tax Data is to be transmitted via e-mail
25
Agency Panel
Doug Juergensen, Information Systems Division Administrator / CIO
Department of Fish and Wildlife
26
What is a portable device?
- Laptops
- USB 'memory keys'
- PDA (Personal Digital Assistants)
- Cell phones
- GPS devices
- Portable hard drives
- Combination units
- Agency data (it's not just about the hardware)
Electronic devices grew faster; now they are growing smaller. Many devices can now be considered portable and easily fit in your hand.
27
The three Cs: Connectivity
- Many devices started out as stand-alone units, difficult to use and interface (special data cables)
- Most now have plug-and-play, wizard set-up, and automated synchronization (wireless, USB)
28
The three Cs: Capability
- Devices had lacked robust applications or tools; not very sophisticated
- Today many operate a similar version of OS as a desktop computer – and can do many of the same functions
29
The three Cs: Capacity
- Not long ago, performance and storage capacity was limited; devices were bulky
- Now very powerful, small, and extremely portable
30
Capacity
- Early devices were typically limited to 16KB or 64KB (thousands of bytes)
- Credit card drives are the size of an index card and easily store 1GB (billions of bytes) or more
- 4 GB flash drive available at any store
- 8 GB flash drive is less than $100
- 64 GB flash drive available for about $1,200 – still the size of a pack of gum
- ½ TB (500GB) portable hard drives fit in your pocket!
31
Capacity
According to one source …
- 1 Terabyte (TB) is all the x-ray files in a large hospital
- 10 Terabytes is the printed collection of the U.S. Library of Congress
32
IT Management
Large number of disparate devices
- Few, if any, 'enterprise' management tools
- Limited administrative features
- Lacks consistency in standards and compliance to standards
Training
- IT staff needs training on many devices; difficult to be experts
- Employees need training but may try 'whatever works'
33
IT Management
Technical issues
- Many devices largely unsecured and unmanaged
- Often lack features we find 'essential' on any other computer: firewall, VPN (Virtual Private Network), virus protection
Support and patches
- Generally not updated or patched
34
What about policy?
- Most portable devices are the sexy, market-driven, must-have productivity tool that enhances our ability to work, but substantially increases the risk to agency data
- If you can't manage them electronically, is a written policy and employee goodwill enough?
- Can you adequately train employees about risks?
35
Compare and Contrast
Enterprise support tools
- Multi-level authority
- Automated inventory control
- Rules-based security
- Encryption
- Patch management
- Complex authentication (ID and password)
- Remote access
- Wake on LAN
- Firewall
- VPN
- Filters
- Security upgrades
Contrast the enterprise management systems such as the desktop PC, laptop, or network devices to portable devices. Ask yourself if they have …
36
Compare and Contrast
- Wireless (802.11, Bluetooth, cellular)
- Plug-and-play
Consider the ease at which portable devices can be connected to your enterprise network and the potential impact …
37
What about ODFW?
- Laptops are now secured using VPN for connections away from the office: access to e-mail, Internet, and file-sharing
- PDAs are widely used but are not Internet enabled
- USB thumb drives are available to all employees: not asset tagged, but logged in purchasing system to user or manager; considering an internal audit to assess asset control/loss
38
What about ODFW?
- Cell phone / PDA combos are few and very limited; requires approval by ISC and the Director's office
- Portable hard drives: limited deployment; requires ISD approval
39
Challenges
- Easy to use – just as easy to lose
- Small size and capacity increases the potential risk factors
- Many units deployed
- Easily shared
- Poor asset control mechanisms
40
Challenges
Immature technology
- Competitive market – rushed to deployment
Compliance to standards
- Administrative controls
- Virus protection
- Security / encryption
- Patch management and updates
IT staffing and support
- Training (help desk and employees)
41
Risk vs. Benefit
Most IT shops are faced with a dilemma
- How much risk is acceptable?
- Does the business side of the agency comprehend the complex and technical issues to make an informed decision?
- With the potential of multiple devices per employee (not just one PC), is there support for additional IT staff?
42
Questions?
43
Agency Considerations
Amy McLaughlin, Program Manager
Enterprise Security Office
44
Key Considerations
- What business drivers require the use of portable/removable devices?
- What devices are acceptable to use?
- Who needs to use these devices?
- What information should/should not be stored on these devices?
- How can the devices be protected?
45
Use of portable/removable devices
Are portable/removable devices needed?
Other options:
- E-mail, encrypted to protect sensitive information
- Secure File Transfer Protocol (SFTP)
- Upload to/download from network
- Upload to/download from Internet/intranet
46
Devices
USBs
- Consider purchasing USBs with built-in encryption
CDs / DVDs
- Consider password protecting or encrypting media
Laptops, palmtops
- Use whole-disc encryption for devices storing sensitive information
- Use encryption for individual files
47
Devices
Blackberries, PDAs
- Encrypt sensitive information
- Use a password and time-out feature
- Use remote management and wipe features
48
Authorization
- Establish policy to authorize who may use portable devices
- Determine if personal devices can be used or only agency-issued devices
49
Sensitive Information
- Establish policy to authorize what type of information can be stored/transmitted on a device
- Classify the information
- Restrict use of devices to store/transmit Level 3 and Level 4 information
- If Level 3 and Level 4 information is stored/transmitted, employ controls such as encryption
50
Controls
If use of devices is not authorized, consider appropriate controls
- Disable USB ports
- Disable CD/DVD write capability
- Remove administrative rights to PCs; prevent user ability to install hardware and software
- Define help desk procedures for handling rogue devices
- Use purchasing oversight to prevent purchase of banned devices
51
Controls
If use of devices is authorized, consider appropriate controls
- Use whole disc encryption
- Encrypt sensitive files
- Use lock-out and password protection features
- Enable remote management and remote disabling capabilities
- Use one-time-use passwords or number generators
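An added, read-only audit script (not from the forum or any of the agencies presenting) that checks a single Windows workstation against the controls on slides 50 and 51: USB storage, CD/DVD writing, local administrator rights and whole-disc encryption. It assumes Windows 8 / Server 2012 or later (for Get-BitLockerVolume) and that USB and CD/DVD restrictions are applied through the standard Removable Storage Access group policy, whose registry locations it reads; the function and variable names are my own.

```powershell
# Added audit example, not part of the forum slides. Read-only: it reports
# gaps against the slide 50/51 controls and changes nothing.
# Assumes Windows 8 / Server 2012+ and the Removable Storage Access policy.

function Get-RegValue {
    param([string]$Path, [string]$Name)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Test-RemovableDeviceControls {
    $policy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'
    # Device interface class GUIDs the Removable Storage Access policy uses.
    $cdrom     = '{53f56308-b6bf-11d0-94f2-00a0c91efb8b}'
    $removable = '{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}'

    # Slide 50, "Disable USB ports": USBSTOR Start=4 keeps the USB mass-storage
    # driver from loading; Deny_All=1 blocks every removable storage class;
    # per-class Deny_Read/Deny_Write block just removable disks.
    $usbStart      = Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR' 'Start'
    $denyAll       = Get-RegValue $policy 'Deny_All'
    $usbDenyRead   = Get-RegValue "$policy\$removable" 'Deny_Read'
    $usbDenyWrite  = Get-RegValue "$policy\$removable" 'Deny_Write'

    # Slide 50, "Disable CD/DVD write capability".
    $cdWriteDenied = Get-RegValue "$policy\$cdrom" 'Deny_Write'

    # Slide 50, "Remove administrative rights to PCs": is the current user admin?
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    $isAdmin   = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

    # Slide 51, "Use whole disc encryption": BitLocker state of the OS drive.
    $bde = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction SilentlyContinue
    $osEncrypted = ($null -ne $bde) -and ($bde.ProtectionStatus -eq 'On')

    [PSCustomObject]@{
        UsbStorageDriverDisabled = ($usbStart -eq 4)
        RemovableStorageDenied   = ($denyAll -eq 1) -or (($usbDenyRead -eq 1) -and ($usbDenyWrite -eq 1))
        CdDvdWriteDenied         = ($denyAll -eq 1) -or ($cdWriteDenied -eq 1)
        UserIsLocalAdmin         = $isAdmin
        OsDriveBitLockerOn       = $osEncrypted
    }
}

$result = Test-RemovableDeviceControls
$result | Format-List

# Summarise what still misses the slide 50/51 baseline.
$gaps = @()
if (-not $result.UsbStorageDriverDisabled -and -not $result.RemovableStorageDenied) { $gaps += 'USB storage still usable' }
if (-not $result.CdDvdWriteDenied)  { $gaps += 'CD/DVD write still allowed' }
if ($result.UserIsLocalAdmin)       { $gaps += 'current user is a local administrator' }
if (-not $result.OsDriveBitLockerOn) { $gaps += 'OS drive not protected by BitLocker' }
if ($gaps.Count -gt 0) { Write-Warning ('Control gaps: ' + ($gaps -join '; ')) } else { 'All checked controls in place' }
```

Run it under the account a normal user would log in with, since the administrator check reports on the current session; a workstation that legitimately uses flash drives (slide 51) is expected to fail the USB checks but pass the encryption check.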
52
Related Policies
- Controlling Portable and Removable Storage Devices (107-004-051)
- Information Asset Classification (107-004-050)
- Transporting Information Assets (107-004-100)
- Acceptable Use of State Information Assets (107-004-110)
- Information Technology Asset Inventory/Management (107-004-010)
53
For further information …
- Theresa Masse, DAS Enterprise Security Office, (503) 378-4896, [email protected]
- Richard Rylander, Dept. of Justice, (503) 378-5957, [email protected]
- Herman Davis, Dept. of Revenue, (503) 945-8042, [email protected]
- Doug Juergensen, Dept. of Fish and Wildlife, (503) 947-6261, [email protected]
54
Next Forum …
Encryption: Tools and Techniques
Panel Presentation
May 20, 2008