Portable and Removable Devices Information Forum


description

Portable and Removable Devices Information Forum. Theresa A. Masse, State Chief Information Security Officer, Department of Administrative Services, Enterprise Security Office. Agenda: What is a portable / removable device; Policy requirements; Agency Panel (Richard Rylander, Dept. of Justice, and others).

Transcript of Portable and Removable Devices Information Forum

Page 1: Portable and Removable Devices Information Forum

Portable and Removable Devices Information Forum

Theresa A. Masse, State Chief Information Security Officer
Department of Administrative Services, Enterprise Security Office

Page 2: Agenda

- What is a portable / removable device
- Policy requirements
- Agency Panel: Richard Rylander, Dept. of Justice; Herman Davis, Dept. of Revenue; Doug Juergensen, Dept. of Fish and Wildlife
- Key considerations
- Related policies
- Q&A

Pages 3-5: What is a portable device?

Page 6: Statewide Policy - Purpose

- To ensure the confidentiality, integrity, and availability of state information assets stored on portable or removable devices
- To properly manage portable or removable storage devices, agencies must know what devices they have, where they are, who has them, how they are being used, and what information is stored on them

Page 7: Statewide Policy - Agency Responsibilities

- Identify types of approved devices
- Govern use of personally-owned devices
- Establish ways to track devices
- Identify what information can be stored on devices
- Implement methods to secure the information on devices

Page 8: Use of portable/removable devices

- 30% are lost every year [1]
- 250,000 left in U.S. airports [2]
- 22% of users keep a list of passwords on the device [3]
- 90% have insufficient power-on protection and storage encryption [4]

Sources:
1. Estimate from SANS Institute
2. Motorola Mobile Device Security 2007
3. RSA, RSA Security Password Management Survey, September 2005
4. Gartner Group, Magic Quadrant for Mobile Data Protection, 1H04

Page 9: Agency Panel

- Richard Rylander, Dept. of Justice
- Herman Davis, Dept. of Revenue
- Doug Juergensen, Dept. of Fish and Wildlife

Page 10: Agency Panel

Richard Rylander, Security Coordinator
Oregon Department of Justice

Page 11: Identified Devices

- Laptops
- Flash drives
- Micro drives
- Flash cards
- Others: iPod; Blackberry and cellular phones (covered separately by DOJ)

Page 12: Identified Media

- CD/DVD
- Diskettes (legacy 3.5", removable HDs, etc.)
- Tapes

Page 13: Methods - Policy

- Portable & Removable Storage Device
- Data Classification
- Media Transport

User Awareness
- Step-by-step instructions
- Short (30-minute) user class

Page 14: Methods - Technology

Encryption
- USB flash drive – currently under testing: Kanguru Micro Flash Drive (FIPS 140-2 certified, AES 256 encryption, HIPAA compliant)
- Enterprise solution – researching this solution

DriveLock
- Control who can attach devices to a DOJ system
- Control what can be attached to a DOJ system

Page 15: Methods

Laptop encryption
- ProtectDrive – pilot test currently underway

User Controls
- Limited users
- No administrator rights on workstations
- Can use only approved devices

Backup tapes
- Fully encrypted
- Securely stored

Page 16: Methods - Knowledge Management Solution

Hummingbird DM – under implementation
- Enforces data classification on all information placed within the repository
- Enforces security on all information placed within the repository
- Enforces document retention on all information placed within the repository
- Audit logs: access, modification

Page 17: Problems and Concerns

- Personal devices: control, liability, encryption
- DOJ-owned devices: administration, support, cost
- Enterprise solution: encrypted flash drives

Page 18: Agency Panel

Herman Davis, Senior Network Architect
Department of Revenue

Page 19: Identified Devices

- Laptops
- Flash drives/thumb drives
- CDs
- Blackberry and PDA

Page 20: Laptops

Policy
- Must be encrypted unless an exception is granted
- Exceptions only for equipment used for training materials and equipment

Method
- Full drive encryption
- Centralized key management
- Clear guidelines for handling loss of equipment

User Awareness
- Transparent to user

Page 21: Flash Drives

Policy
- Personal devices (of any type) not to be connected to Revenue network or PCs

Method
- Lock down USB ports on desktops

User Awareness
- Training and education on policy

Page 22: CDs

Policy – Portable devices

Business Need
- Auditors required a method of transporting customer-specific information in a secure manner
- Wanted to use flash drives = risks

Method
- Burn encrypted CDs and provide to customer with password
- Customer's responsibility to dispose of CD

User Awareness
- Hands-on training for staff with a need to use this tool

Page 23: Blackberry and PDA

Policy
- No personally-owned portable devices to connect to network or PC

Method
- Uninstall personally-owned devices
- Lock down administrative rights and USB ports on PCs
- Provide agency-owned Blackberry for individuals with a business need

Page 24: Blackberry and PDA - Securing the Blackberry

- Password protect
- Remote management and wipe

Related Policies: E-mail security
- No Federal Tax Data or State Tax Data is to be transmitted via e-mail

Page 25: Agency Panel

Doug Juergensen, Information Systems Division Administrator / CIO
Department of Fish and Wildlife

Page 26: What is a portable device?

- Laptops
- USB 'memory keys'
- PDA (Personal Digital Assistants)
- Cell phones
- GPS devices
- Portable hard drives
- Combination units
- Agency data (it's not just about the hardware)

Electronic devices grew faster; now they are growing smaller. Many devices can now be considered portable and easily fit in your hand.

Page 27: The three Cs - Connectivity

- Many devices started out as stand-alone units, difficult to use and interface (special data cables)
- Most now have plug-and-play, wizard set-up, and automated synchronization (wireless, USB)

Page 28: The three Cs - Capability

- Devices had lacked robust applications or tools; not very sophisticated
- Today many operate a similar version of OS as a desktop computer – and can do many of the same functions

Page 29: The three Cs - Capacity

- Not long ago, performance and storage capacity was limited; devices were bulky
- Now very powerful, small, and extremely portable

Page 30: Capacity

- Early devices were typically limited to 16KB or 64KB (thousands of bytes)
- Credit-card drives are the size of an index card and easily store 1GB (billions of bytes) or more
- 4 GB flash drive available at any store
- 8 GB flash drive is less than $100
- 64 GB flash drive available for about $1,200 – still the size of a pack of gum
- ½ TB (500GB) portable hard drives fit in your pocket!

Page 31: Capacity

According to one source ...
- 1 Terabyte (TB) is all the x-ray files in a large hospital
- 10 Terabytes is the printed collection of the U.S. Library of Congress

Page 32: IT Management

Large number of disparate devices
- Few, if any, 'enterprise' management tools
- Limited administrative features
- Lacks consistency in standards and compliance to standards

Training
- IT staff needs training on many devices; difficult to be experts
- Employees need training but may try 'whatever works'

Page 33: IT Management - Technical issues

- Many devices largely unsecured and unmanaged
- Often lack features we find 'essential' on any other computer: firewall; VPN (Virtual Private Network); virus protection

Support and patches
- Generally not updated or patched

Page 34: What about policy?

- Most portable devices are the sexy, market-driven, must-have productivity tool that enhances our ability to work, but substantially increases the risk to agency data
- If you can't manage them electronically, is a written policy and employee goodwill enough?
- Can you adequately train employees about risks?

Page 35: Compare and Contrast

Enterprise support tools
- Multi-level authority
- Automated inventory control
- Rules-based security
- Encryption
- Patch management
- Complex authentication (ID and password)
- Remote access
- Wake on LAN
- Firewall
- VPN
- Filters
- Security upgrades

Contrast the enterprise management systems such as the desktop PC, laptop, or network devices to portable devices. Ask yourself if they have …

Page 36: Compare and Contrast

- Wireless (802.11, Bluetooth, cellular)
- Plug-and-play

Consider the ease at which portable devices can be connected to your enterprise network and the potential impact …

Page 37: What about ODFW?

- Laptops are now secured using VPN for connections away from the office: access to e-mail, Internet, and file-sharing
- PDAs are widely used but are not Internet enabled
- USB thumb drives are available to all employees: not asset tagged, but logged in purchasing system to user or manager; considering an internal audit to assess asset control/loss

Page 38: What about ODFW?

- Cell phone / PDA combos are few and very limited: requires approval by ISC and the Director's office
- Portable hard drives: limited deployment; requires ISD approval

Page 39: Challenges

- Easy to use – just as easy to lose
- Small size and capacity increases the potential risk factors
- Many units deployed
- Easily shared
- Poor asset control mechanisms

Page 40: Challenges

Immature technology
- Competitive market – rushed to deployment
- Compliance to standards
- Administrative controls
- Virus protection
- Security / encryption
- Patch management and updates

IT staffing and support
- Training (help desk and employees)

Page 41: Risk vs. Benefit

Most IT shops are faced with a dilemma
- How much risk is acceptable?
- Does the business side of the agency comprehend the complex and technical issues to make an informed decision?
- With the potential of multiple devices per employee (not just one PC), is there support for additional IT staff?

Page 42: Questions?

Page 43: Agency Considerations

Amy McLaughlin, Program Manager
Enterprise Security Office

Page 44: Key Considerations

- What business drivers require the use of portable/removable devices?
- What devices are acceptable to use?
- Who needs to use these devices?
- What information should/should not be stored on these devices?
- How can the devices be protected?

Page 45: Use of portable/removable devices

Are portable/removable devices needed? Other options:
- E-mail, encrypted to protect sensitive information
- Secure File Transfer Protocol (SFTP)
- Upload to/download from network
- Upload to/download from Internet/intranet

Page 46: Devices

USBs
- Consider purchasing USBs with built-in encryption

CDs / DVDs
- Consider password protecting or encrypting media

Laptops, palmtops
- Use whole-disc encryption for devices storing sensitive information
- Use encryption for individual files

Page 47: Devices - Blackberries, PDAs

- Encrypt sensitive information
- Use a password and time-out feature
- Use remote management and wipe features

Page 48: Authorization

- Establish policy to authorize who may use portable devices
- Determine if personal devices can be used or only agency-issued devices

Page 49: Sensitive Information

- Establish policy to authorize what type of information can be stored/transmitted on a device
- Classify the information
- Restrict use of devices to store/transmit Level 3 and Level 4 information
- If Level 3 and Level 4 information is stored/transmitted, employ controls such as encryption

Page 50: Controls

If use of devices is not authorized, consider appropriate controls
- Disable USB ports
- Disable CD/DVD write capability
- Remove administrative rights to PCs; prevent user ability to install hardware and software
- Define help desk procedures for handling rogue devices
- Use purchasing oversight to prevent purchase of banned devices
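As an added example (not from the slides or from any agency's own scripts), the following PowerShell audits, and can enforce, the first three controls on a Windows PC; it assumes an elevated Windows PowerShell 5.1+ session, uses the documented USBSTOR service key and "Removable Storage Access" policy locations, and the function names are my own.

```powershell
# Added example, not from the forum slides: audits (and optionally applies)
# the "not authorized" controls on a Windows PC through the registry.
# Assumptions: Windows PowerShell 5.1 or later, run elevated. The paths
# below are the documented locations for the USBSTOR service and the
# "Removable Storage Access" Group Policy settings; in a domain, prefer
# setting the same values centrally through a GPO.

$PolicyRoot     = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'
$RemovableDisks = "$PolicyRoot\{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}"  # Removable Disks class
$CdAndDvd       = "$PolicyRoot\{53f56308-b6bf-11d0-94f2-00a0c91efb8b}"  # CD and DVD class

# Desired state for the slide's first two bullets. Start=4 disables the USB
# mass-storage driver (USB keyboards and mice use other drivers and keep
# working); Deny_Write=1 blocks writing to removable disks and to CD/DVD
# media while still allowing them to be read.
$Desired = @(
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'; Name = 'Start';      Value = 4 }
    @{ Path = $RemovableDisks;                                    Name = 'Deny_Write'; Value = 1 }
    @{ Path = $CdAndDvd;                                          Name = 'Deny_Write'; Value = 1 }
)

function Test-RemovableStorageControls {
    # Returns one object per setting with its current value and whether it
    # matches the desired state; a missing key shows up as Actual = $null.
    foreach ($d in $Desired) {
        $actual = (Get-ItemProperty -Path $d.Path -Name $d.Name -ErrorAction SilentlyContinue).($d.Name)
        [pscustomobject]@{
            Setting   = "$($d.Path)\$($d.Name)"
            Expected  = $d.Value
            Actual    = $actual
            Compliant = ($actual -eq $d.Value)
        }
    }
}

function Set-RemovableStorageControls {
    # Creates any missing policy keys and writes the desired DWORD values.
    foreach ($d in $Desired) {
        if (-not (Test-Path $d.Path)) { New-Item -Path $d.Path -Force | Out-Null }
        Set-ItemProperty -Path $d.Path -Name $d.Name -Value $d.Value -Type DWord
    }
}

function Get-LocalAdminMembers {
    # Third bullet: list who currently holds local administrator rights so
    # that ordinary user accounts can be removed with Remove-LocalGroupMember.
    Get-LocalGroupMember -Group 'Administrators' |
        Select-Object Name, ObjectClass, PrincipalSource
}

# Audit only by default; call Set-RemovableStorageControls to enforce.
Test-RemovableStorageControls | Format-Table -AutoSize
Get-LocalAdminMembers        | Format-Table -AutoSize
```

Test the settings on a lab machine first, since disabling USBSTOR also blocks agency-issued encrypted drives unless they are handled by an allow-list solution such as the DriveLock product mentioned earlier in the deck.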

Page 51: Controls

If use of devices is authorized, consider appropriate controls
- Use whole-disc encryption
- Encrypt sensitive files
- Use lock-out and password protection features
- Enable remote management and remote disabling capabilities
- Use one-time-use passwords or number generators

Page 52: Related Policies

- Controlling Portable and Removable Storage Devices (107-004-051)
- Information Asset Classification (107-004-050)
- Transporting Information Assets (107-004-100)
- Acceptable Use of State Information Assets (107-004-110)
- Information Technology Asset Inventory/Management (107-004-010)

Page 53: For further information …

- Theresa Masse, DAS Enterprise Security Office, (503) 378-4896, [email protected]
- Richard Rylander, Dept. of Justice, (503) 378-5957, [email protected]
- Herman Davis, Dept. of Revenue, (503) 945-8042, [email protected]
- Doug Juergensen, Dept. of Fish and Wildlife, (503) 947-6261, [email protected]

Page 54: Next Forum …

Encryption Tools and Techniques
Panel Presentation
May 20, 2008