How to Control Portable Storage Devices
By: Omer Kaan Aslim
July 14, 2020
77 percent of corporate end-users surveyed have used personal flash drives for work-related purposes.
Portable storage devices (e.g., USB thumb drives) pose a security risk to organizations, but they also have legitimate use cases. Here is how your company can mitigate the risks associated with removable storage devices while still using them in a responsible manner.
What is a Portable Storage Device?
"A ‘portable storage device’ is a device that can be inserted into and removed from an information system, and is used to store data or information (e.g., text, video, audio, and/or image data)."
Examples of Portable Storage Devices
- USB Thumb Drives
- Floppy disks
- External Hard Drives
- SD Cards
Common Security Risks Associated with Portable Storage Devices
- They can carry malware. If an employee plugs an infected device into their workstation, the workstation can become infected as well.
- They make it easy to exfiltrate data. Without any security controls in place, an employee can copy their work files over and provide them to a third party.
- Most are unencrypted. If your company doesn’t provide its own encrypted USB storage devices, then chances are that employees are using unencrypted devices.
- They are easy to lose. This can impact the availability of information, and it can impact confidentiality if the device is unencrypted.
The Best Strategy for Controlling Portable Storage Devices
In my experience, the best approach is to adopt a deny-all-allow-by-exception policy towards portable storage devices. This allows employees with a business need to continue using portable storage devices while reducing security risk. Using Group Policy, you can deny all removable storage devices and then allow only authorized portable storage devices on specific workstations. This is a bit cumbersome to set up but is well worth it. Some enterprise-grade antivirus solutions, such as Bitdefender, also allow you to do this. Make sure to configure your antivirus software to scan any portable storage device connected to your systems, and disable any AutoPlay features for removable media on your operating systems. Finally, educate your users on the security risks associated with portable storage devices and on your policies towards them.
Plan for Implementing a Deny-All-Allow-By-Exception Policy
- Create an acceptable use policy for portable storage devices.
- Before blocking all portable storage devices, send out a survey to end-users to find out who uses portable storage devices and what the associated business need is.
- Verify the business needs of your users.
- Purchase encrypted portable storage devices for your users. I prefer Apricorn products because they can be used on any operating system, are encrypted, and are PIN-code protected.
- Whitelist the purchased storage devices. Enforce the whitelist with technical controls (e.g., using group policy settings).
- Distribute your company-controlled portable storage devices to users who have a business need. Be sure to document the serial number of each device and the name of the user it was provided to.
- Provide guidance to employees on the secure use of portable storage devices.
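As an added example (not from the original post, nor Cub Cyber's or Microsoft's own tooling), the following PowerShell script audits whether a workstation actually enforces the deny-all-allow-by-exception controls described in the strategy and plan above: the deny-all registry values that the standard Group Policy settings write, the device-ID exception list, AutoPlay, and an inventory of connected USB disks with serial numbers for the issuance log. The registry paths are the documented Group Policy locations; the script only reads them.

```powershell
# Added example, not from the original post: audit a Windows workstation for the
# deny-all-allow-by-exception controls described above. Assumes the policy was
# deployed with the built-in Group Policy settings, which write the registry
# values read below. Run from an elevated PowerShell session on the workstation.

$RemovablePolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'
$InstallPolicy   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions'
$ExplorerPolicy  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'

function Get-PolicyValue($Path, $Name) {
    # Returns $null when the setting is "Not configured" instead of throwing.
    (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
}

function Test-RemovableStoragePolicy {
    $findings = [ordered]@{}
    # "All Removable Storage classes: Deny all access" sets Deny_All = 1.
    $findings['Deny all removable storage access'] = (Get-PolicyValue $RemovablePolicy 'Deny_All') -eq 1
    # "Prevent installation of devices not described by other policy settings" sets DenyUnspecified = 1.
    $findings['Block unlisted device installs']    = (Get-PolicyValue $InstallPolicy 'DenyUnspecified') -eq 1
    # "Allow installation of devices that match any of these device IDs" stores the
    # exception list as string values under the AllowDeviceIDs subkey.
    $allowKey = Get-Item -Path "$InstallPolicy\AllowDeviceIDs" -ErrorAction SilentlyContinue
    $allowed  = @()
    if ($allowKey) { $allowed = @($allowKey.GetValueNames() | ForEach-Object { $allowKey.GetValue($_) }) }
    $findings['Exception list is populated']       = $allowed.Count -gt 0
    # "Turn off AutoPlay" for all drives sets NoDriveTypeAutoRun = 0xFF.
    $findings['AutoPlay disabled on all drives']   = (Get-PolicyValue $ExplorerPolicy 'NoDriveTypeAutoRun') -eq 0xFF
    [pscustomobject]@{ Findings = $findings; AllowedDeviceIds = $allowed }
}

function Get-ConnectedUsbStorage([string[]]$AllowedDeviceIds) {
    # Inventories attached USB disks (the serial numbers support the issuance log the
    # post recommends) and flags any whose hardware IDs are not on the exception list.
    Get-PnpDevice -Class DiskDrive -PresentOnly -ErrorAction SilentlyContinue |
        Where-Object { $_.InstanceId -like 'USBSTOR\*' } |
        ForEach-Object {
            $hwids = @($_.HardwareID)
            [pscustomobject]@{
                Name        = $_.FriendlyName
                # The final segment of a USBSTOR instance ID carries the device serial number.
                Serial      = ($_.InstanceId -split '\\')[-1]
                OnAllowList = [bool]($hwids | Where-Object { $AllowedDeviceIds -contains $_ })
            }
        }
}

$policy = Test-RemovableStoragePolicy
$policy.Findings.GetEnumerator() | ForEach-Object { '{0,-36} {1}' -f $_.Key, $_.Value }
Get-ConnectedUsbStorage -AllowedDeviceIds $policy.AllowedDeviceIds | Format-Table -AutoSize
```

A device reported with OnAllowList = False while the deny-all findings are True indicates an unauthorized device that the policy should be blocking; if the findings are False, the GPO has not applied to that workstation.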
Portable Storage Device Alternative
Nowadays many companies use cloud storage services like Microsoft OneDrive or Google Drive. Companies have much more control over these storage locations than they have over portable storage devices. Cloud storage services allow you to limit access to files and folders by requiring users to authenticate. File sharing is also relatively secure, as you can control who can view a file and for how long. You can even implement location-based restrictions. End-users are often unaware of these features, which is partly why some prefer to share files the old-fashioned way using a USB thumb drive. Training end-users to leverage secure cloud storage capabilities instead of USB thumb drives can benefit both productivity and security.
By not controlling the use of portable storage devices in your organization, you open the door to data leaks and malware infections. The vast majority of end-users do not require portable storage devices to fulfill their duties. In my experience, adopting a deny-all-allow-by-exception policy towards portable storage devices is a sound approach. If you have any questions, feel free to reach out to us at info[@]cubcyber.com.