I’ve talked to several organizations (commercial and federal government) that have banned the use of all USB flash drives as part of a data loss prevention (DLP) strategy. This may indeed be necessary, and it provides immediate protection against one channel of data loss. However, it’s a blunt, coarse control that doesn’t solve the underlying problem. Such drastic policies get in the way of legitimate users trying to do their job. Worse, such policies are merely “security theatre” if the other ways information can escape (email, instant messaging, fax, FTP, VoIP, printing and so on) aren’t also addressed.
So what is the root of the problem? Consider what we’ve learned from application security. There is broad industry consensus that shielding and patching after the fact are symptoms of a faulty development process. For example, we can put up a web application firewall to shield a vulnerable application, but we haven’t solved the problem: the vulnerability is still there, and the shield only covers the traffic it can see. To properly address application security issues we must change the way we produce (and procure) applications. We have to get back further into the development process, to the point where new applications are designed and written.
Let’s apply this insight to information security. Banning USB flash drives is symptomatic of a faulty information security lifecycle process. Rather than treat the symptoms, we must get back further into the information lifecycle to understand how, when and where sensitive information will be created or acquired. It’s at this point in the information lifecycle that we need to define (and enforce) policies on the information as it moves on to be consumed by systems and users.
Instead of a policy like “nobody is allowed to use a USB flash drive”, a control that enforces a policy like “anyone can use a USB flash drive, but don’t allow sensitive data to be copied to a USB drive” makes more sense. Better, how about a control that enforces a policy like “don’t allow sensitive data to be copied to a USB drive unless the data (or the drive itself) is encrypted”.
The problem is, we don’t really have a good handle on what data is sensitive, how it is used, how it moves around, which systems and users rely on it, and how and where it is stored. That’s the real problem DLP projects need to tackle: a control like “block sensitive data unless it is encrypted” is only as good as the classification that tells it what “sensitive” means.
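To make the three USB policies above concrete, and to show why the classification problem is the real one, here is an added example (not from the original post, and not any vendor’s DLP product) of a small content-aware policy decision for a write to removable media. The sample files, the detectors (Luhn-checked card numbers, a US SSN pattern, classification markings), the entropy threshold and the origin-label mechanism are all assumptions made for the illustration; a real endpoint agent would hook the file write and pull the drive’s encryption status from the OS rather than take it as a parameter.

```python
"""Content-aware USB copy policy: classify what is being written, then decide.

Added illustration, not the author's code or a product's. The detectors are
deliberately simple; the point is that every policy except the blanket ban
depends entirely on how well classify() knows what "sensitive" means.
"""
from __future__ import annotations

import hashlib
import math
import re
from collections import Counter
from enum import Enum

# Constructed sample files, standing in for what a user drags onto a USB stick.
PLAIN_CARD = b"Customer: J. Doe\nCard: 4111 1111 1111 1111\nExp: 12/27\n"
PLAIN_MEMO = b"CONFIDENTIAL - board memo\nQ3 numbers attached.\n"
PLAIN_NOTE = b"Lunch menu for Friday: soup, sandwich, salad.\n"
ARMORED = b"-----BEGIN PGP MESSAGE-----\n\nhQEMA...\n-----END PGP MESSAGE-----\n"
# 4 KiB of deterministic pseudo-random bytes: what a ciphertext blob looks like.
BINARY_BLOB = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(128))

CARD_RE = re.compile(rb"\b(?:\d[ -]?){12,18}\d\b")   # 13-19 digits, spaces/dashes allowed
SSN_RE = re.compile(rb"\b\d{3}-\d{2}-\d{4}\b")
MARKINGS = (b"CONFIDENTIAL", b"SECRET", b"INTERNAL ONLY")  # assumed marking scheme


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, used to reject 16-digit numbers that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def classify(data: bytes) -> set[str]:
    """Content inspection: return the sensitivity labels found in the bytes."""
    labels: set[str] = set()
    for m in CARD_RE.finditer(data):
        digits = re.sub(rb"[ -]", b"", m.group()).decode()
        if luhn_ok(digits):
            labels.add("PAN")
    if SSN_RE.search(data):
        labels.add("SSN")
    if any(mark in data for mark in MARKINGS):
        labels.add("MARKED")
    return labels


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; plaintext sits well below 7, ciphertext close to 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def looks_encrypted(data: bytes) -> bool:
    """Cheap heuristics: a known ciphertext container, or near-random bytes.
    Caveat: compressed data is also high-entropy, so this alone over-approves."""
    if data.startswith(b"-----BEGIN PGP MESSAGE-----"):
        return True
    return len(data) >= 256 and shannon_entropy(data) > 7.5


class Policy(Enum):
    BAN_ALL = "nobody may use a USB drive"
    BLOCK_SENSITIVE = "USB allowed, but sensitive data may not be copied"
    REQUIRE_ENCRYPTION = "sensitive data may be copied only if encrypted"


def decide(policy: Policy, data: bytes, origin_labels: frozenset[str] | set[str] = frozenset(),
           drive_encrypted: bool = False) -> tuple[bool, str]:
    """Return (allowed, reason) for writing `data` to a removable drive.

    origin_labels are labels attached when the information was created
    (the lifecycle point the post argues for); they survive encryption,
    whereas content inspection sees nothing useful inside ciphertext.
    """
    if policy is Policy.BAN_ALL:
        return False, "removable media banned"
    labels = classify(data) | set(origin_labels)
    if not labels:
        return True, "no sensitive content detected"
    if policy is Policy.BLOCK_SENSITIVE:
        return False, f"sensitive content {sorted(labels)} may not leave on USB"
    if drive_encrypted or looks_encrypted(data):
        return True, f"sensitive content {sorted(labels)}, but encrypted"
    return False, f"sensitive content {sorted(labels)} in the clear"


if __name__ == "__main__":
    for name, blob in [("card", PLAIN_CARD), ("memo", PLAIN_MEMO), ("note", PLAIN_NOTE)]:
        for pol in Policy:
            print(f"{name:5s} {pol.name:19s} -> {decide(pol, blob)}")
```

Note the asymmetry the example exposes: an unlabelled file full of card numbers is caught by content inspection, but the same data, already encrypted at the source, is invisible to it and passes on the "no sensitive content" branch. Only the label attached when the data was created (`origin_labels`) lets the REQUIRE_ENCRYPTION policy distinguish "encrypted PAN data, fine" from "plaintext PAN data, blocked", which is why the post puts the policy definition at the point of creation rather than at the USB port.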
Instead, we treat the symptoms… like banning USB flash drives.