Page 60 - Security Today, April 2022
Advanced Technology
Hardware-Encrypted USB Drives: Best for Compliance
In every one of these regulatory and compliance instances, hardware-encrypted USB drives—the same ones preventing you from being a victim of BadUSB—are the best option to ensure data security and meet applicable compliance regulations. Here is why:
• Encryption is always ON: There is no way for users to turn off encryption, reset the password rules (minimum length, complexity) or disable the automatic limit on password retries. Unlike software encryption, which does not prevent repeated password guessing through software dictionary attacks, the hardware versions limit password retries to 10 times or fewer—and wipe out the data when the wrong passwords are entered ten times in a row.
• Also offer custom Product IDs (PIDs) that can be set up for a specific company. These premium drives have a digital identifier programmed into them so that if a drive is plugged into the company's inner or outer firewall, the drive can be identified as a company-issued drive. For example, if an employee loses the company drive and sneakily buys the same model at retail, the newly purchased drive will not validate on the company network. This customization adds another layer of security to the use of USB drives.
• Uses a dedicated processor that is physically located on the encrypted drive.
• Processor contains random number generators to generate an encryption key, which the user's password will unlock.
• Performance is increased by off-loading encryption from the host system.
• Safeguard keys and critical security parameters within crypto-hardware.
• Authentication takes place on the hardware.
• The host PC does not require any type of driver installation or software installation.
• Protect against the most common attacks, such as cold-boot attacks, malicious code and brute force attacks.
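The custom Product ID item above describes telling a company-issued drive apart from the same model bought at retail. The following is an added example, not code from the article or from any drive vendor, showing how an endpoint inventory check could make that distinction; the vendor ID, the custom PID and the one-line record format are constructed placeholders.

```python
# Added example: classify USB devices by vendor ID (VID) and product ID (PID).
# All IDs and records below are constructed placeholders, not real vendor values.
from dataclasses import dataclass

MASS_STORAGE_CLASS = 0x08   # USB interface class code for mass storage
COMPANY_VID = 0x1234        # placeholder: vendor ID of the drive maker
COMPANY_PIDS = {0xC0DE}     # placeholder: custom PID programmed for the company

@dataclass(frozen=True)
class UsbDevice:
    vid: int
    pid: int
    interface_classes: tuple

def parse_record(line: str) -> UsbDevice:
    """Parse 'vid:pid classes=08,03' (hypothetical inventory format)."""
    ids, *fields = line.split()
    vid, pid = (int(x, 16) for x in ids.split(":"))
    kv = dict(f.split("=", 1) for f in fields)
    classes = tuple(int(c, 16) for c in kv.get("classes", "").split(",") if c)
    return UsbDevice(vid, pid, classes)

def classify(dev: UsbDevice) -> str:
    if MASS_STORAGE_CLASS not in dev.interface_classes:
        return "not-storage"            # keyboards, mice, etc. are out of scope here
    if dev.vid == COMPANY_VID and dev.pid in COMPANY_PIDS:
        return "company-issued"         # custom PID matches the allowlist
    if dev.vid == COMPANY_VID:
        return "retail-lookalike"       # same maker, but not the company's PID
    return "unapproved-storage"

def audit(lines):
    """Return (record, verdict) pairs; malformed records are flagged, not skipped."""
    results = []
    for line in lines:
        try:
            results.append((line, classify(parse_record(line))))
        except ValueError:
            results.append((line, "unparseable"))
    return results

SAMPLE = [                      # constructed sample inventory
    "1234:c0de classes=08",     # company drive with the custom PID
    "1234:1666 classes=08",     # same model bought at retail
    "abcd:0001 classes=08",     # unrelated flash drive
    "5678:0002 classes=03",     # HID device, not storage
    "not-a-record",
]

if __name__ == "__main__":
    for record, verdict in audit(SAMPLE):
        print(f"{verdict:20} {record}")
```

VID and PID are values the device reports about itself, so a match here is an identification signal for policy and inventory rather than proof of authenticity.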
Software Encryption: Big No-No for Compliance Purposes
For many school security professionals, software encryption can offer the same encryption capabilities as hardware-encrypted USB drives but at a lower cost. Schools moving to software encryption for compliance purposes do so at their own risk, as there is a definite dark side to software-based encryption.
Software encryption is considered removable encryption. That means users can remove the software encryption feature from their USB drives. Why, you ask, would they? Simply put, because they can, and they don't want to mess with having to use a password, or they forgot the password but needed to use the USB drive.
All is good, except for compliance purposes. The ease of removing data encryption means that the drive is now unencrypted, and the data that was encrypted on the drive is considered lost forever once the encryption is removed. Therefore, any data copied on the device once the encryption is removed is considered unsecured and potentially out of compliance, which can risk a violation of regulations.
Richard Kanadjian is currently the Technology and Business Manager of Kingston Technology's Encrypted USB unit. He joined Kingston in 1994 and has served the company in a variety of roles for both the Flash and DRAM divisions. Among his many positions, Mr. Kanadjian was a field applications engineer in the company's strategic OEM division, where he helped build relationships with leading PC and chipset manufacturers. Prior to his current role, Mr. Kanadjian was part of the SSD product engineering department, helping develop and support Kingston's enterprise SSDs on both a technical and customer level. Richard can be reached online at pr@kingston.com and via the Kingston company website at http://www.kingston.com.
16 campuslifesecurity.com | MARCH/APRIL 2022