Remote Kill Policies – Not so Simple

In the world of managed secure USB storage devices we are seeing more requests for a “Remote Kill” or “Remote Wipe” feature. The idea is quite simple. From a central point of management an administrator can mark a particular device (say by serial number) to be disabled or wiped whenever it is detected plugged into some machine on the Internet. Sounds great, right? It would be, except that achieving this capability in reality is not so simple.

I can think of two common remote kill scenarios that organizations are interested in:
· Lost or stolen device
· Rogue employee

If a device goes missing, there is great peace of mind in knowing that the data on the device is completely inaccessible should it end up in the hands of anyone but the owner. Remote kill would certainly ensure that this is the case. However, strong authentication mechanisms and policies (password rules, retry limits, device blocking on too many bad attempts, etc.) and hardware-based encryption can achieve the same level of assurance that your data is safe and inaccessible without deploying remote kill. That being said, if you hadn’t set up your authentication policies properly or your device security is not fully implemented in hardware, then a remote kill feature would definitely be a good remedy in this situation.

The rogue employee scenario is where it starts getting a bit complicated.  To understand why, we need to look at how remote kill works for a USB device.  Making remote kill 100% effective over the Internet requires some kind of policy enforcement server to be involved in every attempt to access the device (by 100% effective I mean that when an administrator wants to kill a device, the policy takes effect immediately and kills the device the next time it is accessed).  The policy server would ideally take part in the authentication process and a user would not be able to access the device without the server also permitting it.  At this level of involvement the remote kill function can be a message from the policy server to execute a data destruct or block command on the device, instead of the usual authentication.

Unlike cell phones, USB storage devices do not have an “always on” connection to some central location. They are only Internet accessible if the machine they are plugged into has a connection. You could enforce a strict connection policy, but it would mean that employees cannot access their removable storage in off-line environments like on a plane. To address the need for off-line access, some remote kill implementations allow grace periods, during which you can access your device for a certain period of time or a certain number of times before you need to make a connection to the policy server.

The rogue employee scenario makes the policy decision rather difficult.  Say you want to terminate the employee.  You’d like to be able to disable all access to sensitive information immediately.  The employee, knowing that he is about to be terminated and knowing that there are grace periods, simply needs to disconnect from the network and copy all the data from his USB device in one session.  Unfortunately, in this situation, the grace period allows remote kill to be easily defeated just when you need it the most.

There are options that help mitigate the risks while providing more off-line flexibility.  For example you may allow grace periods for frequent travelers but not for other employees.  Alternatively, grace periods could be disabled for office employees or teleworkers because network connectivity is required for productivity anyway.  You might only allow removable storage devices to be used on managed machines even when they are off-line (McAfee ePO has this capability with MXI Security USB devices).  This approach works if you have also implemented good data leakage prevention on the corporate machines. 
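
The trade-off between grace periods and kill latency can be modelled in a few lines. This is an added example, not code from any vendor's product: the `Device` and `PolicyServer` classes, the count-based grace allowance and the serial number are all constructed for illustration, and the user's password is assumed to be correct on every attempt.

```python
from dataclasses import dataclass

@dataclass
class Device:
    serial: str
    grace_uses: int        # off-line unlocks allowed between check-ins (0 = none)
    offline_left: int = 0  # remaining allowance, stored on the device
    killed: bool = False

class PolicyServer:
    """Hypothetical central management point holding the kill list."""
    def __init__(self):
        self.kill_list = set()

    def mark_for_kill(self, serial):
        self.kill_list.add(serial)

def unlock(device, server, online):
    """Decide one access attempt: 'granted', 'denied' or 'killed'."""
    if device.killed:
        return "denied"
    if online:
        if device.serial in server.kill_list:
            # The server sends a destruct/block command instead of authenticating.
            device.killed = True
            device.offline_left = 0
            return "killed"
        device.offline_left = device.grace_uses  # check-in refreshes the allowance
        return "granted"
    # Off-line: the device cannot learn that it has been marked for kill.
    if device.offline_left > 0:
        device.offline_left -= 1
        return "granted"
    return "denied"

def termination_timeline(grace_uses):
    """Replay: normal use, admin marks the device, off-line attempt, on-line attempt."""
    server = PolicyServer()
    dev = Device(serial="SN-EXAMPLE-0001", grace_uses=grace_uses)  # constructed serial
    results = [unlock(dev, server, online=True)]
    server.mark_for_kill(dev.serial)
    results.append(unlock(dev, server, online=False))
    results.append(unlock(dev, server, online=True))
    return results

if __name__ == "__main__":
    for uses in (3, 0):
        print(f"grace_uses={uses}: {termination_timeline(uses)}")
```

With a grace allowance of 3 the off-line attempt after the kill decision is still granted; with the allowance set to 0, as suggested above for office employees, the same attempt is denied.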
 
You can’t get away from the fact that there are always risk/cost/productivity tradeoffs when it comes to security policies and remote kill is no exception.  If you are looking at remote kill for USB devices, be aware of the limitations and think about whether the available policies are going to suit your security needs.
 

 

