Those who work with sensitive data must take special care when storing files on removable media such as USB flash drives. Encryption is the best way to protect this data from disclosure if the media is lost or stolen: it makes the files indecipherable to anyone who does not have the password or key.
The UM Box service encrypts data both in transit and at rest. Cloud storage is not always practical, though, and it may not be permitted for all types of sensitive data. When cloud storage is not an option, an encrypted USB drive is usually the most practical medium for storing and sharing the data.
The simplest and most secure option is a USB drive with built-in hardware encryption. The Office of Information Technology (IT) has tested Kingston’s IronKey™ D300 USB flash drive with good results.
There are several benefits to using this drive and hardware-based encryption technology:
- They are specifically designed to protect sensitive data – the security is built into the device.
- They come in several storage capacities. 16 GB is a solid minimum recommendation.
- They are simple to set up and use. You do not have to be a techie to use hardware encryption.
- They prompt for a password when inserted into a computer, and the password can be easily changed.
- They are compatible with Mac and Windows. No special drivers or prior setup are necessary.
- They meet federal standards (FIPS 140-2 Level 3 validated) and most compliance obligations.
Importantly, if a hardware-encrypted device used for sensitive data is lost, the data on it remains protected, and the loss would likely NOT result in a reportable incident (you should still report the loss to IT so it can be documented). Most would consider the extra cost justifiable: peace of mind and cheap insurance against a data breach.
One alternative to a purpose-built drive is software-based full-disk encryption (for example, Microsoft BitLocker To Go on Windows). This can be applied to almost any USB drive, but it typically requires more technical knowledge, and the user is responsible for configuring it correctly. Also, if a drive used to store legally sensitive data is lost, you may be required to prove that the software encryption was implemented properly (for example, that the whole volume was encrypted and protected before the loss) in order to avoid a public breach notification, so keep a record of how and when the drive was encrypted.
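As an added example of the software alternative (this is not code from the original page or a UM IT procedure), the following PowerShell enables BitLocker To Go on a removable drive, adds a recovery password for escrow, waits for encryption to finish, and produces a dated status record of the kind you would want to keep as evidence that the encryption was in place. It assumes Windows 10/11 Pro or Enterprise, an elevated PowerShell session, and a drive mounted as E:; the drive letter, the function name Test-RemovableDriveEncrypted and the escrow step are assumptions for illustration.

```powershell
# Added example, not from the original page: enable BitLocker To Go on a
# removable drive and record evidence that encryption completed.
# Assumptions: Windows 10/11 Pro or Enterprise, an elevated PowerShell session,
# and that the USB drive is mounted as E: (change $Drive to match).

$Drive = 'E:'

# 1. Encrypt the drive with a password protector. Without -UsedSpaceOnly the
#    whole volume is encrypted, which also covers remnants of deleted files in
#    free space. XtsAes256 is the strongest option; use Aes256 instead if the
#    drive must also be readable on Windows 7/8.1.
$Password = Read-Host -AsSecureString -Prompt "Password for $Drive"
Enable-BitLocker -MountPoint $Drive -PasswordProtector -Password $Password `
    -EncryptionMethod XtsAes256

# 2. Add a 48-digit recovery password and store it somewhere other than the
#    drive (e.g. with your IT key-escrow process) in case the password is lost.
$Recovery = Add-BitLockerKeyProtector -MountPoint $Drive -RecoveryPasswordProtector
$RecoveryKey = ($Recovery.KeyProtector |
    Where-Object KeyProtectorType -eq 'RecoveryPassword').RecoveryPassword
Write-Host "Recovery password (escrow this; do not keep it on the drive): $RecoveryKey"

# 3. Wait for encryption to finish. Until VolumeStatus is FullyEncrypted the
#    drive still holds plaintext, and the "it was encrypted" argument does not hold.
do {
    Start-Sleep -Seconds 10
    $vol = Get-BitLockerVolume -MountPoint $Drive
    Write-Host ("{0}: {1}% encrypted" -f $vol.VolumeStatus, $vol.EncryptionPercentage)
} while ($vol.VolumeStatus -eq 'EncryptionInProgress')

# 4. Produce a dated record that the drive was fully encrypted and protected.
#    Save this output (e.g. to a ticket) as the evidence you may need if the
#    drive is later lost. Function name is an assumption for this example.
function Test-RemovableDriveEncrypted {
    param([string]$MountPoint)
    $v = Get-BitLockerVolume -MountPoint $MountPoint
    [pscustomobject]@{
        Checked          = (Get-Date).ToString('s')
        MountPoint       = $MountPoint
        VolumeStatus     = $v.VolumeStatus
        ProtectionStatus = $v.ProtectionStatus
        EncryptionMethod = $v.EncryptionMethod
        Protectors       = ($v.KeyProtector.KeyProtectorType -join ',')
        Compliant        = ($v.VolumeStatus -eq 'FullyEncrypted' -and
                            $v.ProtectionStatus -eq 'On')
    }
}
Test-RemovableDriveEncrypted -MountPoint $Drive | Format-List
```

Encrypting a drive this way keeps the files already on it; the script never formats or wipes anything. The Compliant field is only true once the volume is fully encrypted and protection is on, so a record showing Compliant = True with a timestamp before the loss is what you would present to show the encryption was implemented properly.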
- Technology such as this should only be procured from reputable approved sources.
- Mobile computing devices or removable storage media must be approved by IT before they can be used to store sensitive information.
- Sensitive data must be properly encrypted on UM mobile computing devices or removable storage media.
- Some sensitive data and Personally Identifiable Information (PII) may be regulated and have encryption requirements defined by law (e.g., HIPAA, GLBA, ITAR/EAR, FISMA, certain CUI).
- Please refer to the UM Information Confidentiality/Security Policy and the Storage Platform Guide in Appendix A for any additional requirements and restrictions.
If you have any questions, please contact UM IT Security.
Tags: infosec, IT Security, security