Not long ago we released the revamped USB Enforced Encryption from Endpoint Protector 4 DLP which has been implemented successfully by many of our customers. We received great feedback, so we want to share more details about this solution with you.
What is Enforced Encryption?
For some time now, Enforced Encryption has been a security best practice for USB devices, e-mail, internal HDDs, communication protocols, etc. Currently, we provide Enforced Encryption for USB devices, allowing organizations to remotely deploy EasyLock, our USB encryption software, through Endpoint Protector 4 and thus forcing users to use only encrypted devices when transferring data. Instead of denying access to these devices, which would be impractical, with USB Enforced Encryption you protect data in case USB drives are lost or stolen.
Enforced Encryption is used for two strong reasons: security and compliance. To achieve security, organizations should encrypt data in transit and data at rest and should always make sure that the decryption keys remain under their control. Compliance goes hand in hand with security, so implementing security best practices is usually a direct route to it. Also for compliance, auditors require businesses to have the same security controls on both Windows and Mac OS X, mainly because Macs are now integrated into the enterprise.
The solution is mostly used in financial companies because they collect and process highly sensitive financial records that could trigger a disaster for organizations and individuals if they were disclosed to unauthorized parties. Of course, that doesn’t mean other industries are not supposed to use it or that they do not use it.
Advantages of using our USB Enforced Encryption solution:
- Security and compliance
- Fast and easy installation
- Convenient licensing
- Increased control
- Increased employees’ awareness
- Alerts in case of security incidents
- Simplified user experience
Enforced USB Encryption with TrustedDevices
Developed by our team, the TrustedDevices architecture is an innovative concept and technology, designed to link Data Loss Prevention at the endpoint level with encryption at the device level. It is integrated into Endpoint Protector and EasyLock, the application featuring enterprise grade portable data encryption for increased data control at the device level.
There are 6 security levels for TrustedDevices in Endpoint Protector 4 Device Control solution:
- Allow Access if TD Level 1
This is software-based encryption, turning any USB device into a TrustedDevice Level 1 with the EasyLock software. The encryption application has to be installed beforehand by the Administrator on the USB device, and the Endpoint Protector client has to be installed on the employee's computer. When the user accesses the device, the EasyLock wizard pops up and a password has to be set up, which decrypts the data already on the device. Newly transferred data is encrypted on the fly and protected by that password.
- Allow Access if TD Level 2
This is a medium security level with biometric data protection or advanced software-based data encryption, including Trek ThumbDrive.
- Allow Access if TD Level 3
Required by HIPAA, SOX, GLBA, Basel II, PCI, and other regulations, the TD Level 3 is a high-security level with strong hardware-based encryption. Some of the devices that are compatible with our TD Level 3 policy are devices encrypted with BitLocker, FileVault, iStorage datAshur, Kingston DataTraveler Locker, SaferZone Token, Verbatim V-Secure, Buffalo SecureLock, Kanguru Defender Elite, and others.
- Allow Access if TD Level 3, otherwise Read Only
This policy is related to the one above: if a device that is not on the list is connected, users will only be able to read the files on it, but not copy them to another location, rename them, etc.
- Allow Access if TD Level 4
This level ensures maximum security for military, government, and intelligence agency use. Level 4 TrustedDevices use hardware encryption and are FIPS 140 certified. Devices that work with the TD Level 4 policy are SafeStick BE, Kanguru Elite (2000 & 3000), and Stealth MXP Bio.
- Allow Access if TD Level 1+
As an upgrade from TD Level 1, this is the latest added level. The improvement includes the remote installation of EasyLock on portable storage devices, saving time and making the encryption process easy and straightforward. When USB storage devices are connected to employees’ computers that have the Endpoint Protector client installed, EasyLock is pushed automatically, forcing users to transfer data only to the encrypted container of the device.
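To make the six policy options above concrete, here is an added example (not Endpoint Protector or EasyLock code) that models the decision an endpoint agent would take for a connected drive. The device classification rules, the "higher TD level satisfies a lower policy" ordering and the action names are this example's own assumptions.

```python
"""Toy model of the TrustedDevice (TD) policy options described above.
Assumption: a device at a higher TD level satisfies a policy that asks
for a lower level; this ordering is not stated on the page."""
from dataclasses import dataclass
from enum import Enum


class Action(Enum):
    ALLOW = "allow"                   # full read/write access
    READ_ONLY = "read only"           # fallback of "TD Level 3, otherwise Read Only"
    PUSH_EASYLOCK = "push EasyLock"   # TD Level 1+: deploy the encrypted container first
    DENY = "deny"


@dataclass(frozen=True)
class UsbDevice:
    has_easylock: bool = False        # EasyLock already installed by the admin (TD 1)
    biometric: bool = False           # biometric / advanced software encryption (TD 2)
    hardware_encrypted: bool = False  # hardware-based encryption (TD 3)
    fips140: bool = False             # hardware encryption plus FIPS 140 certification (TD 4)


def td_level(dev: UsbDevice) -> int:
    """Assumed classification, ordered as on the page: 4 > 3 > 2 > 1 > 0."""
    if dev.hardware_encrypted and dev.fips140:
        return 4
    if dev.hardware_encrypted:
        return 3
    if dev.biometric:
        return 2
    if dev.has_easylock:
        return 1
    return 0  # plain, unencrypted drive, e.g. an employee's own BYOD stick


def decide(policy: str, dev: UsbDevice) -> Action:
    """Map one of the six policy names plus a device to an access decision."""
    level = td_level(dev)
    if policy == "TD Level 1+":
        # Already-encrypted devices pass; anything else gets EasyLock pushed so
        # that data can only be written into the encrypted container.
        return Action.ALLOW if level >= 1 else Action.PUSH_EASYLOCK
    if policy == "TD Level 3, otherwise Read Only":
        return Action.ALLOW if level >= 3 else Action.READ_ONLY
    required = {"TD Level 1": 1, "TD Level 2": 2, "TD Level 3": 3, "TD Level 4": 4}[policy]
    return Action.ALLOW if level >= required else Action.DENY
```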
Why is TD Level 1+ more commonly used than Level 2, 3, and 4?
First of all, a common scenario in organizations is that employees bring their own USB sticks (BYOD) to work and connect them to company computers. So, even if companies give users hardware-encrypted devices, it frequently happens that employees use their own USB thumb drives, which most of the time are not encrypted. In this case, implementing TD Level 1+ with Endpoint Protector 4 forces users to encrypt any USB device they connect.
Secondly, hardware-encrypted devices are far more expensive than regular USB devices combined with the EasyLock software encryption. A simple Google search shows that a hardware-encrypted 16 GB datAshur device costs £72.03 on Amazon UK, while a Kingston 16 GB device is £5.99 and the EasyLock perpetual license starts at £19.89. Therefore, it is more cost-effective to give employees regular USB drives with software encryption than hardware-encrypted devices. In the end, businesses want a solution that is affordable, cross-platform, and easy to use.
A third reason is the fact that USB devices encrypted with BitLocker or FileVault work only on Windows and Mac OS X respectively. They cannot be used across the two operating systems, making both Administrators' and users' jobs complicated. So, even if they are free, these encryption solutions are best suited to Windows-only or Mac OS X-only networks, not mixed ones.
EasyLock Enforced Encryption works on both Windows and Mac OS X, simplifying things for cross-platform networks. Two important Endpoint Protector 4 features related to EasyLock are File Tracing and Offline File Tracing. File Tracing is the capability of recording which files have been transferred to EasyLock encrypted devices, and the offline variant means that files are still tracked when the computer is outside the company network. These features offer great visibility into data movement to USB storage devices, so even though the data is safely encrypted, Administrators can choose to completely deny access to devices or to report incidents to management based on the type of data being copied.
Device Control combined with USB Enforced Encryption is a powerful security solution, minimizing the risks associated with lost or stolen portable storage devices. Should you choose to extend your security implementation with hardware- or software-based encryption, take the time to weigh the pros and cons of each option against your infrastructure, your users' profile, your budget, the type of data to secure, and other details important to your company.