Mobile storage in the age of GDPR
Mobility is great, except when it comes to data. Then it can be a massive financial and legal headache. When on the go it is easier to lose devices – and the data they contain – than when you’re buttoned up at the office. Under the EU’s General Data Protection Regulation (GDPR), violators may be fined up to €20 million or up to 4% of an enterprise’s annual worldwide turnover, whichever is greater.
While websites are the most obvious target of the GDPR, it applies to all personal data about people in the EU, no matter how it was collected. If you or your company collect personal information, you’re responsible for protecting it.
GDPR isn’t the only reason to protect mobile data. Company proprietary data, such as CAD files for new products, software code, and non-disclosure presentations, are just a few examples of data that could be very damaging if competitors obtained them. Given that state actors are looking to give their countrymen a leg up, encryption is essential.
For mobile users
This creates a serious liability for those of us who work on the move. You can encrypt your notebook, tablet, and phone, but how often do you have everything you need with you? GDPR treats encryption as an appropriate safeguard for data in transit as well as data at rest, and a VPN makes the transit part easy enough.
But download speeds can be wildly variable, and if you need to access gigabytes of data, the wait can be interminable. Also, some countries censor or monitor internet access. A better solution: an encrypted USB thumb drive.
While there are many software encryption tools, they aren’t always compatible across different operating systems and, often, not even across different versions of the same OS. A drive that does its own encryption and unlocking needs no host software, so if a Chromebook is the only computer available at a remote site, you can still work with it.
Or consider a factory floor. Headless programmable logic controllers may contain sensitive customer design data. Updates to that data can be placed on an encrypted USB drive set to autorun the update. Enter the PIN, plug in the drive, and you’ve simplified and secured the update process. One caveat: the PIN only unlocks the storage, it does not prove the update file is genuine, so the controller (or the process around it) should still verify the update’s integrity, for example with a signature or checksum, before applying it.
Encrypted mobile storage
Hardware-encrypting USB drives are the gold standard for secure mobile storage. You’ve seen them: they have tiny keypads for setting and entering a PIN, which removes the need for external software tools and makes them independent of the host operating system.
They’re available in capacities ranging from 4GB to 128GB, and typically use AES 256-bit encryption. Once the PIN is entered, the data is available at USB 3.0 speeds of up to about 500MB/s, rather than the few MB/s a remote download too often delivers.
Many companies choose to buy encrypted drives in relatively small capacities, such as 8 to 16GB. This limits the amount of data an employee can remove from the premises, as well as reducing cost.
Of course, USB drives, encrypted or not, are small physical devices, and can be lost or stolen. That’s why it’s important that the drive also be tamper-resistant, typically by encasing the electronics in epoxy so the flash chips cannot be removed and read directly.
Some vendors, such as Kingston, go a couple of steps further. They offer several forms of USB drive customization.
Endpoint management. If you use endpoint management software, such as DataLocker’s, drives can be ordered with a custom firmware identifier. The management software then allows only drives carrying that identifier to read and write data on company machines; any other USB drive is blocked.
Color coding. Custom casing colors offer another layer of physical security. Some firms and agencies use color to indicate data classification – secret, top secret – or the department – engineering, finance – the drive is allocated to.
Some take that a step further, changing each function’s color every quarter or so, to ensure that drives are regularly returned and wiped, and authorizing security staff to confiscate any drive whose color is out of date.
Drive ID info. Many drives offer an option to display an “if found, return to” message when the drive is plugged in. Some companies disable this to avoid the embarrassment of revealing that a drive has been lost. They’d rather just write it off, knowing that the data cannot be accessed.
Password tries. Users are commonly limited to 10 PIN attempts before the drive wipes itself, which in practice means destroying its encryption key so the stored data becomes unreadable. But some customers think 10 tries is too many, and reduce the retry count to 5 or fewer.
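To make the retry limit concrete, here is an added example (not Kingston’s firmware or any vendor’s code) that models a keypad drive in plain Python using only the standard library. It assumes the usual design: a random data-encryption key (DEK) is stored wrapped under a key derived from the PIN, a wrong-PIN counter persists across power cycles, and hitting the limit performs a crypto-erase, destroying the wrapped key rather than overwriting the data. The XOR-plus-HMAC key wrap and the SHA-256 stream cipher are toy stand-ins for the drive’s AES-256 engine; the PIN `0012`, the ten-try limit and the sample data are constructed for the demonstration.

```python
"""Model of a PIN-protected, self-erasing encrypted USB drive (added example).

Assumed design, not from the article: the drive holds a random DEK wrapped under
a PIN-derived key, keeps a persistent wrong-PIN counter, and crypto-erases
(destroys the wrapped key, not the ciphertext) when the counter hits the limit.
"""
import hashlib
import hmac
import os
import secrets

KDF_ITERS = 100_000  # PBKDF2 work factor; a hardware drive rate-limits instead


def _kdf(pin: str, salt: bytes) -> bytes:
    """Derive the key-encryption key (KEK) from the keypad PIN."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, KDF_ITERS, dklen=32)


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _stream_xor(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher (SHA-256 in counter mode) standing in for the drive's
    AES-256 engine. It is symmetric: the same call encrypts and decrypts."""
    out = bytearray()
    for n, start in enumerate(range(0, len(data), 32)):
        keystream = hashlib.sha256(key + n.to_bytes(8, "big")).digest()
        out += _xor(data[start:start + 32], keystream)
    return bytes(out)


class EncryptedDrive:
    def __init__(self, pin: str, max_tries: int = 10):
        self.max_tries = max_tries
        self.fails = 0          # kept in non-volatile memory on a real drive
        self.erased = False
        self.salt = os.urandom(16)
        dek = secrets.token_bytes(32)
        kek = _kdf(pin, self.salt)
        # Wrap the DEK under the KEK. The HMAC tag lets the drive distinguish a
        # wrong PIN from a right one without the DEK ever sitting unwrapped at
        # rest. (XOR + HMAC is a toy wrap, not AES Key Wrap.)
        self.wrapped = _xor(dek, kek)
        self.tag = hmac.new(kek, self.wrapped, "sha256").digest()
        self.ciphertext = b""   # survives a wipe, but is useless without the DEK

    def unlock(self, pin: str):
        """Return the DEK for a correct PIN, None otherwise. Each wrong PIN
        bumps the counter; reaching the limit crypto-erases the drive."""
        if self.erased:
            return None
        kek = _kdf(pin, self.salt)
        expected = hmac.new(kek, self.wrapped, "sha256").digest()
        if hmac.compare_digest(expected, self.tag):
            self.fails = 0      # a correct PIN resets the counter
            return _xor(self.wrapped, kek)
        self.fails += 1
        if self.fails >= self.max_tries:
            self.wrapped = bytes(32)   # key material gone: instant and irreversible
            self.tag = bytes(32)
            self.erased = True
        return None

    def write(self, pin: str, plaintext: bytes) -> bool:
        dek = self.unlock(pin)
        if dek is None:
            return False
        self.ciphertext = _stream_xor(dek, plaintext)
        return True

    def read(self, pin: str):
        dek = self.unlock(pin)
        return None if dek is None else _stream_xor(dek, self.ciphertext)


def brute_force(drive: EncryptedDrive, digits: int = 4):
    """Attacker holding the drive and trying every PIN in order. Returns the PIN
    that opened it, or None once the drive has erased itself."""
    for n in range(10 ** digits):
        if drive.erased:
            return None
        pin = f"{n:0{digits}d}"
        if drive.unlock(pin) is not None:
            return pin
    return None


if __name__ == "__main__":
    sample = b"customer CAD files (constructed sample data)"
    limited = EncryptedDrive("0012", max_tries=10)
    limited.write("0012", sample)
    print("10-try drive, brute force found:", brute_force(limited))
    print("correct PIN after the wipe reads:", limited.read("0012"))
    unlimited = EncryptedDrive("0012", max_tries=10 ** 9)
    unlimited.write("0012", sample)
    print("no-limit drive, brute force found:", brute_force(unlimited))
```

The point the model makes: a four-digit PIN falls to a few thousand guesses when there is no limit, while the ten-try drive erases itself after the guesses 0000 through 0009, leaving the attacker a 10-in-10,000 chance and the owner with ciphertext that even the right PIN can no longer open. Dropping the limit to 5 halves the attacker’s odds, at the cost of more accidental wipes by legitimate users, which is the trade-off the customers in the text are making.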
The Storage Bits take
With GDPR, companies face a whole new level of liability for lost data. If the lost device was properly encrypted and the key was not compromised, the exposure is much smaller: GDPR does not require notifying the affected individuals when the data was rendered unintelligible to whoever found it. The loss should still be recorded and assessed, since the exemption is from notifying individuals, not from the breach rules as a whole.
With the summer travel season upon us, now is a good time for IT professionals to ensure that their users have the proper equipment to comply with GDPR. Encrypted USB drives are likely to be a key component in a security plan for mobile users.
Comments welcome! I’ve done work for Kingston, but I welcome comments about other vendors and/or strategies.