Enterprise environments that handle DoD or other highly sensitive information frequently have to decide how to handle removable USB drives. To meet NIST SP 800-171 and CMMC requirements for ITAR and CUI data, the drives must be encrypted and their use controlled.
Removable USB data drives are a key business requirement, especially in engineering environments that rely on on-site equipment. Low-level hardware work, and the exchange of information between managed and unmanaged systems in R&D environments, typically requires USB drives to flash, program, or move data across systems. Air-gapped environments also have a valid business need to move data in and out.
While there are a number of solutions that can help, there is one that I recommend.
Recommended Solution: SecureData Drives with AzureAD integrated Remote Management
When working with removable media you need to take a few items into account:
- Data at rest stays encrypted per FIPS 140-2
- Data is accessed only by authorized persons, using each individual's identity, in an auditable way
- If the drive is lost or stolen, the data can be remotely wiped and access restricted
- All unlocks of the drive are audited and tracked
- Management overhead is minimized by integrating with the existing Azure Active Directory
Some additional items to consider:
- Ensure data can only be accessed after the assigned individual authenticates with MFA
- Ensure the data can only be accessed from an approved geo-location
- Drive data can be reassigned and accessed after the original owner leaves the company or organization
- Allow more than one account to access the data on a drive, with each account audited individually
Relevant NIST SP 800-171 controls:
- 3.3.2 – Ensure that the actions of individual system users can be uniquely traced to those users, so they can be held accountable for their actions.
- 3.8.1 – Protect (i.e. physically control and securely store) system media containing CUI, both paper and digital.
- 3.8.5 – Control access to media containing CUI and maintain accountability for media during transport outside of controlled areas.
- 3.8.6 – Implement cryptographic mechanisms to protect the confidentiality of CUI stored on digital media during transport unless otherwise protected by alternative physical safeguards.
- 3.8.7 – Control the use of removable media on system components
- 3.8.8 – Prohibit the use of portable storage devices when such devices have no identifiable owner.
- 3.9.2 – Ensure that organizational systems containing CUI are protected during and after personnel actions such as terminations and transfers.
- Authentication to Remote Management (RM) uses SAML. SAML authenticates the user to the IdP (Azure Active Directory) but tells the IdP nothing about the client device the user is signing in from.
- You therefore need Intune endpoint management (or JAMF) to verify the compliance and health of the endpoint (iOS/Android), and a Conditional Access policy that requires a compliant device.
- Having a defined procedure and system for blocking a user's access when needed is important.
- SecureData Remote Management does not have a mechanism for emergency blocking of access to a drive that is already unlocked.
- In an emergency, blocking access will need to rely on the Intune remote lock/wipe process to prevent continued access after the lockdown.
- Even with these technical controls, the end user can connect the drive to any system. Policies and processes are needed to ensure data is only placed on approved systems.
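The emergency-block procedure above, as an added example that is not part of the original post and not a SecureData tool: a Microsoft Graph PowerShell runbook that disables the account (stopping new SAML sign-ins to RM), revokes existing sessions, removes the user from the group the drive policies are scoped to, and then locks or wipes the user's Intune-managed devices because an already-unlocked drive stays readable on the endpoint. The group name, the scope list, and the module names are assumptions for this example; the vendor-side remote wipe of the drive itself is still done in the RM console and is not automated here.

```powershell
#Requires -Modules Microsoft.Graph.Authentication, Microsoft.Graph.Users, Microsoft.Graph.Users.Actions, Microsoft.Graph.Groups, Microsoft.Graph.DeviceManagement, Microsoft.Graph.DeviceManagement.Actions
# Example emergency-block runbook (added here, not from the original post or from SecureData).
# Usage: .\Block-DriveUser.ps1 -UserPrincipalName jdoe@contoso.com [-Wipe]
param(
    [Parameter(Mandatory)] [string] $UserPrincipalName,
    # Assumed name of the group that drive assignments and the Conditional Access policy are scoped to.
    [string] $AccessGroupName = "SecureData-Drive-Users",
    # Default action is a remote lock; -Wipe escalates to a device wipe.
    [switch] $Wipe
)

$scopes = @(
    "User.ReadWrite.All",
    "Group.ReadWrite.All",
    "DeviceManagementManagedDevices.Read.All",
    "DeviceManagementManagedDevices.PrivilegedOperations.All"
)
Connect-MgGraph -Scopes $scopes | Out-Null

$user = Get-MgUser -UserId $UserPrincipalName -Property Id,UserPrincipalName,AccountEnabled

# 1. Stop new sign-ins to Remote Management: disable the account and revoke refresh tokens.
#    Access tokens already issued remain valid until they expire, so step 3 is still required.
Update-MgUser -UserId $user.Id -AccountEnabled:$false
Revoke-MgUserSignInSession -UserId $user.Id | Out-Null

# 2. Remove the user from the access group so drive assignments and the CA policy no longer apply.
$group = Get-MgGroup -Filter "displayName eq '$AccessGroupName'"
if ($group) {
    try {
        Remove-MgGroupMemberByRef -GroupId $group.Id -DirectoryObjectId $user.Id -ErrorAction Stop
    } catch {
        Write-Warning "$UserPrincipalName was not a member of $AccessGroupName"
    }
} else {
    Write-Warning "Group $AccessGroupName not found; skipping membership removal"
}

# 3. A drive that is already unlocked is readable until the host is locked or wiped, so act on
#    every Intune device enrolled to this user. Remote lock support varies by platform; wipe
#    is the fallback where lock is not supported.
$devices = Get-MgDeviceManagementManagedDevice -Filter "userPrincipalName eq '$($user.UserPrincipalName)'"
$actions = foreach ($d in $devices) {
    if ($Wipe) {
        Invoke-MgWipeDeviceManagementManagedDevice -ManagedDeviceId $d.Id
        $action = "wipe"
    } else {
        Invoke-MgRemoteLockDeviceManagementManagedDevice -ManagedDeviceId $d.Id
        $action = "remoteLock"
    }
    # Record what was done for the incident timeline (3.3.2 accountability).
    [pscustomobject]@{
        User     = $user.UserPrincipalName
        Device   = $d.DeviceName
        Platform = $d.OperatingSystem
        Action   = $action
        Time     = (Get-Date).ToString("o")
    }
}
$actions | Format-Table -AutoSize
```

Disabling the account alone is not enough: the unlocked drive is a local block device on the endpoint until the host is locked or wiped, and the drive itself still has to be remotely wiped or revoked in the RM console as a separate manual step.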
Key Advantages to SecureData Drives:
- Requires authentication and authorization before access to the drive is allowed
- Unlike other encrypted drives, the SecureData drive's management channel is fully isolated from the data channel, so SecureData itself cannot access the data on the drives.
- Allows remote wipe of drives
- Allows Geo-Fencing to restrict where the drive can be used
- Allows Time restrictions on when the drive can be used
- Integration with Azure AD ensures MFA is completed before unlock (when your Conditional Access policy requires it)
- Allows access to be granted to more than one user without sacrificing auditing and non-repudiation
At a high level, here are the general setup steps:
- Create an Azure AD application
- Set up a Conditional Access policy to limit access
- Provide the Application ID/Client ID to email@example.com to provision access
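The three setup steps, as an added example that is not part of the original post and not SecureData's own setup guide: the Microsoft Graph PowerShell SDK is used to register the application, create a country named location, and create two Conditional Access policies scoped to that application, one requiring MFA and an Intune/JAMF-compliant device (which covers the SAML device gap noted above) and one blocking sign-ins from outside the approved countries. Display names, the group name, the country list, and the sign-in audience are assumptions; the exact registration details the vendor needs are what Part 2 covers.

```powershell
#Requires -Modules Microsoft.Graph.Authentication, Microsoft.Graph.Applications, Microsoft.Graph.Groups, Microsoft.Graph.Identity.SignIns
# Example setup script (added here, not from the original post or from SecureData).
Connect-MgGraph -Scopes "Application.ReadWrite.All","Group.Read.All","Policy.Read.All","Policy.ReadWrite.ConditionalAccess" | Out-Null

# 1. App registration plus service principal (the enterprise app Conditional Access targets).
#    The AppId (Client ID) is the value the vendor needs to provision access.
$app = New-MgApplication -DisplayName "SecureData Remote Management" -SignInAudience "AzureADMyOrg"
$sp  = New-MgServicePrincipal -AppId $app.AppId

# Assumed: a group whose members are allowed to unlock drives already exists.
$group = Get-MgGroup -Filter "displayName eq 'SecureData-Drive-Users'"
if (-not $group) { throw "Create the SecureData-Drive-Users group before running this script" }

# 2a. Named location for the approved countries (assumed: United States only).
$approved = New-MgIdentityConditionalAccessNamedLocation -BodyParameter @{
    "@odata.type"                     = "#microsoft.graph.countryNamedLocation"
    displayName                       = "SecureData approved countries"
    countriesAndRegions               = @("US")
    includeUnknownCountriesAndRegions = $false
}

# Shared scope: only the drive-user group, only this application, every client app type.
$scope = @{
    users          = @{ includeGroups = @($group.Id) }
    applications   = @{ includeApplications = @($app.AppId) }
    clientAppTypes = @("all")
}

# 2b. Grant policy: MFA AND a compliant device. SAML alone tells the IdP nothing about the
#     endpoint, so device compliance (Intune/JAMF) is enforced here at sign-in.
$grantPolicy = New-MgIdentityConditionalAccessPolicy -BodyParameter @{
    displayName   = "SecureData RM: require MFA and compliant device"
    state         = "enabledForReportingButNotEnforced"   # switch to "enabled" after validating sign-in logs
    conditions    = $scope
    grantControls = @{ operator = "AND"; builtInControls = @("mfa","compliantDevice") }
}

# 2c. Block policy: deny sign-in to the app from any location except the approved countries,
#     regardless of MFA. This complements the drive's own geo-fencing, which is configured in RM.
$blockConditions = $scope.Clone()
$blockConditions.locations = @{ includeLocations = @("All"); excludeLocations = @($approved.Id) }
$blockPolicy = New-MgIdentityConditionalAccessPolicy -BodyParameter @{
    displayName   = "SecureData RM: block outside approved countries"
    state         = "enabledForReportingButNotEnforced"
    conditions    = $blockConditions
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}

# 3. Values to hand to the vendor and to record in the system security plan.
[pscustomobject]@{
    TenantId           = (Get-MgContext).TenantId
    ApplicationId      = $app.AppId      # Client ID requested by the vendor
    ApplicationObject  = $app.Id
    ServicePrincipalId = $sp.Id
    Policies           = @($grantPolicy.DisplayName, $blockPolicy.DisplayName)
}
```

Both policies are created in report-only mode so the Azure AD sign-in logs can be checked for unintended blocks before enforcement. Note that these controls are evaluated at SAML sign-in to Remote Management, not at the moment of each drive unlock; the unlock-time checks (geo-fence, time window, remote wipe) are configured on the RM side.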
Part 2 will cover the actual setup process.