USB drive security project: In search of a secure USB drive, CoCo compliance

Caerphilly Council, concerned about USB drive security, describes its search for and implementation of a USB drive security product from Safend, which also made Code of Connection (CoCo) compliance easier.

A rash of press stories about USB drive security and lost devices convinced Vernon Coles, principal IT security officer for Caerphilly County Borough Council, that his own organisation should do something about the growing use of memory sticks for storing and transferring information.

Not that Caerphilly Council took information security lightly. The council had become only the second in the U.K. to achieve BS 7799 (now ISO 27001) security accreditation back in 2006, and the organisation was already a big user of McAfee Inc. products to protect the 9,000 computers for which it is responsible on its own network and in local schools. It also uses McAfee's Safeboot product for encryption on the council's 900 laptop machines.

Coles looked at available endpoint protection products in 2006, but found them lacking.

"We had just been accredited for BS 7799, and having got best practices in place, we wanted to make the infrastructure more secure," he said. "At that stage, the available endpoint protection products were not very mature," which led them to delay the project.

But the rising tide of bad-news stories recently put the subject of USB drive security back on the agenda, and this time he managed to find six products worthy of consideration.

"We put together a detailed specification and we had a couple of mandatory requirements," Wells said. "We needed to be able to identify a USB device by serial number and track its use with a full audit trail. It also had to be tamper-proof."

They whittled the list of six products down to two, and then brought in a team from the NCC Group, a consultancy, to spend three days trying to crash the products or tamper with them. Both products stood up well, but the NCC team said they found the offering from Philadelphia, Pa.-based Safend Inc. was slightly more robust. "They felt it was just a little more frustrating to try to break," said Coles, who declined to say which was the other product in the test.

Working with Safend partner Vigil Software Ltd, Caerphilly Council installed and deployed the software in monitor mode only for the first six months, to get a clear picture of the extent of USB device use by the council's 900 users. It was able to track exactly what devices were plugged into every computer on the network, and when they were plugged in. That turned out to be quite revealing.

"It gave us some amazing figures against each device -- what was plugged in and when," Coles said. "We found a lot of pen drives that could have been bought anywhere were plugged into our network."

Following that revelation, they decided to ban the use of all non-approved USB drives and issue everyone with an encrypted USB stick supplied by Kingston Technology Corp. Each secure USB drive carries the Caerphilly logo and has a unique serial number. That number is recorded at the time of issue against the user's name on the central system. Safend enforces encrypted USB drives; access to the content is via username and password.

The Safend client agent on each of the council's PCs prevents any unauthorised sticks -- or any other USB devices such as CD or DVD drives -- from being connected to the machines.

In addition, each secure USB drive is loaded with Safend's offline access utility, which allows the council to track what happens to the information when the secure USB drive is unplugged from the main network.

"If, for example, a user copies a document from the USB device to their home computer," said Coles, "the event will be logged, and when they reconnect the device to the corporate network, all of the logs will be updated."

The Safend system is also capable of even more granular content control -- for instance, preventing the copying of specific files -- but Caerphilly has chosen so far not to implement that feature.

Code of Connection (CoCo) compliance too
Apart from bringing greater control over the use of memory sticks, the Safend project has had an extra spin-off benefit for Caerphilly Council. Like every other local council in the U.K., it needs to meet new security standards to connect to the Government Connect Secure Extranet (GCSx). This is a secure private wide area network (WAN), which will enable local authorities, central government, police and health authorities to communicate without using the public Internet.

The list of security requirements that local authorities need to meet is called the Code of Connection (CoCo). It consists of 92 detailed security questions, some of which deal with endpoint protection and encryption. With the Safend product covering the protection of data held on USB sticks, laptop encryption enforced by Safeboot, and the ability to provide audit trails of all file usage, Coles said he was able to provide confident answers to many of the CoCo compliance questions.

Having already gone through BS 7799 accreditation was another great advantage. "A lot of the questions in CoCo compliance are based on the ISO 27001 security standard, and so having been compliant with that, we could answer some of the questions quite easily," he said.

Nevertheless, he said CoCo compliance was not easy, and involved input from all sections of the 90-strong IT department. "Some questions had to be answered by people with a mix of skills -- the network guys, the server team, the installation guys," he said. "To be honest, we found it difficult to complete. I must have sent it back about five or six times to the project manager at Government Connect before we actually got accredited."

Last October they were accredited -- the first in Wales -- and were chosen to be one of eight councils to take part in a pilot involving the Benefits systems. The deadline for all other councils to comply is this September.
