
    Force USB encryption Windows and Mac

    • scottalanmiller @Dashrender

      @Dashrender said in Force USB encryption Windows and Mac:

      @DustinB3403 said in Force USB encryption Windows and Mac:

      You need to update your policy that any device that isn't encrypted cannot be used on company provided devices without first having an encrypted volume created on it. This would fix your policy issue and address the concern of non-encrypted volumes being used on company devices.

      that is not a technical safeguard.. that's only a policy based one.. and clearly not good enough according to what the request has stated.

      If that were true, imagine how many HR policies don't have technical safeguards. Almost all, I would assume.

      • Kelly

        Do you have a business need to allow USB drives to be plugged in? It seems simplest to just deny them entirely. There are so many ways of exchanging information that allowing USB drives is just a security vulnerability without much return.

        • scottalanmiller @Dashrender

          @Dashrender said in Force USB encryption Windows and Mac:

          Now having an online chat with Sophos... and he's edging me toward - you only need encrypted USB?

          which of course leads me to - does the insurance company expect me to be running full disk encryption everywhere else ( EVERYWHERE else?) but simply not asking me about it.. seems like a huge gap...

          I hesitate asking for fear that they will suddenly require it, while right now I consider it NOT required.

          They are responding to your policy statement, not claiming a need. They are stating that "because you have a policy" that "you should enforce it". Remove the policy, remove the problem.

          • Dashrender @scottalanmiller

            @scottalanmiller said in Force USB encryption Windows and Mac:

            @Dashrender said in Force USB encryption Windows and Mac:

            @DustinB3403 said in Force USB encryption Windows and Mac:

            You need to update your policy that any device that isn't encrypted cannot be used on company provided devices without first having an encrypted volume created on it. This would fix your policy issue and address the concern of non-encrypted volumes being used on company devices.

            that is not a technical safeguard.. that's only a policy based one.. and clearly not good enough according to what the request has stated.

            If that were true, imagine how many HR policies don't have technical safeguards. Almost all, I would assume.

            Of course, many can't have technical safeguards, and they aren't asking about those.. they are asking about this very specific one.

            But - we might as well table this until I get a reply from them.

            • scottalanmiller @DustinB3403

              @DustinB3403 said in Force USB encryption Windows and Mac:

              If you own the devices, just start encrypting them when you first get them in office, create your policy on that process.

              I agree. Encryption is up to IT, not the end user. Company owned is up to the end user. They won't ask for a technical safeguard that the company owns the USB sticks. So problem solved.

              • scottalanmiller @Dashrender

                @Dashrender said in Force USB encryption Windows and Mac:

                @DustinB3403 said in Force USB encryption Windows and Mac:

                @JaredBusch said in Force USB encryption Windows and Mac:

                BitLocker can do it natively.

                So is there a GPO (local or AD whatever) that requires BitLocker on USB drives?

                That's Windows only and wouldn't work for the second half of the question.

                yep.

                Though, I suppose if required, I could have two solutions.

                Not really, not without an additional, very difficult problem of ensuring the sticks don't cross contaminate.

                • scottalanmiller @Dashrender

                  @Dashrender said in Force USB encryption Windows and Mac:

                  @DustinB3403 said in Force USB encryption Windows and Mac:

                  The entire question originated from your lack of a control plan to ensure that USB storage is encrypted. Had you simply stated in your policy that USB storage is encrypted at the time of purchase and device usage is strictly controlled to trusted people you wouldn't be in this predicament of attempting to find some magical good ransomware that can tell when something isn't encrypted, and kindly asks you if you wish to encrypt the USB storage. . .

                  and you are under some delusion that people live to only follow the rules and would never just go to the store (or hell, pick up a USB stick in the parking lot) and just simply plug it into their computer.

                  Why do you feel that way? He said nothing of the sort.

                  • scottalanmiller @Dashrender

                    @Dashrender said in Force USB encryption Windows and Mac:

                    @scottalanmiller said in Force USB encryption Windows and Mac:

                    @Dashrender said in Force USB encryption Windows and Mac:

                    This is my initial reaction too.. but I'm trying to turn over a new leaf, and say 'yes.' which in this case starts with researching possible solutions.

                    Why not ask them what their other clients are using. I bet that you are the first and they are trying to trick you into having a solution that doesn't exist.

                    I'm waiting for just that reply already.

                    Either they won't have one, I guarantee, or they will come back with something like Dustin's example of human-based controls.

                    • scottalanmiller @DustinB3403

                      @DustinB3403 said in Force USB encryption Windows and Mac:

                      I'm not under any delusion, I realize this can and does happen all of the time,

                      Because ALL solutions have workarounds. No "controls" are perfect. Having a control never implies that no workaround exists. In fact, most controls that companies use actually do quite little.

                      • scottalanmiller @Dashrender

                        @Dashrender said in Force USB encryption Windows and Mac:

                        The Sophos solution seems nice - it simply encrypts all files to the user's key by default, regardless of where the user is saving i

                        That's not the same as the drive being encrypted and from a wording standpoint, would not satisfy your policy nor the insurance question. But is a good security solution. But if you allow that, you violate your own policy and that could cause a lot of problems.

                        • Dashrender @scottalanmiller

                          @scottalanmiller said in Force USB encryption Windows and Mac:

                          @Dashrender said in Force USB encryption Windows and Mac:

                          @scottalanmiller said in Force USB encryption Windows and Mac:

                          @Dashrender said in Force USB encryption Windows and Mac:

                          This is my initial reaction too.. but I'm trying to turn over a new leaf, and say 'yes.' which in this case starts with researching possible solutions.

                          Why not ask them what their other clients are using. I bet that you are the first and they are trying to trick you into having a solution that doesn't exist.

                          I'm waiting for just that reply already.

                          Either they won't have one, I guarantee, or they will come back with something like Dustin's example of human-based controls.

                          Human based controls aren't technical.

                          And while we haven't given them our current policy - i.e. so they couldn't have read it and said - it's not good enough... we just told them, we have a company policy... so if company policy was good enough - I would expect them to say - hey, before we sign off on that company policy, we need to see what it says.. then I would agree that going Dustin's route would make sense.

                          • scottalanmiller @Kelly

                            @Kelly said in Force USB encryption Windows and Mac:

                            Do you have a business need to allow USB drives to be plugged in? It seems simplest to just deny them entirely. There are so many ways of exchanging information that allowing USB drives is just a security vulnerability without much return.

                            For sure, I was wondering that, too. I bet the doctors demand it.

                            • scottalanmiller @Dashrender

                              @Dashrender said in Force USB encryption Windows and Mac:

                              @scottalanmiller said in Force USB encryption Windows and Mac:

                              @Dashrender said in Force USB encryption Windows and Mac:

                              @DustinB3403 said in Force USB encryption Windows and Mac:

                              You need to update your policy that any device that isn't encrypted cannot be used on company provided devices without first having an encrypted volume created on it. This would fix your policy issue and address the concern of non-encrypted volumes being used on company devices.

                              that is not a technical safeguard.. that's only a policy based one.. and clearly not good enough according to what the request has stated.

                              If that were true, imagine how many HR policies don't have technical safeguards. Almost all, I would assume.

                              Of course, many can't have technical safeguards, and they aren't asking about those.. they are asking about this very specific one.

                              But - we might as well table this until I get a reply from them.

                              But this one is just like those other ones... one where a technical safeguard is impractical bordering on impossible.

                              • Dashrender @scottalanmiller

                                @scottalanmiller said in Force USB encryption Windows and Mac:

                                @Dashrender said in Force USB encryption Windows and Mac:

                                The Sophos solution seems nice - it simply encrypts all files to the user's key by default, regardless of where the user is saving i

                                That's not the same as the drive being encrypted and from a wording standpoint, would not satisfy your policy nor the insurance question. But is a good security solution. But if you allow that, you violate your own policy and that could cause a lot of problems.

                                LOL - our policy can change on a dime - this is for a 10 person company.. they will change it to whatever I tell them, for the most part.

                                Though, as you said - it still might not be good enough for the insurance company.

                                • scottalanmiller @Dashrender

                                  @Dashrender said in Force USB encryption Windows and Mac:

                                  Human based controls aren't technical.

                                  That's not necessarily true. Some are and some are not. It depends if it is a mechanism or just a policy.

                                  • scottalanmiller @Dashrender

                                    @Dashrender said in Force USB encryption Windows and Mac:

                                    And while we haven't given them our current policy - i.e. so they couldn't have read it and said - it's not good enough... we just told them, we have a company policy... so if company policy was good enough - I would expect them to say - hey, before we sign off on that company policy, we need to see what it says.. then I would agree that going Dustin's route would make sense

                                    Right, and my point is that you need a mechanism, not just a policy, to make them happy. But I think that that could be done.

                                    • scottalanmiller @Dashrender

                                      @Dashrender said in Force USB encryption Windows and Mac:

                                      @scottalanmiller said in Force USB encryption Windows and Mac:

                                      @Dashrender said in Force USB encryption Windows and Mac:

                                      The Sophos solution seems nice - it simply encrypts all files to the user's key by default, regardless of where the user is saving i

                                      That's not the same as the drive being encrypted and from a wording standpoint, would not satisfy your policy nor the insurance question. But is a good security solution. But if you allow that, you violate your own policy and that could cause a lot of problems.

                                      LOL - our policy can change on a dime - this is for a 10 person company.. they will change it to whatever I tell them, for the most part.

                                      Though, as you said - it still might not be good enough for the insurance company.

                                      I think that the insurance is going off of the policy description (e.g. your description of what the policy is, not the policy's description of the requirement.)

                                      So I almost guarantee that if you alter the policy to say that files stored on a drive must be encrypted, instead of the drive itself being encrypted, then presented the Sophos option, that everyone would be happy (especially Sophos.)

                                      • Dashrender @scottalanmiller

                                        @scottalanmiller said in Force USB encryption Windows and Mac:

                                        @Dashrender said in Force USB encryption Windows and Mac:

                                        And while we haven't given them our current policy - i.e. so they couldn't have read it and said - it's not good enough... we just told them, we have a company policy... so if company policy was good enough - I would expect them to say - hey, before we sign off on that company policy, we need to see what it says.. then I would agree that going Dustin's route would make sense

                                        Right, and my point is that you need a mechanism, not just a policy, to make them happy. But I think that that could be done.

                                        no mechanism is going to keep crazy users from just picking up random USB sticks and plugging them.

                                        • DustinB3403 @Dashrender

                                          @Dashrender said in Force USB encryption Windows and Mac:

                                          @scottalanmiller said in Force USB encryption Windows and Mac:

                                          @Dashrender said in Force USB encryption Windows and Mac:

                                          And while we haven't given them our current policy - i.e. so they couldn't have read it and said - it's not good enough... we just told them, we have a company policy... so if company policy was good enough - I would expect them to say - hey, before we sign off on that company policy, we need to see what it says.. then I would agree that going Dustin's route would make sense

                                          Right, and my point is that you need a mechanism, not just a policy, to make them happy. But I think that that could be done.

                                          no mechanism is going to keep crazy users from just picking up random USB sticks and plugging them.

                                          So if you know this, then why did you say I was delusional for thinking that if you updated and enforced your policy would you be good?

                                          • Dashrender @DustinB3403

                                            @DustinB3403 said in Force USB encryption Windows and Mac:

                                            @Dashrender said in Force USB encryption Windows and Mac:

                                            @scottalanmiller said in Force USB encryption Windows and Mac:

                                            @Dashrender said in Force USB encryption Windows and Mac:

                                            And while we haven't given them our current policy - i.e. so they couldn't have read it and said - it's not good enough... we just told them, we have a company policy... so if company policy was good enough - I would expect them to say - hey, before we sign off on that company policy, we need to see what it says.. then I would agree that going Dustin's route would make sense

                                            Right, and my point is that you need a mechanism, not just a policy, to make them happy. But I think that that could be done.

                                            no mechanism is going to keep crazy users from just picking up random USB sticks and plugging them.

                                            So if you know this, then why did you say I was delusional for thinking that if you updated and enforced your policy would you be good?

                                            because a policy is not a technical solution.. a policy doesn't stop the crazy person from plugging a drive. only a technical solution prevents the computer from accessing a non-authorized drive.
