Force USB encryption Windows and Mac
-
@scottalanmiller said in Force USB encryption Windows and Mac:
@DustinB3403 said in Force USB encryption Windows and Mac:
@Dashrender said in Force USB encryption Windows and Mac:
@DustinB3403 said in Force USB encryption Windows and Mac:
You would have no way to do this.
You can set up encrypted volumes on USB drives you control, but there would be no way to do this for every USB drive.
This is my initial reaction too... but I'm trying to turn over a new leaf, and say 'yes,' which in this case starts with researching possible solutions.
I'm wondering if there is some type of MDM/end user device management (something like Intune).
How would it encrypt the drive? That would mean it would realistically ransomware people's devices if they mistakenly plug a personal USB into a work computer.
I think the only option is blocking unencrypted drives. But it wouldn't be encrypted versus not, it would be encrypted by a certain tool or not. That's about the only possible solution.
So the issue here is with the Apple computers, that unless you are granting the user administrative rights, they wouldn't be able to mount the drive, and thus the encrypted data would remain encrypted.
So how would the computer (Windows or otherwise) know "what tool was used"? This is a Schrödinger's cat scenario. You can't know that the data is encrypted without first opening it up and checking. Which, if the computer can just open everything up, then it knows how to decrypt every disk and volume that may come in contact with said system.
Which essentially means a backdoor so your users can't go dark.
-
@Dashrender said in Force USB encryption Windows and Mac:
@scottalanmiller said in Force USB encryption Windows and Mac:
@Dashrender said in Force USB encryption Windows and Mac:
And while we haven't given them our current policy - i.e. so they couldn't have read it and said - it's not good enough... we just told them, we have a company policy... so if company policy was good enough - I would expect them to say - hey, before we sign off on that company policy, we need to see what it says.. then I would agree that going Dustin's route would make sense
Right, and my point is that you need a mechanism, not just a policy, to make them happy. But I think that that could be done.
no mechanism is going to keep crazy users from just picking up random USB sticks and plugging them in.
Sure it is, all kinds of mechanisms can prevent that. Nothing prevents anything 100%, but lots of things prevent some. And that's all any requirement is asking for.
-
@Dashrender said in Force USB encryption Windows and Mac:
@DustinB3403 said in Force USB encryption Windows and Mac:
@Dashrender said in Force USB encryption Windows and Mac:
@scottalanmiller said in Force USB encryption Windows and Mac:
@Dashrender said in Force USB encryption Windows and Mac:
And while we haven't given them our current policy - i.e. so they couldn't have read it and said - it's not good enough... we just told them, we have a company policy... so if company policy was good enough - I would expect them to say - hey, before we sign off on that company policy, we need to see what it says.. then I would agree that going Dustin's route would make sense
Right, and my point is that you need a mechanism, not just a policy, to make them happy. But I think that that could be done.
no mechanism is going to keep crazy users from just picking up random USB sticks and plugging them in.
So if you know this, then why did you say I was delusional for thinking that if you updated and enforced your policy you would be good?
Because a policy is not a technical solution... a policy doesn't stop the crazy person from plugging in a drive.
Right, changing the policy is to remove the need for a non-viable technical solution so that the policy you write has a viable technical solution.
-
@Dashrender said in Force USB encryption Windows and Mac:
only a technical solution prevents the computer from accessing a non authorized drive.
No, nothing completely prevents it. Technical solutions and policies both partially prevent it, in different ways.
-
@Dashrender said in Force USB encryption Windows and Mac:
Sure I can fire them... AFTER they plug the drive into our computers - but that's too late.
But not related to the problem. So you should not mention this because it's not relevant. This is an additional policy. Fine to have, but not part of the blocking / preventing policy, nor a part of the technical preventative.
-
@Dashrender said in Force USB encryption Windows and Mac:
Did you see what you just wrote? WHEN I PURCHASE... what about when crazy person purchases? and brings from home?
You are doing "what ifs". Remember, we've covered and you agreed, that there is a workaround to every possible technical measure. So that you can find a way to work around any specific one is not relevant. Technical measures are not foolproof, and don't need to be.
-
@DustinB3403 said in Force USB encryption Windows and Mac:
@Dashrender you are really starting to sound like @WrCombs when he's asking what he should do about policy.
It's not your problem to enforce the policy if people circumvent it, it's your job to simply follow and report violations and maybe even draft a workable policy that HR can enforce.
Edited in bold.
Almost. But in this case the insurance company is asking him to enforce as well. But enforce doesn't mean 100%. Cops don't enforce the speed limit 100%, but that doesn't mean that they don't enforce it.
-
@Dashrender said in Force USB encryption Windows and Mac:
@DustinB3403 said in Force USB encryption Windows and Mac:
Just like cops don't actually enforce the law, they simply report law breakers to the court, and a jury and judge then validate the claim and punish the law breaker.
You're the cop, you see and report, you don't enforce.
Arresting someone doesn't mean you're enforcing the law, it means you're taking someone in to be judged by those whose job it is to enforce the law and pass punishment.
In this case I'm being asked to install the vault door on the vault - i.e. the technical implementation. Not simply the security guard.
Sure, but you can blast through a vault door. It's not perfect. It's not even close. It just discourages the behaviour.
Same with other things you can do like providing the USB sticks, confiscating rogue sticks when found, etc.
-
@Dashrender said in Force USB encryption Windows and Mac:
@dbeato said in Force USB encryption Windows and Mac:
I also would think they want your devices in the office to be Encrypted at a minimum as well.
You know - you would think, but they haven't breathed a word on that...
You would not think unless there was a policy about it mentioned to them. If there wasn't, you'd not expect it. Remember, none of this is about encryption, it is all about enforcement of policy. That this case is encryption is a red herring.
-
@scottalanmiller said in Force USB encryption Windows and Mac:
@DustinB3403 said in Force USB encryption Windows and Mac:
@Dashrender you are really starting to sound like @WrCombs when he's asking what he should do about policy.
It's not your problem to enforce the policy if people circumvent it, it's your job to simply follow and report violations and maybe even draft a workable policy that HR can enforce.
Edited in bold.
Almost. But in this case the insurance company is asking him to enforce as well. But enforce doesn't mean 100%. Cops don't enforce the speed limit 100%, but that doesn't mean that they don't enforce it.
The cops don't enforce, they ticket people, as a means of getting that person in front of a judge who then validates and punishes.
Judges are enforcement, cops simply act as witnesses to an act.
-
@DustinB3403 said in Force USB encryption Windows and Mac:
@scottalanmiller said in Force USB encryption Windows and Mac:
@DustinB3403 said in Force USB encryption Windows and Mac:
@Dashrender you are really starting to sound like @WrCombs when he's asking what he should do about policy.
It's not your problem to enforce the policy if people circumvent it, it's your job to simply follow and report violations and maybe even draft a workable policy that HR can enforce.
Edited in bold.
Almost. But in this case the insurance company is asking him to enforce as well. But enforce doesn't mean 100%. Cops don't enforce the speed limit 100%, but that doesn't mean that they don't enforce it.
The cops don't enforce, they ticket people, as a means of getting that person in front of a judge who then validates and punishes.
Judges are enforcement, cops simply act as witnesses to an act.
No, they arrest. They physically remove people from vehicles. I've had friends have it done to them. They put rumble strips on the road, spikes, all kinds of enforcement items.
-
@DustinB3403 said in Force USB encryption Windows and Mac:
Judges are enforcement, cops simply act as witnesses to an act.
Judges are punishment, not enforcement.
-
that's why "law enforcement" is a reference to police, not judges or juries.
-
@scottalanmiller said in Force USB encryption Windows and Mac:
@DustinB3403 said in Force USB encryption Windows and Mac:
@scottalanmiller said in Force USB encryption Windows and Mac:
@DustinB3403 said in Force USB encryption Windows and Mac:
@Dashrender you are really starting to sound like @WrCombs when he's asking what he should do about policy.
It's not your problem to enforce the policy if people circumvent it, it's your job to simply follow and report violations and maybe even draft a workable policy that HR can enforce.
Edited in bold.
Almost. But in this case the insurance company is asking him to enforce as well. But enforce doesn't mean 100%. Cops don't enforce the speed limit 100%, but that doesn't mean that they don't enforce it.
The cops don't enforce, they ticket people, as a means of getting that person in front of a judge who then validates and punishes.
Judges are enforcement, cops simply act as witnesses to an act.
No, they arrest. They physically remove people from vehicles. I've had friends have it done to them. They put rumble strips on the road, spikes, all kinds of enforcement items.
Items to get the person in front of a judge and jury who actually punishes the person.
You can be detained for a while by a cop, that isn't punishment.
-
@scottalanmiller said in Force USB encryption Windows and Mac:
that's why "law enforcement" is a reference to police, not judges or juries.
Law enforcement generally, yes, but the practical explanation is that the police are there to bring people they suspect of a crime to justice to be judged.
-
@DustinB3403 said in Force USB encryption Windows and Mac:
Items to get the person in front of a judge and jury who actually punishes the person.
No amount of punishment is enforcement. No matter how severe. The law is already broken.
Enforcement can only exist before the act happens or is completed.
-
@DustinB3403 said in Force USB encryption Windows and Mac:
You can be detained for a while by a cop, that isn't punishment.
Correct. Detainment is stopping whatever from completing, hence enforcement. Anything with the term "punishment" in it can't be enforcement.
It is enforcement, not punishment, that is of concern to the insurance company in this case.
-
@DustinB3403 said in Force USB encryption Windows and Mac:
@scottalanmiller said in Force USB encryption Windows and Mac:
that's why "law enforcement" is a reference to police, not judges or juries.
Law enforcement generally, yes, but the practical explanation is that the police are there to bring people they suspect of a crime to justice to be judged.
Correct. Cops enforce, judges punish. That's the universal explanation. One is to stop a transaction, one is to exact revenge.
-
This really doesn't seem hard. The insurance agency seems to just want some mechanisms to make breaking policy harder. From GPOs, to glue in the USB ports, to confiscating rogue devices.
The computer itself can't do the checking as Dustin pointed out, it has to mount and use the drive before it can know, so the computer has to be "after the fact". The computer can complain about what you've done, but it can't enforce. It's like a judge, not like a cop.
Any "cop enforcement" mechanism has to be before the USB goes into the computer or at least before the port is enabled.
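On the Windows side, the "encrypted by a certain tool or not" mechanism mentioned earlier in the thread and the "GPOs" mentioned just above correspond to the BitLocker To Go policy that denies write access to removable drives not protected by BitLocker. The script below is an added example, not code from anyone in this thread: it audits one Windows endpoint for that policy and reports which attached removable drives are currently unprotected, without changing anything. It assumes the BitLocker PowerShell module is present (Windows Pro/Enterprise) and an elevated prompt; the registry value names under `HKLM:\SOFTWARE\Policies\Microsoft\FVE` are the ones Windows writes for the Removable Data Drives policy settings. The macOS half of the question is not covered here.

```powershell
# Added example (not from the thread): audit a Windows host for the BitLocker To Go
# "Deny write access to removable drives not protected by BitLocker" policy and list
# removable volumes that are attached but not BitLocker-protected. Read-only.

# Registry location of the Group Policy settings under
# Computer Configuration > Administrative Templates > Windows Components >
# BitLocker Drive Encryption > Removable Data Drives.
$FvePolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'

function Get-RemovableDriveWritePolicy {
    # Summarise whether the deny-write policy is in force on this machine.
    $props = Get-ItemProperty -Path $FvePolicyKey -ErrorAction SilentlyContinue
    [pscustomobject]@{
        PolicyKeyPresent     = [bool]$props
        DenyWriteUnprotected = ($props.RDVDenyWriteAccess -eq 1)   # 1 = write denied unless BitLocker-protected
        DenyCrossOrgWrite    = ($props.RDVDenyCrossOrg -eq 1)      # 1 = also deny drives encrypted by another org
        IdentificationField  = $props.IdentificationField          # org identifier used for the cross-org check
    }
}

function Get-RemovableDriveProtection {
    # One object per removable volume that has a drive letter, with its BitLocker state.
    Get-Volume |
        Where-Object { $_.DriveType -eq 'Removable' -and $_.DriveLetter } |
        ForEach-Object {
            $mount = "$($_.DriveLetter):"
            $bl = Get-BitLockerVolume -MountPoint $mount -ErrorAction SilentlyContinue
            $protection = 'Unknown'
            $volumeState = 'Unknown'
            if ($bl) {
                $protection  = $bl.ProtectionStatus   # On / Off
                $volumeState = $bl.VolumeStatus       # FullyEncrypted, FullyDecrypted, ...
            }
            [pscustomobject]@{
                MountPoint       = $mount
                FileSystemLabel  = $_.FileSystemLabel
                ProtectionStatus = $protection
                VolumeStatus     = $volumeState
                Compliant        = [bool]($bl -and $bl.ProtectionStatus -eq 'On')
            }
        }
}

# Report the policy state first: if it is not set, unencrypted sticks are writable here.
$policy = Get-RemovableDriveWritePolicy
if ($policy.DenyWriteUnprotected) {
    Write-Host 'Policy enforced: writes to non-BitLocker removable drives are denied.'
} else {
    Write-Warning 'RDVDenyWriteAccess is not set: unencrypted removable drives are writable on this host.'
}
$policy | Format-List

# Then the "after the fact" view: what is plugged in right now, and is it protected?
$drives = @(Get-RemovableDriveProtection)
$drives | Format-Table -AutoSize
$nonCompliant = @($drives | Where-Object { -not $_.Compliant })
if ($nonCompliant.Count -gt 0) {
    Write-Warning ('{0} removable drive(s) attached without BitLocker protection: {1}' -f `
        $nonCompliant.Count, ($nonCompliant.MountPoint -join ', '))
}
```

Run it as a scheduled task or through your RMM and collect the warnings centrally; the policy check is the preventative control the insurer is asking about, and the drive listing is the detective record of what slipped past it.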
-
@scottalanmiller that I can agree with.
This is all pre-device connection. There is no realistic way to prevent breaking the policy. Because users...