Keep it in your pants: memory-based storage device security

Jack Gold has a fairly brief article on data security vs. flash memory storage here

While the article points out a valid issue, the problem is really not a new one - only the media has changed. portable storage from the floppy disk on has *always carried the risk of being lost or ending up in the wrong hands. the trick here is making users aware of the risks involved in data portability and training them to find a solution that is effective for them in both keeping track of their portable media and in an appropriate means of securing the contents of that media.

Gold points out that there are two major issues surrounding the devices: lack of user awareness of the risks that these devices represent, and their inherent insecure nature.

I disagree with Mr. Gold in a limited way on that- to my thinking the problem is not the inherent properties of the media, but rather solely that the users of said media don't take steps to ensure that their media is secure, and that they aren't provided the training to do so. The human factor is the breaking point, not an inherent flaw in the device.

Training users of portable media to keep it secure really requires a course in basic data security- a general survey course that covers the concept, and teaches users about the basic tools for data security available to them. This is a course that should frankly be a part of the orientation process for a new employee of an institution, and something that should be periodically updated among other existing employees.

It's been said time and again that users hate to deal with all things security related- but it's as much an expression of neo-phobia as it is of hassle-phobia. This applies particularly to folks who don't recognize that they are dealing with sensitive data. What users need to be taught is that any useful data is also data that is subject to misuse.

Data security is currently a fairly easy thing to manage, particularly with the advent of background-running filesystem encryption and transparent email encryption. A couple of hours is all it takes to master the basic principles of these tools, and then to later apply them to things like removable storage - and indeed, removable storage can become a critical part of a public-key based data security system, with a few precautionary steps taken along the way.

Let's look at real-life example for minute:

I keep a lot of important data on my thumb drive, which I've named "Albatross" because I keep it on a chain around my neck most of the time, along with a couple other items that it's important for me to keep track of. If I don't have the the Albatross on by the time I leave home arrive at work, I know it- I can't get into my office, because my key-card is on the same chain.

If someone were to find my flash-drive, they'd find two files on it: a small text file with my contact info, and a disk image file. That image file contains all of the other files on it, and is protected with a strong password. In order to access any of the useful data on the Albatross, you need to first be on a computer that knows what to do with a *.dmg file, and second know the pass-phrase, which is not used anywhere else.

That image contains a copy of some of my most sensitive data, including my PGP keypairs, some work related stuff, some of my financial information and so forth, that are in some cases, additionally encrypted. It's mostly stuff that gets used everyday, or nearly so, and the rest is there just in case I need it. But it's nearly all stuff that I would NEVER put on a flash-drive that didn't have some degree of protection on it, specifically because I wouldn't want it to be easily accessible to anyone but me.

So I have to enter an occasional extra passphrase or two and maybe wait an extra second here and there. To me, the trade off is worth it. I'm looking at a maximum of maybe 5 minutes per day spent entering pass-phrases, on an exceptional day, if I'm moving around a lot between locations or computers. The benefit is that when I lose the damn flash drive, I'll only be out $50.00 As opposed to out of a purchase history, a credit rating and an identity, for example.

And if that's the trade off for giving up 5 minutes a day to the trials of entering a password, I'll take it.