Force USB encryption Windows and Mac
-
@scottalanmiller said in Force USB encryption Windows and Mac:
@Dashrender said in Force USB encryption Windows and Mac:
@scottalanmiller said in Force USB encryption Windows and Mac:
@Dashrender said in Force USB encryption Windows and Mac:
This is my initial reaction too.. but I'm trying to turn over a new leaf, and say 'yes.' which in this case starts with researching possible solutions.
Why not ask them what their other clients are using. I bet that you are the first and they are trying to trick you into having a solution that doesn't exist.
I'm waiting for just that reply already.
Either they won't have one, I guarantee, or they will come back with something like Dustin's example of human-based controls.
Human based controls aren't technical.
And while we haven't given them our current policy - i.e. so they couldn't have read it and said - it's not good enough... we just told them, we have a company policy... so if company policy was good enough - I would expect them to say - hey, before we sign off on that company policy, we need to see what it says.. then I would agree that going Dustin's route would make sense.
-
@Kelly said in Force USB encryption Windows and Mac:
Do you have a business need to allow USB drives to be plugged in? It seems simplest to just deny them entirely. There are so many ways of exchanging information that allowing USB drives is just a security vulnerability without much return.
For sure, I was wondering that, too. I bet the doctors demand it.
-
@Dashrender said in Force USB encryption Windows and Mac:
@scottalanmiller said in Force USB encryption Windows and Mac:
@Dashrender said in Force USB encryption Windows and Mac:
@DustinB3403 said in Force USB encryption Windows and Mac:
You need to update your policy that any device that isnt encrypted cannot be used on company provided devices without first having an encrypted volume created on it this would fix your policy issue and address the concern of non-encrypted volumes being used on company devices
that is not a technical safeguard.. that's only a policy based one.. and clearly not good enough according to what the request has stated.
If that were true, imagine how many HR policies don't have technical safeguards. ALmost all, I would assume.
Of course, many can't have technical safeguards, and they aren't asking about those.. they are asking about this very specific one.
But - we might as well table this until I get a reply from them.
But this one is just like those other ones... one where a technical safeguard is impractical bordering on impossible.
-
@scottalanmiller said in Force USB encryption Windows and Mac:
@Dashrender said in Force USB encryption Windows and Mac:
The Sofos solution seems nice - it simply encrypts all files to the user's key by default, regardless of where the user is saving i
That's not the same as the drive being encrypted and from a wording standpoint, would not satisfy your policy nor the insurance question. But is a good security solution. But if you allow that, you violate your own policy and that could cause a lot of problems.
LOL - our policy can change on a dime - this is for a 10 person company.. they will change it to whatever I tell them, for the most part.
Though, as you said - it still might not be good enough for the insurance company.
-
@Dashrender said in Force USB encryption Windows and Mac:
Human based controls aren't technical.
That's not necessarily true. Some are and some are not. It depends if it is a mechanism or just a policy.
-
@Dashrender said in Force USB encryption Windows and Mac:
And while we haven't given them our current policy - i.e. so they couldn't have read it and said - it's not good enough... we just told them, we have a company policy... so if company policy was good enough - I would expect them to say - hey, before we sign off on that company policy, we need to see what it says.. then I would agree that going Dustin's route would make sense
Right, and my point is that you need a mechanism, not just a policy, to make them happy. But I think that that could be done.
-
@Dashrender said in Force USB encryption Windows and Mac:
@scottalanmiller said in Force USB encryption Windows and Mac:
@Dashrender said in Force USB encryption Windows and Mac:
The Sofos solution seems nice - it simply encrypts all files to the user's key by default, regardless of where the user is saving i
That's not the same as the drive being encrypted and from a wording standpoint, would not satisfy your policy nor the insurance question. But is a good security solution. But if you allow that, you violate your own policy and that could cause a lot of problems.
LOL - our policy can change on a dime - this is for a 10 person company.. they will change it to whatever I tell them, for the most part.
Though, as you said - it still might not be good enough for the insurance company.
I think that the insurance is going off of the policy description (e.g. your description of what the policy is, not the policy's description of the requirement.)
So I almost guarantee that if you alter the policy to say that files stored on a drive must be encrypted, instead of the drive itself being encrypted, then presented the Sophos option, that everyone would be happy (especially Sophos.)
-
@scottalanmiller said in Force USB encryption Windows and Mac:
@Dashrender said in Force USB encryption Windows and Mac:
And while we haven't given them our current policy - i.e. so they couldn't have read it and said - it's not good enough... we just told them, we have a company policy... so if company policy was good enough - I would expect them to say - hey, before we sign off on that company policy, we need to see what it says.. then I would agree that going Dustin's route would make sense
Right, and my point is that you need a mechanism, not just a policy, to make them happy. But I think that that could be done.
no mechanism is going to keep crazy users from just picking up random USB sticks and plugging them.
-
@Dashrender said in Force USB encryption Windows and Mac:
@scottalanmiller said in Force USB encryption Windows and Mac:
@Dashrender said in Force USB encryption Windows and Mac:
And while we haven't given them our current policy - i.e. so they couldn't have read it and said - it's not good enough... we just told them, we have a company policy... so if company policy was good enough - I would expect them to say - hey, before we sign off on that company policy, we need to see what it says.. then I would agree that going Dustin's route would make sense
Right, and my point is that you need a mechanism, not just a policy, to make them happy. But I think that that could be done.
no mechanism is going to keep crazy users from just picking up random USB sticks and plugging them.
So if you know this, then why did you say I was delusional for thinking that if you updated and enforced your policy would you be good?
-
@DustinB3403 said in Force USB encryption Windows and Mac:
@Dashrender said in Force USB encryption Windows and Mac:
@scottalanmiller said in Force USB encryption Windows and Mac:
@Dashrender said in Force USB encryption Windows and Mac:
And while we haven't given them our current policy - i.e. so they couldn't have read it and said - it's not good enough... we just told them, we have a company policy... so if company policy was good enough - I would expect them to say - hey, before we sign off on that company policy, we need to see what it says.. then I would agree that going Dustin's route would make sense
Right, and my point is that you need a mechanism, not just a policy, to make them happy. But I think that that could be done.
no mechanism is going to keep crazy users from just picking up random USB sticks and plugging them.
So if you know this, then why did you say I was delusional for thinking that if you updated and enforced your policy would you be good?
because a policy is not a technical solution.. a policy doesn't stop the crazy person from plugging a drive. only a technical solution prevents the computer from accessing a non authorized drive.
-
@Dashrender said in Force USB encryption Windows and Mac:
@DustinB3403 said in Force USB encryption Windows and Mac:
@Dashrender said in Force USB encryption Windows and Mac:
@scottalanmiller said in Force USB encryption Windows and Mac:
@Dashrender said in Force USB encryption Windows and Mac:
And while we haven't given them our current policy - i.e. so they couldn't have read it and said - it's not good enough... we just told them, we have a company policy... so if company policy was good enough - I would expect them to say - hey, before we sign off on that company policy, we need to see what it says.. then I would agree that going Dustin's route would make sense
Right, and my point is that you need a mechanism, not just a policy, to make them happy. But I think that that could be done.
no mechanism is going to keep crazy users from just picking up random USB sticks and plugging them.
So if you know this, then why did you say I was delusional for thinking that if you updated and enforced your policy would you be good?
because a policy is not a technical solution.. a policy doesn't stop the crazy person from plugging a drive. only a technical solution prevents the computer from accessing a non authorized drive.
A policy is enforceable through any solution you implement. IE Whenever we purchase a USB device, it's volume is encrypted before it's used. Anyone who is found to be using a non-company usb storage or unencrytped storage device is reprimanded.
-
@DustinB3403 said in Force USB encryption Windows and Mac:
@Dashrender said in Force USB encryption Windows and Mac:
@DustinB3403 said in Force USB encryption Windows and Mac:
@Dashrender said in Force USB encryption Windows and Mac:
@scottalanmiller said in Force USB encryption Windows and Mac:
@Dashrender said in Force USB encryption Windows and Mac:
And while we haven't given them our current policy - i.e. so they couldn't have read it and said - it's not good enough... we just told them, we have a company policy... so if company policy was good enough - I would expect them to say - hey, before we sign off on that company policy, we need to see what it says.. then I would agree that going Dustin's route would make sense
Right, and my point is that you need a mechanism, not just a policy, to make them happy. But I think that that could be done.
no mechanism is going to keep crazy users from just picking up random USB sticks and plugging them.
So if you know this, then why did you say I was delusional for thinking that if you updated and enforced your policy would you be good?
because a policy is not a technical solution.. a policy doesn't stop the crazy person from plugging a drive. only a technical solution prevents the computer from accessing a non authorized drive.
A policy is enforceable through any solution you implement. IE Whenever we purchase a USB device, it's volume is encrypted before it's used. Anyone who is found to be using a non-company usb storage or unencrytped storage device is reprimanded.
Did you see what you just wrote? WHEN I PURCHASE... what about when crazy person purchases? and brings from home?
Sure I can fire them... AFTER they plug the drive into our computers - but that's to late.
-
@Dashrender said in Force USB encryption Windows and Mac:
what about when crazy person purchases? and brings from home?
YOU TERMINATE THEM. That's HR's policy to follow, not your problem to fix FFS.
-
@Dashrender said in Force USB encryption Windows and Mac:
Sure I can fire them... AFTER they plug the drive into our computers - but that's to late.
No it's not, because they've broken the policy not once but twice.
By using a non-company storage device and two, a non-encrypted one at that!
-
@Dashrender you are really starting to sound like @WrCombs when he's asking what he should do about policy.
It's not your problem to enforce the policy if people circumvent it, it's your job to simply follow and report violations and maybe even draft a workable policy that HR can enforce.
Edited in bold.
-
Just like cops don't actually Enforce the law, they simply report law breakers to the Court, and a Jury and Judge then validate the claim and punish the law breaker.
You're the cop, you see and report, you don't enforce.
Arresting someone doesn't mean you're enforcing the law, it means you're taking someone in to be judged by those who's job it is to enforce the law and pass punishment.
-
On the technical aspect of the request it should be easy to enforce in an Microsoft AD Enviroment as below:
https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/jj679890(v=ws.11).
https://docs.microsoft.com/en-us/previous-versions/dotnet/articles/bb530324(v=msdn.10)#grouppolicydeviceinstall_topic3cThe challenge is on Mac with FireVault. I will look into what I have with Sophos as I use them for this. However you policy should be enough.
-
I also would think they want your devices in the office to be Encrypted at a minimum as well.
-
@DustinB3403 said in Force USB encryption Windows and Mac:
@Dashrender you are really starting to sound like @WrCombs when he's asking what he should do about policy.
It's not your problem to enforce the policy if people circumvent it, it's your job to simply follow and report violations and maybe even draft a workable policy that HR can enforce.
Edited in bold.
You're assuming that a policy is simply good enough for the insurance company... if they come back with Product X satisfies the technical requirements, then clearly, policy alone does not solve the problem to their requirements.
-
@Dashrender said in Force USB encryption Windows and Mac:
@DustinB3403 said in Force USB encryption Windows and Mac:
@Dashrender you are really starting to sound like @WrCombs when he's asking what he should do about policy.
It's not your problem to enforce the policy if people circumvent it, it's your job to simply follow and report violations and maybe even draft a workable policy that HR can enforce.
Edited in bold.
You're assuming that a policy is simply good enough for the insurance company... if they come back with Product X satisfies the technical requirements, then clearly, policy alone does not solve the problem to their requirements.
So I am thinking they have a technical requirement hence why you are asking right?
