DLP, a Must for Any Removable Media Security Program

When considering the use of removable media within a secure area, we are often concerned with preventing malware or threats from entering our site. We rarely think about what happens when those devices, and at times, our data leave the site. Those individuals who take such good care of our operations and equipment do eventually leave work and continue their day. Along the way, they often collect files, logs, and content from the site. Recently, we saw what can happen when sensitive data leaves a secure site and, with it, control of that data. An individual in Japan left work and went to a bar for a few beverages at the end of the workday. Over the course of the evening, they lost a USB stick that contained the personal details of nearly half a million people. The personal details included the names, birth dates, addresses, tax information, bank account numbers, and even data on families receiving social security.

Scary incidents like this show the need for us to reevaluate our security policies and see what we can do to prevent such incidents from happening at our own sites. What if we can support our business needs by bringing in critical patches and updates without the risks that removable media can bring? What if we can safely bring files into a protected area with no risk of the data going back out? This is possible with the right technology and policies in place, and OPSWAT offers many options. 

MetaDefender Kiosk to Vault (Enhanced Data Loss Prevention)

Vendors and contractors often need to extract files from a facility for debugging and analysis purposes. In this use case, the data flow can go to and from MetaDefender Vault. Outgoing data will start at the MetaDefender Vault and flow to MetaDefender Kiosk where the authenticated and authorized user can extract the files using approved media. Data Security and Data Privacy rules are enforced through pre-defined data redaction rules assigned to the relevant workflow.

These data redaction and workflow rules are designed to enhance GDPR, NIST, HIPAA, HITRUST, ISO/IEC, and ISA/IEC data security and data privacy compliance. All data transfers and workflow configuration changes are logged for detailed audit reporting. A strong “closed-loop” option for MetaDefender Kiosk provides for the security of Data at Rest and Data in Transit. In this use case, the Kiosk provides workflow control where files are delivered unidirectionally using NetWall USG to MetaDefender Vault, hosted on the target network. MetaDefender Vault provides tiered supervisory authentication, authorization, approval, and audit reporting when transferring, storing, and retrieving files into and out of protected network segments.

Network A to B is performed by one set of NetWalls for unidirectional communication. A second set of NetWalls will provide the transfer back to the Kiosk with enforcement for data loss prevention. Isolation between Network A and B is preserved by NetWall’s non-routable protocol break between source and destination servers.

All files in MetaDefender Vault are AES encryption secured, monitored, and checked for malware using 30+ anti-malware engines, then sanitized, and quarantined based on configuration and workflow policies.

Kiosk Scan and Copy to Approved Internal Site USB 

Another way to prevent sensitive data from leaving your site is to use a copy function to a trusted and internal-only USB. In doing so, the visitor can insert their USB containing the files they need to use on-site. The files are then scanned and copied to a “site USB.” This device will never leave the site. The visitor can use this trusted device while they perform their tasks, such as securely updating OT assets, and then leave it with their site contact before heading home for the day. The original USB device they brought remains unchanged and never enters the protected area within the site.

Now more than ever, with the evolution of cyber threats and more complete cybersecurity technology made available, we need to continue to reevaluate our cybersecurity program and policies with modern technology to better defend against new threat gaps that lead to the loss of sensitive data.