[unisog] Policy on "removeable storage devices"
r.fulton at auckland.ac.nz
Fri Apr 29 04:35:27 GMT 2005
On Thu, 2005-04-28 at 23:37 -0400, Valdis.Kletnieks at vt.edu wrote:
> On Fri, 29 Apr 2005 12:29:42 +1200, Russell Fulton said:
> > We are particularly interested to hear if anyone has experience with
> > data encryption for such devices -- either built in to the device or via
> > software on the 'host' machine.
> Just a quick reminder here - you really need to figure out what your threat
> model is. Does the crypto merely have to stop a casual attacker who swiped the
> laptop off a luggage cart and fenced it for some money, or does it have to stop
> a determined attacker who swiped that *particular* hardware because they knew
> the data they wanted was on it?
Our threat model includes the latter scenario at least in some
applications. We have had cases where academics have 'lost' pen drives
while preparing exam papers. We have also had cases where academics have
lent pen drives to students to transfer some files and then realised
that their exam drafts were on the drive...
Policy is likely to be stated in terms like "documents with a
classification of Confidential or above must not be stored on any
removable storage device in an unencrypted form". Where encryption
means real(tm) encryption (at least triple rot13 ;)