Case Study: USB flash drive security risk removed

Barclays Bank in the UK has recently undertaken an overhaul of the hardware in its high street branches. The Application Development Infrastructure Renewal (ADIR) programme includes transferring old branch terminals onto a PC platform to make them easy for Barclays’ staff to use. But the new platforms have to be secure.

Barclays uses a mixture of Windows XP, Windows 2000 and Windows 2003 across it’s PC estate. The bank needed to ensure that certain devices, such as USB drives, were not freely usable, therefore removing the risk of intruders tampering with PC’s via the USB ports.

The main aim was to create a secure environment within the branch network, and in that to secure against the unauthorised use of USB devices, as well as serial ports and floppy drives. All unauthorised methods of infiltrating the network had to be locked down.

A a purely Active Directory-based solution would have struggled to do this in a cost effective and flexible way.

After reviewing a number of products Barclays chose SecureWave’s Sanctuary Device Control which enabled the complete lock-down of USB ports. It prevented all unauthorised connection of USB devices to the network, with the added flexibility of allowing individual permissions where appropriate – enabling IT managers to lock and unlock particular USB drives as necessary as priorities and privileges of certain staff changed. Therefore, the product provided secure management of bank-wide USB device usage, while also offering more granular resource management where necessary.

Barclays asked QinetiQ, an independent security company, to carry out extensive testing of the SecureWave product before it was deployed. QinetiQ okay'd SecureWave use. Barclays risk team agreed and the product became the standard security solution for the ADIR implementation.

Prior to roll out to the branch network Sanctuary Device Control was put through a pilot implementation in a ‘branch replication’ environment, which mirrored the actual infrastructure in which it would operate.

It passed this final check and was rolled out to all 1,600 branches, meaning approximately 16,000 workstations were protected with Sanctuary Device Control.

“One of the main benefits in deploying Sanctuary Device Control is its ‘white-list’ feature, which ensures that no device, unless authorised, can ever be used, no matter how it gets plugged in”, said Paul Douglas, ADIR Desktop Build Team Manager at Barclays. “Flash memory USB devices represent a significant risk with the potential to steal company data or introduce “malware”, which could render the computer unusable and quickly infect other PCs on the same network. Device Control is a really strong, easy to use product which is why Barclays chose it”.

The introduction of Sanctuary Device Control has significantly increased the security and reliability of Barclays network infrastructure. “In the security field we can’t really talk in terms of ROI but suffice to say, you cannot put a price on the credibility of the bank and so we have to ensure that none of the branch PCs can be penetrated”, said Douglas.