Securing data is not genetic engineering...
... sorry, rocket science is too simple now.
Here are a number of measures which SHOULD be made compulsary wherever government held information is used.
- Put a robust RFID chip as an integral part of each official USB Flash drive.
- Put Shoplifter type security (or even make it prevent operation of the turnstyles) on all exits in secure facilities.
- Do not use generic RFID tags, track specific tags (to stop someone identifying a secure USB device as the holder walks around a shoping center).
- Have Official USB flash drives tracked, and holders made responsible for their loss.
- Do not allow official flash drives to be held for extended periods.
- Have a specific process to allow tracked USB flash drives to be removed from secure sites.
- Change the USB ID on the official drives so that they do NOT appear as a generic storage device, so it becomes more difficult to read on ordinary PCs.
- Put the required driver on all systems required to use the official stick, and have it use automatic strong encryption as the data is accessed.
- Don't allow the specific driver to be installed on non-official PCs.
- Regularly rotate the keys on the specific driver and flash drives (this can be done with the flash drives by making holders regularly check the drives in).
- Clean all data from checked in flash drives when they are checked in to prevent people from using them as a backup mechanism.
- Ban the use of personal USB flash drives (or the use of phones or watches, or whatever else provides this type of function) from secure sites as part of policy.
- Disable the USB storage device handling drivers in all systems that can access private data to prevent non-tracked USB flash drives being used (I know this is difficult, but it should not be impossible, even if it means you have to put PS/2 keyboard and mouse ports back into PCs).
- Enforce the already existing GSI Security requirements for all government held data.
I'm not saying that this will make our data totally secure, but it would be a step in the right direction. It would prevent casual examination of misplaced devices. It would not stop a concerted attempt to steal data, but what would.
Very little of this is particularly complex or expensive, as most of the barrier security and procedures already exist in secure government locations.
BTW. This counts as Prior Art in the unkilely event that I am the first person to put all of these ideas together.