How to Secure an External Hard Drive
For one to three users who are willing to schedule time accessing the data, a stand-alone computer attached to an encrypted external hard drive, with an emphasis on physical security of the computer and on controlling access to the data, can be one of the most secure computing platforms for your sensitive data. An encrypted external hard drive is a modified version of the stand-alone computer: in effect, it keeps your sensitive data off the Internet or a LAN, even though you may be using your main computer that is connected to the Internet.
The emphasis for securing the data on an encrypted external hard drive is placed on removing the computer from the network while the encrypted external hard drive is in use, controlling access to the data directory, and physically securing the hard drive in a locked cabinet when not in use.
USB "thumb/jump" drives are NOT acceptable devices for this option. USB external hard drives, FireWire external hard drives, or EIDE/SAS hard drives in a StarTech-type removable device with an external power supply and at least 6" in size are acceptable options.
To make this scenario work, you need to remember and do only two things:
- Never have the network cable and encrypted external hard drive connected to the computer at the same time.
- Always secure the encrypted external hard drive in a locked cabinet, drawer, or safe when not in use.
Prerequisites for placing your sensitive data on an encrypted external hard drive:
- You need a private, lockable office, not a student computer lab.
- You need your statistical analysis applications installed on your local hard drive, not on a network server.
- You may need a new local userid on your PC, since you may not be able to use your Domain Account unless you are able to log in without an internet connection (e.g., credentials are cached).
- You must use an operating system that is currently being patched and supported by the vendor (e.g., Windows 7, 8.1, 10, Mac OS X, or Linux). You may not use Windows 95, 98, NT4, or XP. If you are unsure whether or not your operating system is currently supported, do an internet search on your operating system with the word "lifecycle." This should give you the vendor's timeline for supporting the operating system. For example, searching "Windows Lifecycle" shows the Microsoft page detailing the years during which their operating systems will be supported.
- You must not move the encrypted external hard drive from the location specified in your security plan (e.g., cannot move between office and home).
Follow these steps to prepare your computer for use with your sensitive data on an encrypted external hard drive:
- Power up the computer, which resides in a locked room accessible by authorized personnel only.
- Disconnect the network cable.
- Connect the external hard drive.
- Log in using the local userid created for accessing your sensitive data.
- Create separate directories on the external hard drive for your sensitive data and your program files.
- Either encrypt the entire external hard drive with BitLocker, PGP Whole Disk Encryption, VeraCrypt, or another whole disk encryption program, or encrypt the sensitive data directory on the external hard drive using Windows' Encrypting File System, VeraCrypt, or a similar encryption program. (Make sure you do not encrypt your program and documentation directories unless you are using Whole Disk Encryption.)
- Configure your analysis software to point temporary work files to the encrypted sensitive data directory on the external hard drive.
- Password protect your screen saver and set it to activate after 10-15 minutes of inactivity (if using a password of fewer than 16 characters, set your password-protected screen saver to activate after 3 minutes of keyboard or mouse inactivity). Since the screen saver will not activate for 3-15 minutes, it is recommended that you lock your screen (Windows = Windows Key + L) whenever you walk away from your computer, even for a few minutes.
- Install a secure erasure program. This program should be run monthly and after the secure data has been removed from the computer at the end of the contract period. (Eraser works well.)
Follow these steps each time you use your sensitive data external hard drive:
- Power up the computer.
- Disconnect the network cable. (Creating a profile that disables the network interface card is an acceptable substitute for disconnecting the network cable.)
- Connect the encrypted external hard drive.
- Log in using your local userid.
- Do not leave your computer and encrypted external hard drive unattended.
- You should make backup copies of the program and documentation directories each time you make changes. Do not copy or move your sensitive data out of the secured directory on the encrypted external hard drive for any reason.
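An added example, not part of the original guide: a PowerShell pre-session check covering the per-use steps above and the screen-saver setting from the preparation steps. It assumes the external drive is mounted as E: and encrypted with BitLocker, that the screen-saver settings are the per-user ones rather than Group Policy, and that it is run from an elevated prompt.

```powershell
# Added example: pre-session check (not from the original guide).
# Assumptions: drive letter E:, BitLocker whole-disk encryption, elevated prompt.
param([string]$DataDrive = 'E:')

$problems = @()

# No network link may be up while the encrypted drive is attached.
# This covers Wi-Fi and any other adapter, not only the wired port.
foreach ($nic in (Get-NetAdapter | Where-Object { $_.Status -eq 'Up' })) {
    $problems += "Adapter '$($nic.Name)' is up: unplug the cable or disable it."
}

# The drive must be a BitLocker volume. A still-locked volume is acceptable;
# an unlocked one must be fully encrypted with protection switched on.
$vol = Get-BitLockerVolume -MountPoint $DataDrive -ErrorAction SilentlyContinue
if (-not $vol) {
    $problems += "$DataDrive is not attached or is not a BitLocker volume."
} elseif ($vol.LockStatus -ne 'Locked' -and
          ($vol.ProtectionStatus -ne 'On' -or $vol.VolumeStatus -ne 'FullyEncrypted')) {
    $problems += "${DataDrive} protection=$($vol.ProtectionStatus), status=$($vol.VolumeStatus)."
}

# Screen saver: password protected, activating within 15 minutes (900 seconds).
# Missing registry values read as empty / 0 and are reported as failures.
$desk = Get-ItemProperty -Path 'HKCU:\Control Panel\Desktop'
$timeout = [int]$desk.ScreenSaveTimeOut
if ($desk.ScreenSaveActive -ne '1' -or $desk.ScreenSaverIsSecure -ne '1') {
    $problems += 'Screen saver is not enabled with password protection.'
} elseif ($timeout -le 0 -or $timeout -gt 900) {
    $problems += "Screen saver timeout is $timeout s; the limit is 900 s."
}

if ($problems.Count -gt 0) {
    $problems | ForEach-Object { Write-Warning $_ }
    exit 1
}
Write-Output "Checks passed: network down, $DataDrive encrypted, screen saver locked."
```

The 900-second limit is the upper bound for passwords of 16 or more characters; with a shorter password, lower it to 180 to match the 3-minute rule.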
Follow these steps when you are not using the sensitive data external hard drive:
- Power down the computer.
- Disconnect the external hard drive.
- Lock the external hard drive in a secure place (e.g., a file cabinet, drawer, or safe).
- Connect the network cable.