IronKey S200


A few hours ago I was pondering what to write about. But that problem was solved when a friend asked if I’d written about the fantastically new and secure USB stick by IronKey. The truth is that I’d forgotten about it so could only muster up a few Hugh Grant-esque “gosh” and “jollys”. Of course I’d never admit to having forgotten about it. That would be like forgetting someone’s name, or mistaking their baby boy for a baby girl.

I’m not exactly sure if this forgetfulness has anything to do with my inherent laziness. It’s as if, were I to enter a room with more than 3 people, my brain makes a slow whirring sound and switches off. I mean there’s no chance that I’m going to remember the names of everyone to whom I’m introduced, so I don’t even make the effort.

So why have I forgotten about IronKey’s new S200 device? The first and only USB flash drive to meet the rigorous government security requirements of FIPS 140-2, Security Level 3 with hardware-based AES 256-bit encryption in CBC mode.

*whirrrrrrr* brain powering down.

In many ways, this truly is a remarkable device. The security technology is good and doesn’t ruin the user experience.

But why does this not excite me?

Well, you see, do you really want your end users to have access to such sensitive data? Additionally, would you want your users to have the ability to copy the data onto removable media?

OK, so let’s assume you’re one of those free man-love organisations who allow your users carte blanche access to all your data. It’s surely a lot cheaper to have a desktop-based encryption mechanism where you encrypt the files before you put them onto the USB or CD or VHS tape. That way, you’re not reliant on one format and the files are secured before they even leave the PC.

However, in order to achieve this you have to trust that your users will fire up their encryption programme and actually use it to encrypt the files in the first place. No doubt relying on them to devise a strong passphrase which meets your guidelines. Then ensure that once it’s done properly, they don’t stick a post-it on the USB with the passphrase written onto it.

*whirrrrrrrrrr*

  1. #1 by yibble on July 27, 2009 - 3:33 pm

    But is it platform independent? That’s what we really need, something that has a nice LUKS compatible interface for the Windows users, yet is completely compatible with LUKS supporting GNU/Linux distros, like Fedora.

  2. #2 by Spencer on July 27, 2009 - 7:27 pm

    Have you ever tried to prevent your users from removing data from a given area? Without a strip search this is impossible. “Concept of operations” fails in this regard. So how do you fix the problem? Have you ever tried to enable your users to transfer data between physically separate networks? Based on this blog entry I doubt it. You refer to file-based encryption. Talk about a portability nightmare. Most of those wrap the files in Windows-only binaries. Hardly friendly IMO.

    “However, in order to achieve this you have to trust that your users will fire up their encryption programme and actually use it to encrypt the files in the first place.”

    This is not software-based file encryption, this is device-level hardware encryption. The password complexity requirements can be easily adjusted from organization to organization. Once the device is unlocked it is mounted and used in the exact same way as any other thumb drive.

    As for the first commenter, yibble: yes it does include cross-platform binaries (Windows, OSX, Linux) for unlocking the device. Only problem I’ve seen is that the Linux binary is statically linked and requires a /lib directory, not a /lib64. /lib is present in most 64-bit environments, but surprisingly missing in F11. It is there and ironkey works on RHEL5-64 BTW.

  3. #3 by Tom on July 27, 2009 - 10:32 pm

    @spencer “Have you ever tried to prevent your users from removing data from a given area? Without a strip search this is impossible.”

    HAHA HAHA HA

    And an encrypted USB device solves this problem? Yes, they will clearly not print any information or put anything onto a CD and won’t even think of emailing it out of the organisation */tongue cheek*

    What did Iron Key’s marketing department put in your drink?

  4. #4 by Ulreich on July 29, 2009 - 2:21 am

    I think the Cynic’s next blog post should be: “Enabling your users to transfer data between physically separate networks”. I’m sure that would keep Spencer satisfied! ;-)
