This is a guest post by Sean McGrath senior reporter at Microscope.
Striking a balance between mobility
and security is something of a Holy Grail in the enterprise world. How do
you enable employees to work from anywhere, while at the same time, ensuring
that your mobile estate remains secure?
Secure mobile storage provider IronKey was founded with a grant from the Department
of Homeland security in 2005. IronKey has always had a straightforward mandate
- to create the most secure storage solutions possible.
As part of its mission, it pioneered the first
cloud based management platform for USB devices, the first USB drives with
remote self-destruct and - the topic of today's review - the first fully secure
The purpose of the IronKey Workspace range
is simple, unoriginal and not particularly sexy. The idea is that you plug the
USB device into any PC, select it from the boot menu, and - there you have it -
a persistent and fully functioning Windows 8.1 environment. When you are done
with your work, you power down, unplug your USB and move on. It is, quite
literally a PC... on a stick.
What sets the Workspace devices apart from
the competition is the vendor's unwavering attention to security. IronKey, now
under the ownership of Imitation, has spared no expense in creating the most
secure PC-on-a-stick devices in existence. Before we move onto a hands on
review, let's quickly reflect on just how secure these devices are.
In the UK, the Communications-Electronics
Security Group recommends that portable devices used by government
agencies comply with the Federal Information Processing Standard (FIPS)
140-2 Level 2. The same applies for US federal agencies.
The theoretical weakness with many portable
drives lies in the location of the cryptographic key. Often, it is stored in
the flash memory of the device itself. It's akin to leaving the key to your
mansion under a plant pot. The Workspace's key is stored on a separate
cryptochip. Only after the user logs in with an authorized password will the
drive unlock the workspace, data and applications.
The primary difference between the W500 and
the W700 is that the W700 is the first device of its kind to meet FIPS 140-2
Level 3 specifications. Level 3 requires physical security mechanisms that are
capable of detecting and responding to attempts to access
the cryptographic module. The W700's cryptochip is surrounded by a layer of
epoxy and a metal meshing. Try to access the module and the epoxy warps the
chip, destroying any chance of ever decrypting the data.
Of course, nothing is completely
unhackable; with unlimited resources or some social engineering, the W500/W700
could still fall foul to wrongdoers. But as far as USB devices go, the Workspace
range is as secure as they come.
We were given a W500 for testing purposes,
but all specifications between the W700 and the W500 are virtually identical.
It's difficult to call a USB stick 'sexy';
but the Workspace is the Audrey Hepburn of portable storage. The brushed
aluminium casing and the rubberised lid let you know straight away that this
thing was built to last. The Workspace
devices meet the MIL-STD-810 standard, also referred to as 'US Department of Defence
Test Method Standard for Environmental Engineering Considerations and
Basically, this is a long way of saying the
IronKey devices are both waterproof and dustproof. While we didn't subject the
W500 to a bath, it has been on a motorcycle keychain for the best part of a
month and has successfully stood up to the wind and rain. It was even chewed by
an enthusiastic puppy for a good few minutes and it still looks like it just
came out of the box.
The W500 comes with Windows 8.1 as standard
but will work with Windows
10 when it is launched later this month.
We tested the W500 on three different
machines: a relatively new custom built workstation (Intel Core i7-4930K, 16GB
RAM); a relatively old laptop (Dell Inspiron 11z with Intel Celron 723 and 2GB
RAM); and a late 2014 MacBook Air.
The PC was the only machine that could take
advantage of the W500's USB 3 speeds, so that seemed like a good place to
begin. We started by plugging the device
in while the machine was already booted in Windows 7.
It is worth noting that, while the drive shows
up in the host system's environment, only 500mb of it can be utilised; the rest
is locked away, as if it didn't exist. Upon selecting the drive you are
presented with two utilities - one to make changes to the password and one to
automatically reconfigure the BIOS settings to boot from the W500.
It's also worth pointing out at this
juncture that if the BIOS is locked behind admin privileges, the machine will
not play ball with your shiny new stick.
We restarted the machine and selected the
drive from the boot options. The W500 takes a little bit longer to boot than
some other devices because it goes through two boot cycles (one to unlock the
partition and one to actually boot the OS). After a while, this became a tad
annoying, but the minor inconvenience was easily offset by the knowledge that
we were booting into a completely secure environment.
Moments later, and
we were running Windows 8.1. One might assume that there would be
degradation in performance, but the speeds felt almost identical to those of
the SSD in the machine. The W500 boasts read/write speeds of 400/316 MB/s on
USB 3.0; five times faster than Microsoft's minimum requirements for Windows To
Apps launched quickly and both CPU and RAM
intensive programmes worked without a hitch. We were running Adobe After
Effects and Photoshop side by side and even when writing video files to the
drive, it was hard to spot any considerable difference between the W500 and the
The real surprise came in when we plugged
the W500 into the Dell 11z. This little netbook/laptop hybrid has seen better
days. Booting Windows 8.1 from its internal HDD It takes roughly four minutes
from power on to Ctrl-Alt-Del, and then a further five minutes before the OS
becomes fully operational.
The W500 gave this almost useless chunk of
plastic an entirely new lease of life. The machine was booted and operational
in under a minute and the OS was once again fully responsive and useable. You
could, in theory, give every employee a ten year old laptop and a W500 and send
them on their way.
the MacBook Air, the W500 did not fare so well. We made it to preboot, but
then kept hitting walls as the OS kicked into life. We're not entirely sure
what we did, but after a couple of restarts we were up and running. Modern Macs
all run on Intel technology and so there is no logical reason why the IronKey
shouldn't work equally well using Apple's hardware, especially if you download
and install Apple Boot Camp on the OS.
It is really difficult to fault the IronKey
Workspace W500. It's well made, does what it says on the tin and most
importantly is as secure as they come. The only slight hiccup occurs when one
starts considering tangible use cases for a PC-on-a-stick.
Users still need a host machine, which will
likely be at home or in the office; and as cloud technologies bring ubiquitous
data synchronisation ever closer, it is difficult visualise exactly why an
enterprise would really need a fleet
of Windows To Go devices.
Perhaps it could make a nice little sandbox
environment; or just a useful backup device for when things go wrong.
Day-to-day though, people are still going to use the underlying system as their
go to devices.
If you disagree and do see the benefit of
arming your users with PCs-on-sticks, you won't go far wrong by choosing IronKey's