With data leakage and stolen laptops hitting the headlines with almost tedious regularity, the Trusted Client USB...
security device from Berkshire-based BeCrypt looks as if it could be just such a product.
If the USB security stick does everything it says it can, it could kill the stolen laptop problem, solve many of the problems associated with sub-contractors, and also provide some useful business continuity features into the bargain.
The newly launched Trusted Client v2 is basically a secure PC on an encrypted USB stick. It holds its own operating system, a cut-down version of Linux, and VPN software, all heavily encrypted to stop anyone tampering with it.
"This USB security stick allows the user to boot the system from an unmanaged or untrusted PC, such as a home PC, then set up a VPN connection to their corporate systems, and access central information from a remote desktop," says David Holman, BeCrypt's CEO. "It means they can get the same functionality as if they were in the office."
The usual problem with this kind of arrangement where remote users borrow a PC is that files can get copied and stored on the borrowed machine. BeCrypt stops that happening by removing the IDE drivers from Linux, thereby preventing any seepage of information between the USB stick and the PC. It means that at the end of a session, the user can remove the USB stick and know it has left no footprint on the PC.
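The "no footprint" property described above can be checked from inside a booted session by confirming that the kernel has enumerated no block device on the host PC's own buses. The following is an added example, not BeCrypt's code: it generalizes from IDE to any non-USB attachment (SATA, NVMe) by reading the Linux sysfs device hierarchy, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not vendor code): list block devices attached over a
# non-USB bus, i.e. the host PC's own disks, using the sysfs hierarchy.
# The sysfs root is a parameter so the check can run against a test tree.

# host_fixed_disks [sysfs_root] -> prints one device name per line
host_fixed_disks() {
    root="${1:-/sys}"
    rootreal=$(readlink -f "$root")
    for link in "$root"/block/*; do
        [ -e "$link" ] || continue
        dev=$(basename "$link")
        # Resolve the symlink to the device's place in the bus hierarchy,
        # then drop the root prefix so only the bus path is matched.
        path=$(readlink -f "$link")
        path=${path#"$rootreal"}
        case "$path" in
            */virtual/*) continue ;;  # loop, ram, dm-*: no hardware behind them
            */usb[0-9]*) continue ;;  # reached through a USB host controller
        esac
        echo "$dev"
    done
}

# audit_session [sysfs_root] -> returns 0 if no host disk is visible, else 1
audit_session() {
    found=$(host_fixed_disks "$1")
    if [ -n "$found" ]; then
        # $found is left unquoted on purpose to flatten the list onto one line
        echo "host storage visible to this session:" $found >&2
        return 1
    fi
    echo "no host-attached block devices visible"
    return 0
}
```

Running `audit_session` with no argument inspects the live `/sys`. Optical drives on the host's own bus are reported as well, since they also appear under `/sys/block`.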
Holman sees several advantages to the approach. "A lot of organisations such as the military and local government would like to encourage home working, but they can't necessarily afford to give everyone a laptop."
Giving everyone an encrypted USB security stick – at £50 a go – would be a lot more affordable, while at the same time keeping a grip on corporate information. And with worries increasing about floods, train strikes, pandemics and terrorism, a USB security stick could serve as a useful business continuity device if staff were prevented from getting to the office.
The product could also ensure USB security for companies that use multiple sub-contractors, he says. "If you're an aerospace company using sub-contractors, you don't want them keeping your data. With Trusted Client you can audit what data they are looking at – it becomes a very strong collaboration tool. Sub-contractors can do whatever they need to do, including writing to the database, but you control what they do. And they never take the whole database. The USB stick is encrypted, so the user cannot add any software to it. You would set what files are going to be put on the stick, you encrypt it, and then give the USB security stick to the sub-contractor."
When so many companies are struggling to control remote users through various Network Access Control mechanisms, and others seem incapable of preventing staff from walking off with complete databases on their laptops, USB security looks like an attractive package. But why should we believe the promises of a small UK company that is not widely known outside military and central Government circles?
The main reason is that, from its foundation in 2001, BeCrypt has focused on military and Government markets, where – as Holman readily admits – you can charge more for your products, but where all security products have to go through lengthy and costly accreditation by CESG, a Government body that forms part of GCHQ.
BeCrypt has gone through around 10 CESG approvals, mainly for whole disk encryption of laptops and other devices such as PDAs. Trusted Client is going through CESG approval at the moment, something that can only happen if a Government department expresses an interest in buying it, and sponsors the accreditation.
And as Holman knows, the testers are very demanding, going through the code "pretty much line by line". The process can take up to 18 months and the vendor foots the bills for the evaluators to do their job. "It can be costly," says Holman. "It depends on how well we've designed it in the first place."
His experience of working with CESG, though sometimes painful, has inspired respect for both their technical ability and fairness. For instance, the evaluators may sometimes suggest that a certain process could be coded better. But they leave it to the vendor to find the answer. "They can't offer advice. That would be seen as favouring a vendor and they must remain vendor-neutral," says Holman. "They are the national technical authority for security, and I don't think there's anyone better."
The result of all this hard work is that BeCrypt has been forced to get its basic software architecture right from the very beginning, which is something Holman now plans to exploit in the wider world. "That's why we're catching the eye of commercial clients now. Even if they don't have classified data to protect, their data is still private and needs to be protected."
BeCrypt has set up partnership deals with AEP Networks and Juniper Networks to provide the VPN part of the Trusted Client device, and according to CTO Bernard Parsons, other similar integrations will follow.
It could be several months yet before Trusted Client gets the CESG approval, but there is clearly a market for such a USB security product, in both the public and private sectors. The recent theft of a Royal Navy laptop containing personal details of 600,000 applicants to the armed forces confirms that even in BeCrypt's traditional patch, there are still some gaping security holes.