They're small, yet store an incredible amount of data; they're cheap, yet robust, with no moving parts, and they're easy to use – and lose. It’s the bane of any system administrator's job: the USB thumb drive. Love them or hate them, they're here to stay because they are now an integral part of most users' IT kits.
Unfortunately, because of their small size and low cost, most users don't value them sufficiently to look after them properly. The attitude is of inconvenience rather than concern when a thumb drive goes missing. But, the loss of an unencrypted USB key can constitute a major breach of security. A USB drive holding the company's business plans, client database or similarly sensitive data can be worth a small fortune and be of huge value to a competitor or identity thief, should it fall into the wrong hands.
Banning the use of USB devices or disabling computers' USB ports isn’t a practical security measure, as so many peripherals now connect via these ports. Therefore, enforcement of USB best practices -- particularly encryption -- has become the preferred option for ensuring data is secure if a drive is lost or stolen. Enforcing encryption of data stored on USB drives is now a lot easier than it used to be, particularly since Microsoft introduced BitLocker To Go with Windows 7. But, unless all your PCs run Windows 7, you’ll need an alternative encryption method, as the encrypted data is read-only when accessed on earlier versions of Windows.
Before you buy a software-based encryption product, consider whether this is your best option. The two main elements required for securing data on a USB drive are access control and encryption. While most offerings use the AES encryption algorithm in hardware-based products, a dedicated, on-board cryptographic processor handles access control, encryption and decryption. This means the encryption keys never leave the USB drive, unlike software-based keys, which can be temporarily stored in the computer's RAM or on the hard drive. In turn, you must trust the computers the USB drive connects to, often a significant risk.
A bigger problem is that software-based encryption can't stop brute-force attacks against the password or key, as they use the computer's memory to store the number of login attempts. This counter can be continuously reset by an attacker until an automated password cracking program finds the password. Another type of attack that software implementations can't prevent is called a parallel attack; the encrypted data is copied from the USB drive to another computer or computers where the attack is carried out. Cloud computing means it's now easy to rent supercomputer processing power by the hour, making it possible for a parallel attack to decrypt even strong passwords in a matter of hours by using brute force.
As USB hardware encryption technologies prevent the mapping of storage from the USB drive to the OS file system, until the user enters a correct password, the drive’s contents can't be copied to another computer without the user knowing the password. Protection against brute force attacks is possible, as the login counter is built into the hardware. Finally, a hardware-based encryption system is not vulnerable to a cold boot attack since it does not use the host's RAM to store the keys.
As you can see, hardware-based encryption is less prone to compromise than software products, and, as it is part of the device, it's always on. This means users can't disable encryption or forget to use it, providing a more consistent user experience with drag-and-drop functionality and giving transparent encryption to even the most impatient of users, reducing user training requirements and frustration. It doesn't degrade the performance of programs running on the host PC either, as the dedicated hardware inside the USB handles the encryption processes. Importantly, if a user unplugs the device during the encryption process, on-board encryption can ensure the files stay intact, unlike a software-based process. An uncontrolled halt of the program using software can also leave unencrypted data on the host machine, as the product can no longer overwrite unencrypted data it has copied to it.
This leads to another security problem: Any software encryption is reliant on the operating system for security. Data leaks via swap files or flaws in memory management can greatly weaken the encryption system.
Well-designed, hardware-based encryption does not require driver or software installation, keeping the encryption independent of the PC, while not leaving behind software footprints. In some hardware-based encryption systems, the code is digitally signed against the hardware, verifying software integrity each time the USB flash drive is inserted in the PC,, providing a high level of code integrity.
Data encryption is imperative for any portable device, and on-board encryption makes it much easier to enforce. Hardware-based encryption can provide better all-round data security for enterprise USB drives, and the central management and control software available from many manufactures allows password recovery, remote termination, central backup and restore, and audit tracking of usage.
McAfee Inc. offers hardware-based encrypted USB drives with AES-256 encryption and FIPS-140-2 validation, which integrate with their ePolicy Orchestrator management platform, while BlockMaster AB's SafeSticks can be centrally managed by their SafeConsole server software. If you want to add biometric authentication, Memory Experts International Inc. produces a USB drive with a finger-swipe sensor and on-board hardware AES-256 encryption that is FIPS 140-2 Level 3 validated.
Considering hardware-based encryption for USB drives is best practice, and it will certainly help the organisation comply with the many privacy laws and regulations that now cover the handling of personally identifiable information.
This was first published in April 2011