Striking a balance between mobility and security is something of a Holy Grail in the enterprise world. How do you enable employees to work from anywhere, while at the same time, ensuring that your mobile estate remains secure?
Secure mobile storage provider IronKey was founded with a grant from the Department of Homeland Security in 2005. IronKey has always had a straightforward mandate – to create the most secure storage solutions possible.
As part of its mission, it pioneered the first cloud-based management platform for USB devices, the first USB drives with remote self-destruct and – the topic of today’s review – the first fully secure PC-on-a-stick.
The purpose of the IronKey Workspace range is simple, unoriginal and not particularly sexy. The idea is that you plug the USB device into any PC, select it from the boot menu, and – there you have it – a persistent and fully functioning Windows 8.1 environment. When you are done with your work, you power down, unplug your USB and move on. It is, quite literally, a PC… on a stick.
What sets the Workspace devices apart from the competition is the vendor’s unwavering attention to security. IronKey, now under the ownership of Imation, has spared no expense in creating the most secure PC-on-a-stick devices in existence. Before we move on to a hands-on review, let’s quickly reflect on just how secure these devices are.
In the UK, the Communications-Electronics Security Group recommends that portable devices used by government agencies comply with the Federal Information Processing Standard (FIPS) 140-2 Level 2. The same applies for US federal agencies.
The theoretical weakness with many portable drives lies in the location of the cryptographic key. Often, it is stored in the flash memory of the device itself. It’s akin to leaving the key to your mansion under a plant pot. The Workspace’s key is stored on a separate cryptochip. Only after the user logs in with an authorized password will the drive unlock the workspace, data and applications.
The primary difference between the W500 and the W700 is that the W700 is the first device of its kind to meet FIPS 140-2 Level 3 specifications. Level 3 requires physical security mechanisms that are capable of detecting and responding to attempts to access the cryptographic module. The W700’s cryptochip is surrounded by a layer of epoxy and a metal meshing. Try to access the module and the epoxy warps the chip, destroying any chance of ever decrypting the data.
Of course, nothing is completely unhackable; with unlimited resources or some social engineering, the W500/W700 could still fall foul of wrongdoers. But as far as USB devices go, the Workspace range is as secure as they come.
We were given a W500 for testing purposes, but all specifications between the W700 and the W500 are virtually identical.
It’s difficult to call a USB stick ‘sexy’; but the Workspace is the Audrey Hepburn of portable storage. The brushed aluminium casing and the rubberised lid let you know straight away that this thing was built to last. The Workspace devices meet the MIL-STD-810 standard, also referred to as ‘US Department of Defence Test Method Standard for Environmental Engineering Considerations and Laboratory Tests’.
Basically, this is a long way of saying the IronKey devices are both waterproof and dustproof. While we didn’t subject the W500 to a bath, it has been on a motorcycle keychain for the best part of a month and has successfully stood up to the wind and rain. It was even chewed by an enthusiastic puppy for a good few minutes and it still looks like it just came out of the box.
The W500 comes with Windows 8.1 as standard but will work with Windows 10 when it is launched later this month.
We tested the W500 on three different machines: a relatively new custom-built workstation (Intel Core i7-4930K, 16GB RAM); a relatively old laptop (Dell Inspiron 11z with Intel Celeron 723 and 2GB RAM); and a late 2014 MacBook Air.
The PC was the only machine that could take advantage of the W500’s USB 3 speeds, so that seemed like a good place to begin. We started by plugging the device in while the machine was already booted in Windows 7.
It is worth noting that, while the drive shows up in the host system’s environment, only 500MB of it can be utilised; the rest is locked away, as if it didn’t exist. Upon selecting the drive you are presented with two utilities – one to make changes to the password and one to automatically reconfigure the BIOS settings to boot from the W500.
It’s also worth pointing out at this juncture that if the BIOS is locked behind admin privileges, the machine will not play ball with your shiny new stick.
We restarted the machine and selected the drive from the boot options. The W500 takes a little bit longer to boot than some other devices because it goes through two boot cycles (one to unlock the partition and one to actually boot the OS). After a while, this became a tad annoying, but the minor inconvenience was easily offset by the knowledge that we were booting into a completely secure environment.
Moments later, and we were running Windows 8.1. One might assume that there would be degradation in performance, but the speeds felt almost identical to those of the SSD in the machine. The W500 boasts read/write speeds of 400/316 MB/s on USB 3.0; five times faster than Microsoft’s minimum requirements for Windows To Go certification.
Apps launched quickly and both CPU and RAM intensive programmes worked without a hitch. We were running Adobe After Effects and Photoshop side by side and even when writing video files to the drive, it was hard to spot any considerable difference between the W500 and the native drive.
The real surprise came when we plugged the W500 into the Dell 11z. This little netbook/laptop hybrid has seen better days. Booting Windows 8.1 from its internal HDD, it takes roughly four minutes from power on to Ctrl-Alt-Del, and then a further five minutes before the OS becomes fully operational.
The W500 gave this almost useless chunk of plastic an entirely new lease of life. The machine was booted and operational in under a minute and the OS was once again fully responsive and useable. You could, in theory, give every employee a ten year old laptop and a W500 and send them on their way.
On the MacBook Air, the W500 did not fare so well. We made it to preboot, but then kept hitting walls as the OS kicked into life. We’re not entirely sure what we did, but after a couple of restarts we were up and running. Modern Macs all run on Intel technology and so there is no logical reason why the IronKey shouldn’t work equally well using Apple’s hardware, especially if you download and install Apple Boot Camp on the OS.
It is really difficult to fault the IronKey Workspace W500. It’s well made, does what it says on the tin and most importantly is as secure as they come. The only slight hiccup occurs when one starts considering tangible use cases for a PC-on-a-stick.
Users still need a host machine, which will likely be at home or in the office; and as cloud technologies bring ubiquitous data synchronisation ever closer, it is difficult to visualise exactly why an enterprise would really need a fleet of Windows To Go devices.
Perhaps it could make a nice little sandbox environment; or just a useful backup device for when things go wrong. Day-to-day though, people are still going to use the underlying system as their go-to devices.
If you disagree and do see the benefit of arming your users with PCs-on-sticks, you won’t go far wrong by choosing IronKey’s Workspace devices.