PC virtual desktop on an encrypted USB drive: Product snapshot

While booting a virtual desktop from a USB might not be new, booting a desktop that features and focuses on security is. In this article, U.K. Bureau Chief Ron Condon examines the newest offerings in the secure USB virtualisation space.


Equipping mobile workers with laptops can be expensive, as well as risky. Machines need to be secured and patched regularly, and if they are lost, they can present a security risk.

Now, with the rise of high-capacity USB memory sticks, an alternative to traditional mobile business computing is emerging. By creating a virtual desktop on a USB thumb drive, companies can provide employees with the means to communicate safely with corporate systems and work securely from any PC, including a home machine or a device in an Internet café.

If the virtual environment is correctly configured, the user should be protected from any viruses or keyloggers that may be lurking on the host machine. And when they close the session and remove the USB stick, users should leave no footprint or clue that they had ever used the machine.

Provided the user can find a PC to use, the advantages are clear. The USB stick is cheaper, lighter to carry and can be centrally managed. If it is an encrypted USB drive, it has zero value to a thief or to someone who finds it in the street. It can also be a useful business continuity measure if employees are suddenly prevented from using their office systems. The rapid distribution of encrypted USB drives would allow employees to work from home while maintaining policy control.

The concept of creating a virtual desktop on a USB stick is nothing new. A Web search for "PC on a USB stick" turns up several products, some of them open source, that allow users to piggyback on someone else's computer and run their own virtual desktop. The difference with the new products appearing on the market, however, is that they incorporate native encryption on the USB stick, are packaged with security in mind, and are designed to be managed centrally by the company issuing them to its employees.

Here is a selection of the available products:

Abra, from Check Point Software Technologies Ltd.
This is a derivative of Check Point's SSL VPN technology, which has been loaded on to a SanDisk Corp. USB stick with built-in hardware encryption. It is designed to provide an easy connection to the Check Point Connectra secure remote access gateway running on the user's corporate systems.

When plugged into a host PC, Abra sets up a secure workspace in the computer's memory, and then creates the secure connection to the corporate gateway. Under management from the corporate system's administrator, it can be controlled by policy to carry out a check on the host PC, using Check Point's endpoint security products, for everything from up-to-date antimalware, to the presence of a firewall or a properly patched operating system. Policy can then dictate how endpoint non-compliance would be handled; the user may be allowed to continue with a warning, or the session might be closed down.

Abra currently comes in 4 GB and 8 GB versions, and prices generally range between £100 and £150.

SafeStick from BlockMaster AB
Swedish security company BlockMaster is well known for its rugged hardware-encrypted USB sticks and its SafeConsole management platform that allows companies to manage and control the use of USB devices on their systems. Now the company has teamed up with two suppliers of virtual desktop software -- Moka5 Inc. of California, and Ceedo Technologies Ltd. of Israel -- to create what it says is a secure, manageable and portable computing device.

When companies deploy the device to individuals or groups of workers, the workers register themselves as users on their networked corporate system, where SafeConsole ties their Active Directory details to the unique identifier on their USB stick. It then deploys the virtual desktop software, and thereafter the users are free to take the stick with them and use it from any host machine.

According to BlockMaster, Moka5 is best suited to companies that want to virtualise the whole of the user's desktop, while Ceedo is better suited to deploying certain applications that the users need all the time, such as a VPN connection or certain desktop applications. Ceedo collaborates with the operating system on the PC, while Moka5 runs with its own standalone operating system.

Being under central admin control, the stick can restrict what executables can run within the virtual desktop, and thus prevent leakage of data via malware on the host PC.

BlockMaster produces a SuperSonic version of the SafeStick with extra-fast memory, which it says will boost performance of the virtual desktop session. Prices are between £100 and £150 depending on size and the choice of virtual desktop software.

IronKey from IronKey Inc.
This is a rugged USB device that manages to combine virtualisation, authorisation and storage in one product. IronKey has put its products through the most stringent certifications for the U.S. military, so security is built in throughout the whole manufacturing process. It is designed to be super-tough, capable of withstanding extremes of heat, cold, water and sand.

The device has its own fast cryptographic processor, and can also double up as a one-time password token for secure two-factor authentication.

IronKey has worked with a variety of companies to produce different levels of desktop virtualisation, including VMware Inc., Moka5 (also used by BlockMaster), Becrypt Ltd. (see below) and RingCube Technologies Inc.

It has also collaborated with Lockheed Martin Corp. to produce the IronClad stick, which contains its own operating system, as well as the user's applications and files. This means that when plugged into virtually any host PC, it bypasses the host's hard disk and works entirely from the stick itself.

IronKey supports on-board strong authentication from RSA Security, CRYPTOCard Inc. and VeriSign Inc., thereby removing the need to carry a separate token. It also produces a special IronKey Trusted Access for Banking, designed to help banks protect their clients from financial malware threats.

An 8 GB IronKey portable security device with remote management service starts at £150 (including one year of service and support). Antimalware scanning and strong authentication options are also available. Desktop virtualisation software is available from IronKey's partners and is priced separately.

Trusted Client from Becrypt Ltd.
Becrypt is best known in U.K. government and military circles, and its Trusted Client software has been built with strong security in mind. Companies can buy the software and load it on one of a range of recommended USB sticks, or they can buy it loaded on to the rugged stick supplied by IronKey (see above).

Trusted Client comes with its own operating system -- a cut-down version of Linux -- and VPN software, all encrypted to stop anyone from tampering with it. The user plugs the device into any unmanaged Windows PC and boots up the system from the stick, completely bypassing the host machine's hard disk. This prevents malware reaching the Trusted Client environment, and also stops any information leaching out onto the host machine.

Becrypt also offers central management software, the Becrypt Enterprise Manager, which logs all usage, and can also deactivate the device if it is reported lost. Becrypt says the Trusted Client software costs £73 per user, with discounts for volume purchases. The company also plans in June to release a version of Trusted Client to run on a netbook PC.
