Users of the IronKey brand secure USB flash drive will already be familiar with the impenetrable security available in removable storage devices but things have moved on considerably since IronKey was taken over by Imation. The branding has been retained and the familiar flash drives are still available but the range has been expanded to encompass more models of flash drive and now also a range of hard disk drives with similarly hardened security. We tested the H300 Basic and Enterprise models to see if they really do represent the latest in removable storage security.
The Basic model is essentially a large capacity IronKey device with moving components and more weight but if capacity is what you want, this ticks the boxes left blank by the IronKey range of flash drives with the H300 available in 500Gb and 1Tb versions as opposed to the maximum 64Gb available on the flash devices. It should also be mentioned that disk drives traditionally last a lot longer than flash memory. Having said that, ProSecurityZone have had two flash drives from IronKey in their possession which have given many years of reliable, continuous use without the usual "sudden death" events normally associated with flash memory after it has reached a certain age.
The downside of the H300 is that its control panel isn't as comprehensive as the flash drive's version: it has no resident browser, a feature we've found useful because it prevents a "footprint" being left on the browsers of computers you're using as a guest, such as in an internet cafe.
For personal use and small businesses, the H300 Basic is ideal, but for larger enterprises that want more control over endpoint storage, the Enterprise version offers comprehensive command and control using a web-based console.
The console is a tool that enables a corporate IT administrator to set up access rights, passwords, usage restrictions and other policies for each individual device. The console itself is accessed through device authentication so it's impossible for an end user or intruder to access it through a URL. This is because the console's URL changes at every session. The management platform can be held on an on-premises server or hosted by Imation in the cloud.
The management and administration of all remote devices and users can be performed from the console and user statistics can be displayed. Given that remote field workers often need to work and access data offline, policies can be set to allow offline usage a set number of times, or offline use can be completely disabled so that the user is unable to access the device without logging onto the cloud or "phoning home". Repeated attempts to gain unauthorised access result in the user being locked out or the contents of the drive being destroyed, depending on the policy settings. IP geo-location restrictions can also be set in the policies to prevent the device being used or accessed in certain territories.
In extreme circumstances, if the device is lost, stolen or otherwise compromised, it can be set to self-destruct the next time it connects to the internet. Having "called home" automatically when connected, it is sent a set of instructions which effectively fry the cryptochip, thereby rendering the scrambled data on the device forever unreadable.
Passwords vs Biometrics
The H300 Enterprise offers extremely flexible password management options. The IT administrator can set such parameters as how complex the password needs to be and how often it should be changed. Although the console doesn't hold any password lists, it can send an instruction to a remote device for the user to change the password according to pre-set policies.
The device itself seemed to us to lend itself perfectly to the incorporation of biometric technology for authentication, thus doing away with the need for passwords altogether, and I talked to Michal Kujawka of Imation about the use of biometrics versus passwords. He told me that Imation can supply similar products which have biometric authentication, such as the F200 IronKey flash drive and the H200 hard drive. However, within an enterprise environment, the biometric products can't be mixed with the password products as yet.
The reason for this lies in the problem of technology development through acquisition. The H300 and the non-biometric flash drives all came about as a result of Imation's acquisition of IronKey, whilst the F200 flash drive and H200 biometric hard drive both result from the acquisition of MXI Security, and so they are two fundamentally different platforms onto which a common management system can't realistically be built.
The cryptography used on the biometric devices is different from the IronKey cryptochip and can only be used with an on-premises console. The choice therefore between the two technologies will be dependent on whether the enterprise wants biometric authentication and whether they want cloud or on-premises management.
The IronKey range of personal removable storage devices has always offered highly secure and affordable memory for private users and small businesses and with the introduction of enterprise management, Imation has extended this model to higher end users who can now also realise the advantages of hardened individual endpoint storage at affordable cost with central management either on-premises or in the cloud.
The issue of authentication technology really only presents itself at the initial specification stage, at which time important choices need to be made and then stuck to throughout the lifecycle of the investment. With passwords set to eventually be consigned to their deserved resting place in the big "Recycle Bin" in the sky, two-factor authentication and biometric technology will become the norm and the choice of platform will become more simple to make. In the meantime, I'm certain that Imation will be developing its convenient, secure, affordable and simple IronKey platform to meet the authentication challenges in the post-password era.
Jonathan Newell is a broadcast and technical journalist specialising in security systems and transport safety. He contributes to a range of titles in the technical press. He shares his time between the UK and Kazakhstan.