Hollywood makes secure flash storage look easy. If the bad guy steals a thumb drive, it either blows up or some secret counterintelligence agency marshals the nation's resources in a no-holds-barred data hunt -- most likely with Bruce Willis or Tommy Lee Jones working the streets. If the good guy steals the drive, it goes to a special-needs, special-deeds sidekick in a basement somewhere who cracks the code in 5 minutes.
That's the Hollywood treatment, but -- exaggerations aside -- it contains some elements of truth. Flash drive security is readily available, and some of it is free. Ease of use, however, is another matter.
Secure flash drives give security-conscious users a great way to transport sensitive information. And you can work directly off of such drives so that their top-secret data never resides in another location -- except on a secure online backup service, of course.
Hardware vs. Software
The three basic approaches to securing data on a flash drive involve using software, hardware, or a combination of both.
The simplest, least expensive way to secure your data is to use a program such as 7-Zip to create encrypted archives on your flash drive. The obvious drawback of this method is that you must have the appropriate decryption software on any PC that you want to access the data from. (A portable version of 7-Zip is available, however.)
A slightly more elegant solution is Encrypt Stick, which also resides on the flash drive as a portable application but is designed solely for secure storage.
Easier yet is a secure flash drive that, upon being inserted into a PC's USB port, automatically runs software by tricking the operating system into thinking that you've inserted a CD. This software resides on a small CD emulation partition; the rest of the drive is used for storage. Variations on this approach run the gamut from simply providing access to the encryption program (as with the CMS Vault OTG) to hiding the data partition until you've run its control panel and entered a password to enable it (which is the method that IronKey Personal S200 uses).
A hardware-only product has special appeal to businesses and other security-conscious organizations that don't want and won't allow users to insert any type of executable file from a flash drive into their systems. Any type of software on a flash drive is vulnerable to tampering.
Hardware-only options include the Lok-It drive from Systematic Development Group, which requires the user to enter a PIN, using the buttons on face of the drive. Though it's a nice product, Imation's Defender F200 is the hands-down winner for cool, softwareless ease of use. The drive has a biometric finger scanner on top, which requires no software intervention when used alone. The F200 also uses the CD trick, but only for the configuration software or for additional password protection.
How Many Bits Are Enough?
No matter which hardware or software product you choose, it pays to know what type of security the item uses.
Any number of programs offer AES 128, 192, or 256. AES (Advanced Encryption Standard) is a symmetrical ciphering system -- which means that it uses the same password or key to encrypt and decrypt data -- and 128, 192, and 256 represent the number of bits in the key. The greater the number of bits, the larger the number of possibilities a cracking program must try to ensure that it will come up with the right one.
Because of the current choice between 32-bit and 64-bit computing and operating systems, you may know that an unsigned 32-bit binary number can be anything up to about 4.3 billion (4GB), and an unsigned 64-bit number can be up to about 18.4 quintillion. It follows that 128-bit, 192-bit, and 256-bit numbers areimmense, and they have names you've probably never heard of.
Though computers are fast, they aren't fast enough to crack numbers at those sizes in a reasonable amount of time. At today's processing speeds, a brute-force attack that tried every possible solution would take billions of years (on average) to crack a 256-bit number -- assuming that the person who created the password chose a full-strength password that used all of the bits. The larger the number, the slower the encryption or decryption -- but for the modest amounts of data we're talking about here, that's generally not an issue.
If you're planning to transport a working recipe for cold fusion, you might want to confirm that your portable drive satisfies a high level of FIPS 140-2 (Federal Information Processing Standard, Publication 140-2). FIPS 140-2 isn't a technology, but a definition of what security mechanisms should do.
There are four FIPS 140-2 levels. Level 1 involves using an approved encryption algorithm (such as AES 256). With level 2, the encryption is supplemented by a means to reveal tampering. Level 3 adds protection for the encrypting mechanisms and algorithms themselves. And with level 4, you add physically daunting packaging and fry the data and decrypting mechanisms if a breach occurs. At last, Mission Impossible!
The Imation Defender F200 has been validated for level 3 security. Validation is an expensive process performed by a trusted partner of the company; it can take 12 to 18 months. More commonly in the product packaging or advertising, you'll see an indication such as "FIPS compliant," as with the IronKey Personal S200, which simply means the device follows the guidelines. Lexar's JumpSafe S3000 FIPS says that the product is "designed to meet," which might mean nothing more than that the company read the government's 140-2 guidelines.
What You Want
For most users, the free software approach is adequate, though not particularly convenient. Auto-run flash drives are a bit easier, and they carry only small price premiums. Full on, software-less, Hollywood-like magic such as the Defender F200 costs you four, five times or more per gigabyte than a plain drive, but the convenience and wow factors are huge.
Join the CIO Australia group on LinkedIn. The group is open to CIOs, IT Directors, COOs, CTOs and senior IT managers.