What do Fidelity Investments, Boeing, Ameriprise Financial, the YMCA, and the U.S. Department of Transportation all have in common?
Those are just a few of the organizations that suffered serious breaches of customer data or other confidential information when a company laptop was stolen or lost in the past year. And in several cases, the repercussions were serious, with regulators and the news media coming down heavily on those companies.
Until now, security solutions for laptops have focused on such techniques as clandestine software trackers, data time bombs, and good old-fashioned encryption (see “Help! I’m Your Laptop and I’ve Been Stolen”). But there’s another option that may be even more appealing from a security and asset management point of view: why not eliminate the laptops altogether?
The rise of a new breed of portable flash memory drives may make laptops unnecessary. This new breed of USB “stick” drive departs from its predecessors by allowing applications to be run directly from the device. Unlike the makers of consumer drives with those capabilities, though, some stick makers have taken the technology a step further by integrating the drives with administrative tools on a corporate network. That gives a company more control over the use of the drives.
In a typical setup, a stick, or token, is initialized the first time it is plugged into a computer connected to a company’s network. A drive may contain secure E-mail software, a custom browser, a spyware scanner, a “vault” for storing data in encrypted form, virtual private network software, and encrypted passwords.
“The whole point of this device is that it’s a thin client that you can walk around with,” explains Vimal Vaidya, CEO of RedCannon Security in Fremont, Calif. “You can take it anywhere and safely plug it into any computer.” Security software on the stick will determine if a safe session can be conducted, he adds.
Corporate policies on enterprise use can be incorporated into the device and automatically enforced, Vaidya continues. For example, if a password is incorrectly entered three times, the system can automatically reset it. Moreover, sessions conducted with the drive remain within the drive: no traces of the session are left on the host computer. If the device is lost, access to it can be controlled by the company — it can be “locked down” and become inaccessible unless returned to the office, or all data on the device can be automatically destroyed.
Such “computers-on-a-stick” can also be used to increase productivity across an organization. Vaidya notes that, on average, only 15 percent of enterprise users have laptops. That means most are bound to their desktop or need to install software on computers when away from the desktop. “USB drives allow people who want to be outside the office and working to easily do that without installing software,” he explains.
Until recently, RedCannon’s enterprise solution worked only with a USB drive with hardware encryption. That means the drive contains a processor that automatically encrypts information on it. However, the company recently released a version of its software that will work with any off-the-shelf drive.
That kind of solution, though, is less secure than hardware encryption, according to Nimrod Reichemberg, director of marketing for enterprise solutions at Msystems, of Sunnyvale, Calif., a RedCannon competitor that was purchased by SanDisk in November. “You take any plain vanilla drive and you put enterprise software on it, that software can be deleted and it reverts to a plain vanilla drive,” he contends.
Regardless of the kind of USB drive that’s being used, there are fundamental security issues that can’t be avoided, maintains Nate Lawson, a senior researcher with Cryptography Research in San Francisco. “Anything that’s plugged into a USB port can’t initiate transactions,” he says. “It can only respond to them. So the USB drive couldn’t do anything to scan memory or look for malware until the operating system is functional. At that point, the malware could already be running.”
Aside from security, the idea of a computer-on-a-stick may be a tough sell to some users. “I can’t imagine getting to the point where I would put all of my work and all my applications resident on a piece of media that I can put in my pocket,” confesses Dennis Szerszen, senior vice president of SecureWave in Herndon, Va. “I’d be afraid that I would lose it and the ramifications would be disastrous.”