If you have ever listened to Rich or myself present on data centric security or endpoint encryption, we typically end by saying “Encrypt your freakin’ laptops.” It works. The performance is not terrible and it’s pretty much “set and forget”. We should also throw in “Encrypt your freakin’ USB keys” as well. The devices are lost on a regular basis and still very few have encrypted data on them. I confess that I am fairly lazy and have not been doing this, but started to look into encryption when I realized that I had brought a stick with me to Boston that had a bunch of sensitive stuff I was moving between computers and forgot to delete … oops. I am not different than anyone else in that I am not really interested in taking on more work if I can avoid it, but as I am moving documents I do not want public, I looked into solving this security gap. While at RSA I dropped by the IronKey booth; in nutshell, they sell USB sticks with hardware encryption. After a product demo I was provided a 1gb version to sample, which I finally unpacked this morning and put to use. This is a dead simple way to have USB files encrypted without much thought, so I am pretty happy moving the stuff I travel with onto this device.
A few years back at the IT Security Entrepreneurs’ Forum at Stanford, I ran into Dave Jevans. He had just started IronKey and was there trying to raise capital. At the time this seemed a tremendous idea: USB keys were ubiquitous and were quickly supplanting writable CDs & DVDs as the portable media of choice. Everyone I knew was carrying a USB stick on their keychain or in their backpack. And subsequently they were lost and stolen at an alarming rate along with all the data they contained. It had been three years or so since I had spoken to anyone at the company, so I wanted to catch up on new product developments. I am not going to provide a meaningful analysis of the hardware security implementation as this is beyond my skill set, but there were a couple of advancements in the product for browser safety and data usage policy enforcement that I was unaware of, so I wanted to share some comments.
The key has hardware encryption, so all files are stored encrypted. It provides an authentication interface and credentials need to be established before the device is usable. IronKey has added anti-malware to detect malicious content, but given that more dedicated appliances still fail in this area, the capability is not going to be cutting edge. The advancements I was not aware of were strong password enforcement, remote administration, and the ability to destroy the device in the event that certain access policies are violated. This prevents an attacker from trying indefinitely to gain access, and allows for policies to be adjusted per company, per users. The first idea that hit me is that this is a natural to leverage the encryption capabilities of the memory stick with DLP in a corporate environment. Use DLP to detect the endpoint device and allow data to be copied to the USB device when the device is trusted. This is very much in line with a data centric security model – where you define the actions that are allowed on the data, and where the data is allowed to go, and do not allow it to be in the clear anywhere else. I am not aware of anyone doing this today, but it would make sense from a corporate IT standpoint and would make an effective pairing.
The second concept pushed during the demo was the idea of putting a stripped down and trustworthy version of Firefox onto the IronKey. They are touting the ability to have a mini-mobile safe harbor for your data and browser. Philosophically speaking, this sounds like a good idea. Say I am using someone else’s computer: invariably they have IE, which I do not want to use, and the basic security of the computer is questionable as well. So I could plug in the memory stick and run a trusted copy of Firefox from wherever. Neat idea. But from my perspective, this does not seem like a valid use case. Even today I am going to have my laptop, and I just want an Internet connection. With EVDO, MiFi and the surge of mobile computing, do I really need a memory stick to do this for me? If I have a browser on my iPhone or Blackberry, what’s the point? Endpoint devices come and go with the same regularity as women’s fashions, and I wonder what the real market opportunity for this type of technology is in the long run. While it appears to be good security, the medium itself may be irrelevant. One thought is to embed this technology into mobile computing devices so that the information is protected if lost or stolen. If they could do that, it would be a big advancement over the security offered today. With the ability to provide user authentication, and destroy the data in the event that the unit is lost or the security policies are violated, I would have a much more secure mobile device.
Anyway, very cool product, but not sure where the company goes from here.
Oh, I also wanted to make one additional reminder: Project Quant Survey is up. Yeah, I know it’s SurveyMonkey, and yeah, I know everyone bombards you with surveys, but this is pretty short and the results will be open to everyone.
And now for the week in review:
Webcasts, Podcasts, Outside Writing, and Conferences
- Rich’s Macworld article on Apple, Mac security and responsibility.
- Rich with Dennis Fisher on the ThreatPost podcast
- Rich with Bill Brenner of CSO on DLP
- Rich’s TidBITS article on 5 Ways Apple Can Improve Mac and iPhone Security
- Rich and Martin on The Network Security Podcast
Favorite Securosis Posts
- Rich: The State of Web Application and Data Security.
- Adrian: Technically not a Securosis post, but I thought this analysis was stellar.
Other Securosis Posts
- Hackers 1, Marketing 0
- Introduction to Database Encryption: The Reboot!
- 5 Ways Apple Can Improve Their Security Program
- Project Quant Patch Management Survey
- Boaz Nails It – The Encryption Dilema
- Piracy Fighting Dog FUD
- Macworld: The Truth About Apple Security
- How Market Forces Can Fix PCI
Favorite Outside Posts
- Adrian: Jeremiah Grossman provides a very level-headed analysis of Vulnerability Disclosure.
- Rich: Boaz’s post on The Encryption Myth.
Top News and Posts
- Underground Intrigue.
- A bit older, but really good
- Who doesn’t love color scales?
- I have lock picks and bump keys, but nothing like this! Fascinating read and a great physical security parallel to what we see with data security.
- Aetna breach
- Mike Andrews in response to our State of Security post.
- These speak for themselves.
- Mandatory encryption reading.
- Bad news for consumers
- White House cybersecurity review
- Interesting UTM Review. Once you get past your initial shock at the poor anti-malware performance, you see how the other variables come into play in the selection process.
- Data Domain is popular. Very popular.
- Nice perspective on the attack vector lifecycle also by Jeremiah.
- Suspected Malware Hub Takedown
- Not security related, but Intel buying real-time OS provider Wind River Systems has very interesting implications for the mobile computing space. Most are not aware that WRS is working on Android.
- Informative post on using Metasploit Libraries.
Blog Comment of the Week
This week’s best comment was LonerVamp’s response to the State of Web Application and Data Security post:
Excellent information in that post!
Rich, have you been encouraged by the tone of those you’ve talked to regarding their WAF setups? I am not surprised by the larger number of WAF deployments (dropping in an appliance certainly seems easier!), but I’m curious how many really think they’re being effective. I’m not as big a skeptic as dre (hi!), but I realistically think deployment out of band and lots of false positives leave them doing absolutely nothing. I also wonder how many are deployed with nothing but a handful of basic triggers that are just default examples.
This would be the equivalent of deploying an ANY/ANY firewall 15 years ago just to say you have a firewall. Technically, you do have one. Technically, you might even be set up to look at the alerts, but because it detects nothing, it does nothing.
Reader interactions
10 Replies to “Friday Summary – June 5, 2009”
David,
In terms of functionality that’s exactly what I expect out of PDC solutions, so we are on the same page there, just not with terminology.
To be honest, all these market terms are a pain in the ass, especially for products (like yours) that cross lines. Not sure there’s anything we’ll ever be able to do to fix that.
We have used it and combinations of the terms for years in our trade show booth materials, graphics, etc. It is the reason DeviceLock is purchased.
More to the point of the confusion over what we do, DeviceLock does NOT protect portable storage…
DeviceLock protects the PC-host endpoints from unauthorized use of portable/wireless-connected devices and ports. We allow administrators all the controls Windows doesn’t have to granularly and flexibly allow/deny/mitigate access to Windows host ports-devices based on the many contextual and conditional settings we provide so that data does NOT leave the PC to unauthrized devices or users. This, along with auditing, shadowing, keylogger detection, etc is why we defined ourselves as we did.
Thanks – David Matthiesen
David,
The first usage I ever saw of “DLP” was in Vontu marketing materials… if you can cite me a source earlier than that I’d appreciate it (this was years ago). “Analysts” didn’t make that definition, at Gartner we used CMF, but the vendor marketing departments didn’t like that, and once users started using DLP we switched. The *users* defined it as content-aware, not me. From my knowledge of market history, no way were you guys out there using the term before the DLP vendors. Feel free to correct me if you can cite a source.
I never liked the term DLP, as I’ve mentioned plenty of times on this blog and in other places. That’s why I prefer CMP. DLP can mean absolutely anything you want it to, like GRC, and is thus worthless as a term.
You guys protect portable storage, or data on portable storage. Nothing wrong with that. Not sure why you care so much about the term DLP.
Rich – With all due respect, I already knew that we would disagree on the “DLP” definition, though, again, we used the term accurately for how DeviceLock has been justified and implemented for many years BEFORE analysts decided to define it as content-only. My only wish is that we would have trademarked it for prosperity.
In retrospect, it would have been better for the analyst/vendor community to simply have defined 2 formal sub-categories under DLP: Contextual and Content-based…which is essentially how the new “CMP” term you have is differentiating. Everyone would have been in agreement in the vendor camps and the ability to measure up to EACH sub-category would be the proper metric for the analysts. It really would have been that simple to avoid the confusion in the space and our need to now re-defend our indigenous position.
Thanks – David Matthiesen
David-
It’s easy- once DeviceLock adds content awareness, it’s DLP. Until then, it’s portable device control.
There’s nothing wrong with that, just like we don’t call firewalls DLP.
Great comments. The latest evolution for the Ironkey is extended Internet authentication capabilities, specifically the new Identity Manager stores your Internet passwords, but also allows you to lock down your eBay and PayPal accounts (and those of several banks and brokerages too), to your IronKey. The Identity Manager software supports the Verisign VIP one-time-password technology, thus you can lock your online account down to your IronKey. If hackers guess or steal your name and password, they still cannot get into your accounts without physically possessing your IronKey.
Also check out the IronKey Enterprise products, which offer online remote management of thousands of devices for corporate users.
Thanks again,
Dave @ IronKey
Adrian – thanks for the response, which actually brings up additional features of DeviceLock.
As a managed device, we go well beyond just who can access, but also at what level, what file types, and even when. “Write”, “read”, “format”, and “eject” are discrete access permissions that can be assigned/witheld; and DeviceLock can even control which days-of-week and hours-per-day the device can be accessed if pertinent to your security needs (shift workers, no weekend access, no late night access, military, etc).
The latest release also has the ability to allow/block/read-only at the true file type level, regardless of how the file is named due to the aforementioned engine that is the doorstep to upcoming content features. Examples are that all “Executable” type files as a group can be denied for Removable media to help prevent installs, malware, and rootkits; while Word docs and PDFs can be explicitly allowed.
While these are all contextual security settings, they are very important controls for preventing data leakage.
Thanks again. — David Matthiesen
Regarding what you said about the iPhone or Blackberry replacing the USB drive as a secure platform to browse or any other action, I should add that in countries with technologic dalays like Argentina, where I come, this is a viable and accessible solution. Altought the Blackberry and the IronKey are FIPS-140-2 (as far as I know), the current prices of mobile devices and computers are way too far from ‘accesible’, making solutions as the IronKey affordable.
Best regards.
@David – My comment was specific to IronKey and permissions mapping to the capabilities of that device, so thanks for the comment. My ignorance in this area is not surprising given Rich is our expert in all things DLP. I am sure he will slap me upside the head when he gets back from NYC.
-Adrian
Rich and Adrian – in reading your positive comments on IronKey (a very nice product), there was an important passage and recommendation that is covered by our DeviceLock software.
You stated…,”Use DLP to detect the endpoint device and allow data to be copied to the USB device when the device is trusted. This is very much in line with a data centric security model — where you define the actions that are allowed on the data, and where the data is allowed to go, and do not allow it to be in the clear anywhere else. I am not aware of anyone doing this today, but it would make sense from a corporate IT standpoint and would make an effective pairing.”
To your point, DeviceLock’s endpoint port-device access control sofware allows the admin to define “whitelisted” USB devices by their model number (VID+PID) or even more securely by their unique ID or serial number (VID+PID+SN). These can be IronKeys or any other standards-based encrypted USB device. Moreover, the whitelisted device MUST be assigned to a user, group, or user context (or multiples of these)in the policy configuration, and is not just generically allowed for all authenticated users as other solutions do. With DeviceLock, these assigned devices could be the only ones allowed or the policy can be a hybrid with generic USB/Removable use allowed to specifically privaleged users/groups. DeviceLock also audits and shadows the data traffic between the host PC and the USB device for additional data security compliance. The bottom line is that ONLY trusted users can use ONLY trusted devices by leveraging this configuration…and, even though they are trusted, they are still “watched”.
While DeviceLock has not met your previous definition of DLP (though we coined the term in our marketing/trade booth materials many years prior to the official analyst category existing), this is another point where “context-based” security solutions like DeviceLock have provided visionary endpoint data protection. As we add “content-level” features going forward that leverage the content engine developed and released with v6.4, we trust that DeviceLock will move up the ladder in your DLP/CMP vendor list as these points are validated.
Best Regards –
David Matthiesen