Flash media vendors eye DOD market despite strict rules
The Defense Department has eased its blanket ban on removable devices such as USB drives, and vendors are responding with tamper-proof hardware, FIPS 140-2 validated encryption engines and on-board antivirus
SAN FRANCISCO — Despite continued restrictions on the use of portable storage media by the individual military services, vendors are eager to take advantage of the Defense Department’s decision last month to ease its blanket ban on the devices.
“This is a recognition of the need for these devices,” said Tom Flynn, director of marketing for Gemalto. “But it is also a recognition of the importance of securing data.”
The new policy does not completely lift the ban, but it allows the use of approved, government-owned drives when no other option is available for mission-critical activities.
“The days of bringing in personal USB drives and plugging them in are over,” said Sue Pontius, chief executive officer of Spyrus. But the new policy reopens the DOD market for hardened, secure devices. “What the government is trying to do is put back the productivity tools we have become reliant upon.”
Both companies are promoting products at this week’s RSA Security Conference that meet new DOD requirements for removable devices. Gemalto is displaying its Smart Guardian FIPS drive with an integrated smart card module, and Spyrus is touting its family of Hydra PC (Privacy Card) secure storage devices. All have been validated to the Federal Information Processing Standard 140-2 for cryptographic modules.
DOD banned the use of removable flash media in 2008 following the outbreak of a virus that was being spread through the devices.
“The temporary ban on portable USB storage devices introduced significant productivity barriers and required military and government personnel to dramatically change the way they work,” said David Jevans, CEO of IronKey, another secure USB manufacturer.
But it was an appropriate move, Pontius said.
“The government took steps to button itself down and review procedures that were in place,” she said. The problem was not in the available technology or in the policy for its use; it was that approved procedures were not being followed. “Even with policies in place, people take shortcuts,” turning off or bypassing required security in favor of ease of use.
The ban was a notice that policies no longer would be ignored, and the Feb. 12 announcement by the U.S. Strategic Command of “the limited return to use of memory sticks and thumb drives” included strict new requirements for their use.
The DOD Joint Task Force for Global Network Operations, working with vendors, defined security requirements to prevent infection by malware. Authorized devices must pass stringent security tests to ensure that stored data is encrypted by a FIPS 140-2 validated cryptographic module and that the devices work with both DOD malware-scrubbing kiosks and McAfee’s Device Control Module.
Gemalto’s SG FIPS devices include a smart card module that holds the cryptographic keys and performs PIN and password verification. This means the keys and the verification process stay on the drive, inside the FIPS-validated boundary, rather than on the host PC. The module is hardened against both physical and logical brute-force attacks, and it self-destructs if tampered with.
“If you can’t get to the keys you can’t get to the information,” Flynn said. “It’s been done before,” he said of hardened chips, but FIPS validation is taking card security to a new level.
The SG FIPS smart card module uses the same technology as DOD Common Access Cards and the civilian Personal Identity Verification smart cards. Agencies can configure the device so that it will work only on PCs while a CAC or PIV card is inserted.
The Spyrus Hydra PC devices also are approved for DOD use. They include the personal encryption device, the Enterprise Edition and the Digital Attaché. All are available in virus-protected versions with onboard antivirus software that scans data moving onto or off the device.