Encryption may end flash drives' exile for good

Private sector develops storage devices tailored to meet stringent government data protection requirements

In late 2008, the Strategic Command’s Joint Task Force-Global Network Operations (JTF-GNO) put in place an immediate ban on the use of flash drives — USB storage devices that have become the modern version of the floppy disk.

Used throughout the Defense Department to physically carry data between systems or transport personal files for use on shared systems, USB drives were at least partially responsible for a rapidly spreading virus attack on DOD’s Secret IP Router Network and Unclassified but Sensitive IP Router Network. On unclassified systems, the virus might have provided a back door for hackers to extract data.

The episode reinforced some of the problems that led to the creation of DOD’s Data-at-Rest Tiger Team (DARTT) and the push for wide adoption of data-at-rest solutions to protect sensitive data — especially on laptop computers and removable media. On previous occasions, USB storage devices that contained sensitive data were found for sale in Afghan markets.

In February, DOD lifted the ban on USB drives — sort of. STRATCOM officials issued an order Feb. 12 that allows personnel to use some USB drives in specific circumstances if they follow service guidelines. “All USB storage devices used must be government-procured and -owned,” STRATCOM's message states.

As the military services form their own USB drive policies, a number of vendors are teaming to create USB products that meet guidelines set by JTF-GNO. In response to the concern about the security of USB drives, vendors have engineered devices that automatically encrypt data stored to the devices.

One of those vendors is Mobile Armor, which also holds contracts for data-at-rest protection for the Army and for Navy laptops and desktops that aren't on the Navy Marine Corps Intranet. “The Office of the Secretary of Defense has had [data-at-rest contracts] with Mobile Armor for years,” said Mike Menegay, Mobile Armor’s president and chief executive officer.

Mobile Armor’s solution, Key Armor, combines encryption and virus protection into the USB storage device’s hardware. Key Armor is based on USB hardware from IronKey and SanDisk, Menegay said. And the devices include Mobile Armor’s key management capability and can use authentication from the Common Access Card to determine which policies should be applied to the USB device.

“Those policies are automatically set up for a USB key,” Menegay said. “You don’t need another server. It’s a much more efficient, enterprise solution.”

The same user profile could be used to manage encryption keys and policies for USB storage and for encrypted files and full drives on desktop and laptop computers. The policies regarding encryption and access are centralized on a policy server. In conjunction with information from a Common Access Card, the policy server can determine the identity of a user anywhere on the network. When the device is inserted, a network-aware preboot application must complete a protection sequence before the user is allowed to boot the computer.

It's unclear how quickly the military services will adopt these types of USB storage devices because the JTF-GNO is leaving choices about requirements to the services. But considering that data-at-rest protection is still not 100 percent deployed to mobile computers at DOD, it might be some time.

In February, the Air Force decided to continue its USB ban. DOD "banned flash media devices over a year ago due to network threats," said Maj. Gen. Michael Basla, Air Force Space Command vice commander, in a statement. "These threats have not disappeared. There are a number of military and government agencies working to mitigate these threats. The Air Force will be a partner in these mitigation strategies as we work to allow the limited use of flash media for mission-essential requirements.”

"What we do not want is airmen thinking they can go out and buy a thumb drive or USB or any flash media device and start using it," said Lt. Col. Donovan Routsis, Air Force Space Command net-centricity division deputy chief. "In all reality, even when a policy is in place, that will still not be permissible. The use of any flash media device will only be authorized for mission-critical requirements and will be strictly managed."

Reader Comments

Fri, Aug 27, 2010 Ron LaPedis Silicon Valley

First, ensure that whatever flash drive you use can be locked down to only authorized systems so that they cannot be used outside of your enclave; second, ensure that non-approved flash drives CANNOT be connected to secure systems. THIRD (and very important), know where your flash drive comes from. Trusted design, trusted parts, trusted manufacturing, trusted assembly. This might save your butt when the 'kill switch' in foreign parts is turned on in the upcoming cyberwar. And by the way, software encryption means that your key is in RAM where it can be captured and used by an adversary.

Wed, Apr 28, 2010 John Miles Virginia

We use the Mobile Armor product to encrypt all of our data: on my laptop, USB keys (we still use them), and CDs. It's very easy. I have a client on my laptop that has a policy that states all of my data needs to be encrypted. I like this because it takes place automatically and I do not have to think about it. It must be fast because I am never aware of it. The alternative is a policy that restricts my use of removable media. That would severely hinder my productivity, so I am all for the Mobile Armor solution.

Wed, Apr 28, 2010 Fernando

Even the best scanners will fail to catch all malware. Scanning a flash drive is necessary, but not sufficient to protect information systems. (Think defense in depth.) I think we should all pay attention to the military's concerns since we are all potential targets.

Wed, Apr 28, 2010

I find it funny that people using these flash drives don't scan them for viruses before opening any data on a different machine! The flash drives are nothing but a replacement for 3 1/2 floppies, and machines that don't have CD-ROMs. Simple computer safety ignored.

Wed, Apr 28, 2010 Kevin Dayton

Data at Rest (DAR) is for mobile media/computers, not desk/server-bound computers/media or weapon systems. The USB threat applies to all systems. While Mobile Armor has tested very well, it's only part of the USB and DAR solutions. With regard to USB, the computer receiving it must also be protected from both proper (Govt-owned, configured, encrypted, etc.) drives and any other that's plugged in, which means disabling autorun, vaccination, etc. With regard to DAR, the full-disk encryption is good, but it’s not publicly compatible. Instead, the USAF Research Lab's free Encryption Wizard (spi.dod.mil) can work on almost any computer, both NIPRNet and private, to secure and trade files.
