A British company has a reassuring answer for safeguarding data on USB flash-drive devices, which are all too easily lost or stolen.
Conseal Security Ltd. on Jan. 17 released a new version of a locally installed software product, called Conseal USB2, that password-protects such devices and then enrolls them in an online "dual lock" password-checking system. Whenever the device is jacked into a computer, the drive checks in with a server that turns back to the software's local management console to verify the credentials.
Because the device is managed from the local administrator's console, access rules can be set at a variety of levels. Restrictions go as far as allowing the drive to be unlocked only by authorized users, on specific computers, within approved domains, at certain times. If someone attempts unauthorized use, the attempt can be audit-tracked back to the machine that was used.
"A device needs access to the internet initially to unlock, but not during use," says Tom Colvin, Conseal's chief technology officer, in an e-mail exchange. "Essentially, that is the key principle behind our Dual Locks system, which is designed to get around the single point of weakness of traditional encryption: the password."
"Usually, a lost device is a danger because as soon as an attacker obtains it, it is just a matter of time before they obtain the password through guesswork, social engineering [manipulating people to divulge confidential information], etc. With Dual Locks, the device’s contents can only be decrypted with the server’s permission. Even if you have both the password and the physical device, the protected contents remain secure," says Colvin.
According to Conseal, research from the U.S. National Institute of Standards and Technology has shown that passwords can typically be broken within 16 minutes via techniques like dictionary attacks or social engineering.
The dual-lock approach ensures the encryption key is not based on the password, nor is it stored on the disk or on the server. As a result, the strength of the protection is not limited to the complexity of the password alone. Devices can be unlocked only with the permission of the server, which is what allows administrators to set access rules or view extensive history audits for devices.
Further, instructions can be given to the server to temporarily lock a drive that has been misplaced until it is recovered. If an administrator believes a drive has been stolen, he or she can program the server to destroy the data the moment the drive is jacked in.
A new feature of the current release lets administrators grant temporary off-line access to cover users who expect to use a device on unconnected equipment.
The Windows-compatible product is offered as a one-year service contract in several ranges. An express edition is available for home users and students for £19.95 (about $31.00); the cost for commercial users starts at £59.95 (about $94.00) for up to five users, with other plans available for 250 users or more.