Mike Elgan: Why I'm done with portable hard drives
I've owned six portable USB hard drives over the past 10 years, and all six of them have failed unrecoverably. [read more]
Computerworld - USB flash drives are very small, very portable, very convenient -- and very easy to lose. In fact, the question to ask these days isn't how to avoid losing your flash drive, but how to make sure your data is safe when you do. As a result, Computerworld decided it was time to look at seven USB flash drives that are outfitted with security features to keep your data safe.
We did what most IT managers and users would do and asked some of the top vendors for their most secure USB flash drives. All but one of these products use some form of the Advanced Encryption Standard (AES) encryption, either 128-bit or 256-bit (according to experts, there's not much of a difference between 128-bit and 256-bit levels of AES encryption for ordinary purposes, as neither has yet been broken).
There was some variation in the implementation of the encryption on these drives -- some use AES keys derived from a user's password, while others use encryption keys generated by a hardware-based random number generator. (For more information, see our sidebar About Encryption.)
Our three reviewers -- Bill O'Brien, Rich Ericson and Lucas Mearian -- did not test the encryption algorithms themselves (that's a subject for another article), but did test the drives' performance, I/O rates, and CPU utilization. The reviewers also looked at the drives' security features, price, ease of installation, and ease of use.
Each device was tested for speed using Simpli Software's Hd Tach 3.0. Interestingly, the reviewers came up with a wider range of performance numbers than anyone actually expected.
In fact, this turned out to be a very diverse group of drives with features ranging from secure and unsecure data partitioning, to waterproof, stainless-steel cases, to support for passwords of up to 99 characters. In every instance, there are different levels of ingenuity that went into the creation of these handy, very mobile devices, even if the level of protection varies.
This is by no means the definitive list of all the drives available -- only some from the largest vendors and the most highly advertised. There are many types of secure USB drives out there, including those using fingerprint scanning technology (we'll visit those in a later review).
In choosing a secure USB flash drive, you may have to first decide the relative importance of security, price, and speed, and compromise among those three factors. But in the end, we found that one drive stands out above the others.
AES is the successor to the older DES (Data Encryption Standard) and is used by the U.S. government for encrypting secret-level and top-secret-level documents, using the 128-bit and 256-bit strengths respectively.
But it's not enough to offer AES encryption; much depends on how the encryption is deployed. In part, that's because users don't always want to use passwords as long as needed for effective key generation. If a user chooses a password with fewer characters than would make a 128-bit or 256-bit key (one character = 8 bits, so we're talking about passwords of 16 or 32 characters, respectively), the remaining characters often automatically become zeros. That means that the password can more easily be guessed, according to Charles Kolodgy, research director for secure content and threat management products at IDC.
Kolodgy recommends a passphrase versus a password. "The first step is to take care of 90% of the users out there," Kolodgy says. After that, the best solution is to have a random password character generator on the drive.
Some vendors claim there are differences between software-based and hardware-based encryption; according to Kolodgy, that's not hype. In software-based encryption, the keys are placed in the device's memory, so a hacker will know where to look for the keys by their unique format and can target those keys for a brute-force attack, Kolodgy says. In hardware-based encryption, the key never leaves the hardware device, thus you can't access them by simply looking at the device's memory.
But there's only so much due diligence you can do on this front. In the end, there is no way to tell whether a vendor's security is foolproof "apart from a $50,000 or $100,000 engineering effort," says security technologist and author Bruce Schneier in his essay on password security.
As an IT manager, you may even be best off rolling your own. Schneier says he generally purchases inexpensive drives and then encrypts the data on them using PGPDisk encryption software, but you will need to have PGP's Desktop product installed on your computer.