In an age of online cloud storage, you’d be forgiven for thinking that physical storage media no longer had a place in our 24/7 connected world. However, that’s simply not the case. Although cloud storage has made inroads and many of us find online storage useful, there are times when we need our data to be physically with us. The only problem is, how do we keep our data safe if it’s stored on a humble USB thumb drive?
Some time ago, I reviewed Kingston’s VP50 secure USB drives. These little devices are designed to be as impregnable as any data stored in a secure cloud. The latest Kingston range of IronKey encrypted storage devices were developed at a time when there was a spate of embarrassing data leaks in quite a few countries.
At the time, government officials and military personnel were found to have accidentally left memory sticks in public places. Often these devices contained sensitive or even classified information. As a result, many governments and corporations banned the use of removable storage devices because the penalties from data protection agencies for data leaks can be punitive.
Kingston makes a range of IronKey USB storage media with hardware encryption built in so that even if the drive is lost, it’s impossible to access the data without a password, thumbprint, or PIN. The Kingston VP50 is just such a flash memory drive with a high level of hardware security that’s strong enough for government and corporate use where sensitive data needs a high level of protection.
To find out a little more about the world of secure physical data storage, I recently met with Richard Kanadjian, Kingston’s Ironkey Encrypted Business Manager. I started by asking Kanadjian how he saw the market for removable storage developing. I wanted to know what advantages physical storage offers over the cloud.
Rich Kanadjian: “Yesterday I was reading a survey of business executives that found over half of 2,500 CEOs surveyed were more concerned about cybersecurity than their company’s economic performance, which is quite telling. Cybersecurity is a big issue for a lot of companies, especially the CIA triad.”
Mark Sparrow: “What’s the CIA Triad?”
Rich Kanadjian: “The CIA Triad in cybersecurity stands for Confidentiality, Integrity and Accessibility. Confidentiality is the hardware-based encryption that makes sure the data stored on the device is protected. Integrity means whatever data is stored on a device is the same data that is retrieved without alteration and that nobody can make changes. Accessibility means always having unauthorized or accidental access to data.
“Companies and cybersecurity professionals worry about on-premises data but they also worry about cloud data. Most of all, they worry about their endpoints and this is where Kingston works with mobile data. Your data may be well protected, but for redundancy or access reasons, you may want to have your data on a USB drive. You might be going to a different location, share data with others or you may not have your computer with you but still need to access your data. And that’s the space in which we operate.
“Accessibility means you have access to your data any time you need it. With cloud data, that’s not possible unless you have Internet access. And how you access data off-site matters. To access data back at HQ you need to go through secure networks, but employees often work in coffee shops or use hotel Wi-Fi to get online. Those methods of accessing the Internet are insecure. I don’t use hotel Wi-Fi so I like to carry my data with me as a backup on an IronKey USB drive. If anything happens to my notebook, I still have my data with me and I can find ways to carry on working. I can always access it without getting on the cloud.
“You can think of the Vault Privacy 50 drive as a cloud drive in your pocket or bag. You pull it out and you have all your data there, ready to access at any time. Whether you are at an airport, coffee shop or hotel, somebody can hack your system and intercept your data if you use public Wi-Fi.”
Mark Sparrow: “Sometimes people access data in the cloud because there might be more than one person updating it. What do you do if your data is on a USB drive and not everyone on the team can access it? Unless you’re using a VPN to access that live data, you only have a snapshot in your pocket until you can get online to refresh it and then store the updated data on the USB Drive.”
Rich Kanadjian: “The drive you carry in your pocket can’t address all those situations. If you share files that are dynamically updated, you will need to access them somehow, but you’ll need to have special security processes in place. You will have to make sure you’re on a secure Internet connection, but even a VPN can’t always guarantee that.
“For example, if you’re in a coffee shop and using public Wi-Fi, someone could break into your laptop. A VPN can help but it’s not secure and not as secure as having the data with you that you can access without going online. There’s something to be said for having data on a local drive. In my opinion, if you don’t want your data to be hacked and you don’t want people to modify it, don’t store your data on the Internet – in CIA Triad terms, the most secure storage is air-gapped and disconnected from the internet.
“You’ve probably heard of situations where cloud providers have been hit by cyberattacks and people can’t access their data. If the authentication method is not operating when you need to access your data, you’re stuck. We decided to keep our IronKey drives’ multi-password authentication to be self-contained within the drives for a reason because it always offers full control and access without the use of the internet.”
Mark Sparrow: “Let’s assume someone finds a Kingston VP50 USB drive. How does it remain secure? Can someone try to access the data? What technology does the VP50 use to stop a data breach?”
Rich Kanadjian: Very good question. The worst-case scenario is losing a standard unencrypted USB drive. In those cases, anyone can just plug the drive into a computer and access all the data. That’s the absolute worst case. A step up from this is using software encryption. However, we don’t view software encryption as totally secure because there are tools on the Internet that can guess passwords. By design, software encryption doesn’t have what’s called Brute Force Attack Protection. This limits the number of times someone can enter a password. Without Brute Force Attack Protection, hackers can attempt unlimited password guesses.
“There are programs available on the Internet that can crack complex passwords of eight characters or fewer in just minutes. The hacker can keep guessing and attack a single file with many computers. They can even make multiple copies of the file and then try to crack them in parallel. What used to take a computer a long time to crack could take multiple computers in parallel no time at all. In our view, software encryption is not as secure as people expect.
“At Kingston, we use hardware encryption and you can think of it as an ecosystem built into each drive. You need a specific password to access the drive and it will only allow you a certain number of attempts. If you exceed that number, the drive either locks or is reset.
For example, on the Kingston VP50, you have up to three passwords: admin, user and one-time reset. That’s what we call our multi-password architecture. You get 10 tries for each password. With the admin password, if you try and break that after 10 attempts, it simply wipes the entire drive clean and your data is gone and the drive is reset. That’s the power of Brute Force Attack Protection.”
Mark Sparrow:“So, with your IronKey drives there’s no way of getting the data back with recovery software? Once it’s wiped, it’s gone?”
Rich Kanadjian: “Pretty much. The AES encryption key is erased and once your encryption key is gone, you’d have to break AES 256-bit encryption to crack the data, which is, at this time, almost impossible. Once the AES key has been wiped, the data is unrecoverable and the drive is reformatted and ready to be reused.”
Mark Sparrow: “Is there no way that somebody could break into the data?
Rich Kanadjian: “It’s as secure as we can make it. The Kingston VP50 is what we call enterprise-grade security. That’s the security grade designed for businesses and professional use. It’s very secure. We also have military-grade security which is what you might call James Bond-grade encryption or FIPS 140-3 Level 3. FIPS 140-2 or the newest FIPS 140-3 Level 3 are standards from the U.S. government that define the security requirements for agency use of encrypted drives, and they have become a de-facto standard adoped by many governments and military in the world. They also include hard epoxy resin inside the USB drive casing to prevent anyone from physically attacking the memory chips. To get around that you would need a lot of money, a lot of time and a lot of knowledge. Depending on what level of security you want, enterprise-grade security is more than good enough for most needs.
“One thing we did with the Kingston VP 50 is to penetration test our security. We asked a German company called SySS to pen test our drives. SySS is a well-known cybersecurity company in Europe and they spent about five days trying to hack the VP50. They tried to figure out how to intercept the password or change it. They tried to compromise the VP50 and they couldn’t.”
Mark Sparrow: “How do you see legislation developing concerning governmental use of memory drives? Is there any sign of widespread adoption of your devices by government, or has the public sector stopped using removable drives for sensitive data?”
Rich Kanadjian: “For military use, we have higher-end drives but the Kingston VP50 is designed for business and professional use. There are reports in the U.S. that California’s CCPA looks like a model that is going to be adopted by more States. CCPA emphasizes that whenever you store protected consumer information, it has to be encrypted. It’s like the EU’s GDPR. If you read through the GDPR regulations, Article 32 says that whenever you store data it must be encrypted with the strongest AES 256-bit encryption. That’s where we come in by providing a removable drive that is already encrypted with the strongest encryption you can get.
“If you store data on one of our drives, you can be assured that it is CCPA or GDPR compliant should it be lost. People can’t easily access the data stored on it and, as far as we know, there are no known tools that can enable people to hack our drives.”
Mark Sparrow: “What are the drives like to use? Is it complicated to access data on an encrypted drive?”
Rich Kanadjian: “Our previous generation drives had a single complex password. The number one tech support call we got at Kingston was: ‘I forgot my password. Can you retrieve my data?’ Unfortunately, we must tell them we can’t because there’s no back door to our drives. To address this issue, we’ve gone multi-password.
“With the VP50 you can have an admin password, a user password, and a one-time reset password. So, if you do it right, you get three chances with three passwords to retrieve your data.
“However, people get tired of using complex passwords and it leads to some poor security practices. People often reuse complex passwords or create weak ones like ‘Password1’. That’s very easy for an attacker to guess. We wondered what we could do about it and the answer was the passphrase.
“Now you can use a passphrase to unlock our drives which is unique in the hardware encrypted drive industry. If you use a passphrase of multiple words longer than 15 characters, it’s even more secure than using a complex password per the FBI. We try to make it personal to our users but also more complex for a would-be attacker.. A passphrase can be the title of a book or it could be a sentence of a poem. It could be anything you like. We also have a hint field that prompts you to remember your passphrase.
“With a passphrase, you don’t have to remember special characters and we even allow punctuation and multiple languages. You can use any characters from 10 up to the maximum of 64. You can imagine how personable and memorable a passphrase you can make up so that it would be difficult for anybody to guess.
“We tried to make the process user-friendly so anyone can easily remember their passphrase without having to write it down or reuse a password. However, for those people who like complex passwords, we’ve kept that option on our drives. We also offer a customization program that locks the passphrase feature out if that’s what a business wants.”
When I started this conversation with Rick Kanadjian, I was expecting to encounter a rather dry subject involving encryption and multiple levels of secure access, but the discussion changed my mind and gave me a fresh perspective on the future of secure physical data storage. With good hardware encryption, data storage with Confidentiality, Integrity and Accessibility makes a lot of sense. And with the CCPA and GDPR forcing more companies to encrypt their data, the future for secure USB drives is starting to look very bright indeed.
Read the full article here