Encryption may end flash drives' exile for good

Private sector develops storage devices tailored to meet stringent government data protection requirements

In late 2008, the Strategic Command’s Joint Task Force-Global Network Operations (JTF-GNO) put in place an immediate ban on the use of flash drives — USB storage devices that have become the modern version of the floppy disk.

Used throughout the Defense Department to physically carry data between systems or transport personal files for use on shared systems, USB drives were at least partially responsible for a rapidly spreading virus attack on DOD’s Secret IP Router Network and Unclassified but Sensitive IP Router Network. On unclassified systems, the virus might have provided a back door for hackers to extract data.

The episode reinforced some of the problems that led to the creation of DOD’s Data-at-Rest Tiger Team (DARTT) and the push for wide adoption of data-at-rest solutions to protect sensitive data — especially on laptop computers and removable media. On previous occasions, USB storage devices that contained sensitive data were found for sale in Afghan markets.

In February, DOD lifted the ban on USB drives — sort of. STRATCOM officials issued an order Feb. 12 that allows personnel to use some USB drives in specific circumstances if they follow service guidelines. “All USB storage devices used must be government-procured and -owned,” STRATCOM's message states.

As the military services form their own USB drive policies, a number of vendors are teaming to create USB products that meet guidelines set by JTF-GNO. In response to the concern about the security of USB drives, vendors have engineered devices that automatically encrypt data stored to the devices.

One of those vendors is Mobile Armor, which also holds contracts for data-at-rest protection for the Army and for Navy laptops and desktops that aren't on the Navy Marine Corps Intranet. “The Office of the Secretary of Defense has had [data-at-rest contracts] with Mobile Armor for years,” said Mike Menegay, Mobile Armor’s president and chief executive officer.

Mobile Armor’s solution, Key Armor, combines encryption and virus protection into the USB storage device’s hardware. Key Armor is based on USB hardware from IronKey and SanDisk, Menegay said. And the devices include Mobile Armor’s key management capability and can use authentication from the Common Access Card to determine which policies should be applied to the USB device.

“Those policies are automatically set up for a USB key,” Menegay said. “You don’t need another server. It’s a much more efficient, enterprise solution.”

The same user profile could be used to manage encryption keys and policies for USB storage and encrypted files and full drives on desktop and laptop computers. The policies regarding encryption and access are centralized on a policy server. In conjunction with information from a Common Access Card, it can determine the identity of a user anywhere on the network. When the device is inserted, a network-aware preboot application must complete a protection sequence before the user is allowed to boot the computer.

It's unclear how quickly the military services will adopt these types of USB storage devices because the JTF-GNO is leaving choices about requirements to the services. But considering that data-at-rest protection is still not 100 percent deployed to mobile computers at DOD, it might be some time.

In February, the Air Force decided to continue its USB ban. DOD "banned flash media devices over a year ago due to network threats," said Maj. Gen. Michael Basla, Air Force Space Command vice commander, in a statement. "These threats have not disappeared. There are a number of military and government agencies working to mitigate these threats. The Air Force will be a partner in these mitigation strategies as we work to allow the limited use of flash media for mission-essential requirements."

"What we do not want is airmen thinking they can go out and buy a thumb drive or USB or any flash media device and start using it," said Lt. Col. Donovan Routsis, Air Force Space Command net-centricity division deputy chief. "In all reality, even when a policy is in place, that will still not be permissible. The use of any flash media device will only be authorized for mission-critical requirements and will be strictly managed."
