The announcement happened to coincide with the public release of a U.S. Government Accountability Office (GAO) report stressing the need for federal agencies to increase their encryption efforts.
New products and services haven’t been announced, but combined solutions are already available in the form of a USB flash drive, portable hard disk and centrally controlled management software. Offered by each respective company under unique product names, the devices share the same hardware and software.
McAfee’s Zero Footprint Bio is a re-branded version of MXI’s Security Stealth MXP, a zero-footprint USB flash drive with transparent hardware-based AES 256-bit encryption. Both carry FIPS 140-2 Level 2 validation certificates and feature three-factor (biometric, password and device) authentication. Numerous cryptographic services and digital identity features are included.
MXI’s Security Outbacker MXP portable hard disk also carries hardware-based AES 256-bit encryption, zero-footprint software, three-factor authentication as well as digital identities and crypto services. McAfee users will find the equivalent in McAfee’s Encrypted Hard Disk.
Unlike the FIPS-validated Security Stealth MXP, the Security Outbacker MXP is currently in the FIPS certification process. U.S. federal agencies are required by the Office of Management and Budget (OMB) to encrypt sensitive data on mobile computers and devices approved by the National Institute for Standards and Technology (NIST). The most current series of government computer security standards issued by NIST is FIPS 140-2.
The Security Stealth MXP and Security Outbacker MXP are centrally manageable through MXI’s Access Enterprise software suite. Similarly, McAfee’s Encrypted USB Manager (formerly SafeBoot for USB Enterprise) ensures the Zero Footprint Bio and Encrypted Hard Disk comply with agency policies and procedures.
But according to the GAO June 2008 Information Security report, “While many technologies to encrypt data exist, implementing them incorrectly – such as failing to properly configure the product, secure encryption keys or train users – can create a false sense of security and even render data permanently inaccessible.”
The report, which looked at the encryption efforts of 24 federal agencies, states, “From July through September 2007, the major agencies collectively reported that they had not yet installed encryption technology to protect sensitive information on about 70 per cent of their laptop computers and handheld devices. Additionally, agencies reported uncertainty regarding the applicability of OMB’s encryption requirements for mobile devices, specifically portable media.”
Agencies appear to devote more attention to encrypting sensitive information transmitted over networks and less attention to portable storage devices. According the report, “…six agencies reported having other storage devices, such as portable storage media, that could contain sensitive data. Of the six agencies, four had not encrypted these additional devices. Further, officials at one agency had no plans to encrypt sensitive data contained on their portable media.”
Obstacles to proper implementation, from the agencies’ perspective, include high costs, user acceptance and training, managing encryption keys, lack of interoperability for cross-agency collaborations and readying IT infrastructure.
“One thing that might be happening is that the departments are buying these products because they are FIPS validated, but not understanding how to operate these products in a FIPS-validated mode,” said Larry Hamid, CTO of MXI Security. “You wouldn’t necessarily understand how to do that unless you dug deeper into the security policies that accompany FIPS validation. You have to worry about things like, ‘Where are your keys stored? How do you authenticate in order to unlock the encryption keys?’”
“Some of these products also have software components and unless you’re using those software components, you may not be applying the proper security,” said Hamid, who pointed to users placing files on USB flash drives without being obligated to run the encryption software. “This may be just because the user wasn’t told how to use the device properly or that they know how to use it, but they just didn’t have the time to run the software, which is quite often what happens when the security is a little cumbersome to use.”
“One of the advantages of our technology is that we have full transparency in our encryption,” Hamid continued. “So when you plug the device in, you have no choice but to first of all authenticate to the device. If you can’t authenticate, you can’t use the device. Once you’ve authenticated, your drive is fully encrypted. No matter what you do, there’s no opportunity for the user to either accidentally or on purpose circumvent the security. It’s so simple that the user can’t make a mistake.”
“The validation of our product covers the entire product, including all of the internals, the hardware, the enclosure and all the services…all you need to do is plug it in and start using it. You don’t have to worry about whether you are using it in a FIPS-validated mode or not because you always are. There’s no configuration outside of perhaps the password policies that the organization would want to put on the devices and they can do that with our management software…we give them the flexibility to deploy and enforce the policies that they need.”