Secure USB drive uptake slow but growing

Encrypted or locked-down USB storage devices do not have mainstream appeal yet, but industry experts say increased regulations are driving the uptake of such devices.

Graham Titterington, principal analyst at Ovum, told ZDNet Asia that the use of secure flash drives is mandated in environments such as the military. Outside of such controlled environments, they are "quite widely used as a good practice", he said in an e-mail.

Other sectors in which secure thumbdrives are often mandatory, are healthcare and the financial services.

Joel Camissar, product line executive for McAfee's data protection business in the Asia-Pacific region, noted strong growth in the Asian and global financial services and government markets for its encrypted USB drive. This has been spurred in many cases by the need to fulfill regulatory obligations.

For instance, revised guidelines by Singapore's banking regulator, the Monetary Authority of Singapore, require confidential customer data stored in all types of endpoint devices to be protected with strong encryption, he said. As a result, banks in the country have stepped up the use of secure flash drives.

"These devices have become increasingly popular due to increased regulations, stories in the media about information loss, and organizations adopting more stringent practices in how they protect their customers' information," he added. "Recent data indicates the market for secure USB drives was worth over US$150 million globally in 2009.

"This figure is set to rise substantially in 2010 as the popularity for increased security on portable storage devices grows."

SanDisk's Asia-Pacific marketing head for enterprise Dror Todress concurred, noting that the company's customers in the region are typically "more regulated"--with a need to protect sensitive data or have other data protection initiatives in place.

However, according to John Girard, Gartner's vice president and distinguished analyst, encrypted drives are still currently adopted by a "specialized, niche market".

"Companies which buy them for the appropriate niche purposes have been satisfied," he said, adding that "in general, we do not see large mainstream investments".

Security issue in secure USB drives
The recent exposure of a security flaw in such secure thumbdrives, said Ovum's Titterington, may have also dented user confidence in such devices.

Discovered by SySS, a German penetration testing company, the loophole was caused by an error in how the password is processed. The products affected were identified to be from SanDisk, Kingston and Verbatim.

Kingston has since issued a recall and announced an upgraded security architecture, while SanDisk and Verbatim have issued product updates.

Interestingly, all three vendors have obtained for certain models the FIPS (Federal Information Processing Standards) 140-2 certification, which is a security validation issued by the U.S. government. SanDisk's Cruzer Enterprise drive also acquired the Common Criteria EAL2 certification in October 2009.

"The FIPS certification they enjoyed is more limited than many users realized, referring only to the implementation of the encryption algorithms," Titterington pointed out. "However, until [recently], they were believed to be effective at protecting data, and so we can only assume they have been successful until now."

Microsoft's BitLocker a threat?
A possible contender to encrypted thumbdrives is Microsoft's enhanced BitLocker encryption function in Windows 7. Called BitLocker To Go, the tool extends BitLocker data protection to flash drives, allowing them to be password-protected.

Analysts and vendors, however, point out that secure USB storage media is still necessary as BitLocker is useful only for a limited segment of users.

Gartner's Girard noted that BitLocker To Go is intended to be used mainly with the Enterprise and Ultimate editions of Windows 7. "You can only create a portable BitLocker To Go drive on Windows 7 Enterprise and Ultimate [editions].

"These drives can be accessed in read-only mode--with the BitLocker To Go Reader--on [Windows] XP and [Windows] Vista," he said.

And while BitLocker's encryption settings can be modified to FIPS compliance, the BitLocker To Go Reader application is not FIPS-compliant according to Microsoft, added Girard.

In addition, there is no support for computers with non-Windows operating systems, he said. "If your needs can be met with a primarily Windows 7-restricted product, then BitLocker To Go could serve you well.

"If you want a device that can be created, updated and managed on a wider range of platforms and features a stronger baseline encryption, then you should continue to look at alternatives," he noted.

Nathan Su, Kingston's NAND flash sales director for the Asia-Pacific region, pointed out that the BitLocker encryption is software-based, while the encryption for secure USB drives offered by Kingston and other vendors is hardware-based.

"With Kingston hardware-based flash drives, after entering the password, unencrypted files' drag-and-drop or cut-and-past [commands] are automatically encrypted by a co-processor in the protected or private zone. The encryption key is also stored on the device," he explained. "This is critical because most software-based encryption flash drives require users to install a program and use it to do the encryption."

"Not only does this mean that the encryption key is exposed to danger because of storing in computer, it also means huge potential risk from user errors," he added. "People may forget to encrypt a file before moving it to the flash drive."

SanDisk's Todress added that software encryption "is not as strong" as hardware-based encryption and ought not to be used alone. "It is wise for companies to use multiple levels of security in storing portable data," he advised, adding that SanDisk currently provides multi-level security in its products, including anti-malware and centralized management of encrypted USB storage media.