Government

IronKey Enterprise Edition

Overview

Managed Secure Mobile Storage, Strong Authentication and Portable Virtual Desktops for Military and Government Users

USB flash drives–with their small form factors, large storage capacities, and high transfer rates–have revolutionized mobile data storage. An increasingly mobile government workforce relies on these devices to transport files when they travel, share data with co-workers and government contractors, use more than one computer, and work from home. USB flash drives also make it easy for government employees who are traveling to back up confidential files.

The challenge for government IT and security professionals becomes one of balancing the enormous productivity benefits of flash drives with the risks they pose to agencies and departments. Easily lost or stolen, flash drives pose a significant risk of data loss and leakage, which carries with it the potential cost, liability and damage to an agency’s reputation that can result from a data breach. In addition to allowing data to leave the organization, flash drives can also allow malicious code to enter, potentially infecting government PCs and networks with dangerous malware and crimeware.

Always-On AES 256-Bit Hardware Encryption, FIPS 140-2 Level 3 Validation, and Active Anti-Malware

IronKey, through research initially supported by the U.S. Department of Homeland Security, has focused on solving these critical challenges. The result is the world’s most secure USB flash drive. This intelligent mobile storage device combines an advanced Cryptochip that protects data with AES 256-bit encryption with an array of physical and electromagnetic defenses against intruders accessing the chips and encryption keys. In fact, the IronKey S200 series drives are the first and only USB flash drives to have passed the U.S. government’s strict testing requirements for FIPS 140-2 Level 3 validation. Active malware defenses further protect the drives–and computers on which they are used–from becoming infected with viruses and worms.

Central Management, Policy-Based Remote Control, and Secure Device Recovery

However, these protections alone are not sufficient to meet the data security and compliance needs of military and government customers. That is why the IronKey solution combines advanced management server software with capabilities built into IronKey drives to enable sophisticated central management and policy-based control over fleets of drives. This advanced management includes secure device recovery and the ability to remotely disable or destroy drives that are lost, stolen or in the possession of former employees and other unauthorized users.

A Platform for Strong Two-Factor Authentication and Portable Virtual Desktops

Beyond the benefits of security and manageability, IronKey drives also comprise secure platforms for deploying portable virtual desktops. Additionally, organizations can use the onboard digital certificate or solutions from RSA and other third parties to consolidate encrypted mobile storage and strong two-factor authentication in a single device.

Remote Management

Eliminate the risks posed by uncontrolled flash drives in your environment without impairing the productivity of your mobile workers. IronKey Enterprise lets you take charge of USB storage with a sophisticated management service that makes it easy to remotely administer thousands of secure IronKey drives over the Internet. Now you can enforce encryption and security policies even as users work from home.

Enterprise-Class Central Management

Establishing policies that require agency employees to use only encrypted drives is not enough to protect against data loss or to ensure compliance with various privacy regulations. An enterprise-class approach requires sophisticated management capabilities that allow administrators to easily and rapidly deploy encrypted flash drives, and then remotely manage them in the field.

The IronKey management service allows tiered administration of drives: System Administrators can designate other administrators, who can then manage users and policies on the devices.

Remotely Enforce Security Policies

Administrators can remotely enforce policies to ensure that data stored on IronKey USB drives is inaccessible to unauthorized users. This includes integration with third-party device control systems to allow only hardware-encrypted IronKey drives to mount to your agency’s PCs. This approach safeguards your critical mobile data because all data transferred to an IronKey drive is automatically protected with hardware-based always-on encryption (users cannot turn off or otherwise disable this AES 256-bit CBC mode encryption).

Remotely Terminate Drives in the Field

In the event the IronKey drive is compromised in any way–such as if a user loses the device together with a written password or an employee moves to a competitor with the device in his or her possession–administrators can, over the Internet, remotely revoke access to the stored data or even tell the drive to “self destruct” its internal circuitry.

Anti-Malware

Self-Defending Flash Drives with Active Anti-Malware

Many government organizations must weigh the significant productivity benefits gained by the use of USB flash devices against the risks they can bring. Conventional USB flash drives and memory sticks provide a pathway into the organization for various types of malicious code. Unlike these unprotected devices, IronKey drives are intelligent self-defending storage devices with active malware defenses, strong two-factor authentication (onboard certificate in hardware), onboard security co-processors, and onboard anti-virus scanning software. They are also capable of remote management, allowing IronKey to provide automated security and anti-malware updates over the Internet or corporate network–with the absolute security provided by authentication in hardware. This allows IronKey devices to provide your mobile workers with a high level of malware and crimeware protection.

IronKey has worked under contract with the U.S. Department of Homeland Security Science & Technology Directorate to research the next generation of malware and crimeware defense technologies. These include:

  • Trusted Supply Chain – IronKey manages a secure manufacturing process, ensuring that devices cannot be infected during the manufacturing process. IronKey devices are designed and assembled in the USA
  • Anti-Worm Secure AutoRun Protection – Prevents AutoRun malware such as the Conficker worm from infecting IronKey devices and corporate or government networks
  • Write Protection – A read-only mode stops malware from jumping onto an IronKey device from an untrusted PC
  • Policy-based Controls to Restrict IronKey Usage to Trusted Networks – Policy-based controls allow administrators to restrict which networks employees can use their IronKey devices on
  • Anti-Virus Scanning – IronKey has launched an industry-leading service for delivering anti-virus scanning updates to detect and remove a broad spectrum of malware before it is copied onto or off IronKey drives

Authentication

Strong Authentication and Single Sign-on

Many organizations require a method to prove that network users are who they say they are. A number of solutions are available to authenticate users before they can log on to the department or agency network, and these typically require the user to carry a Common Access Card (CAC) or token with them. IronKey drives comprise a revolutionary platform for strong authentication, providing the capability to combine strong encryption of mobile data with strong two-factor authentication—in a single device. This is especially useful in situations where agency personnel would otherwise be required to carry multiple authentication devices to enter different government facilities.

Password Management and Single Sign-on

IronKey devices can be configured to allow users to store and manage all their network login credentials using the onboard password manager. This advanced capability provides many of the benefits of Single Sign-On, without requiring modifications to enterprise systems.

Consolidate Encryption and Authentication in a Single Device

IronKey works with leading authentication technology providers to deliver pre-integrated solutions. These include CRYPTOCard one-time password technology, as well as the capability to generate RSA SecurID and VeriSign One-Time Passwords. IronKey Enterprise devices can hold up to 50 RSA tokens. This makes it possible to replace lanyards strung with multiple devices with a single hardened authentication device—which doubles as a secure storage device.

Onboard Digital Certificate

Each IronKey Enterprise device includes an onboard digital certificate and PKCS#11 interface that enable rapid deployment of strong authentication to replace CAC in some applications.

Compliance

IronKey develops encrypted mobile storage at the cutting edge of technology. This includes developing products that comply with key government and industry standards for security, performance and other criteria, as well as building comprehensive solutions designed to help customers comply with government and industry regulations.

Compliance with Standards

IronKey hardware and software products provide the highest level of protection for data stored on IronKey secure flash devices as well as host PCs and government networks. In fact, IronKey S200 devices are the only flash drives available on the market today that have passed the stringent testing requirements for FIPS 140-2 Level 3 validation. This is a key metric for judging the effectiveness and reliability of a security product, and also makes IronKey drives eligible for purchase by the military and other government agencies.

IronKey devices have been certified or validated for the following standards:

Product Certifications and Compliance

  • FIPS 140-2 Level 3 – Certificate #1149
  • FIPS 197 AES – Certificates #655, #689 and #1034
  • FIPS 186-2 RSA – Certificates #494 and #305
  • FIPS 186-2 RNG – Certificates #587 and #380
  • FIPS 186-2 SHS – Certificates #986 and #987
  • FIPS 186-2 SHA – Certificates #691 and #689
  • HMAC – Certificates #579 and #615
  • CCATS – Certificates #G073288 and #G057590
  • MIL-STD-810F (Waterproof)

Compliance with Regulations

With new state privacy laws, industry regulations such as PCI, and updates to HIPAA and other federal mandates stemming from the HITECH act and ARRA (also known as the 2009 Stimulus Act), organizations face an increasingly stringent and more complex compliance landscape. In addition to the embarrassing public disclosures and the high costs of remediation, a privacy breach can distract IT staff from their business tasks by requiring them to constantly respond to auditors and regulators.

  • Encryption — Avoid mandatory remediation under the privacy laws of various states, including CA (SB1386), MA, NV and 12 others
  • PCI
  • HIPAA
  • Sarbanes Oxley (SOX) Section 404 requirements for confidential information

With new state disclosure laws, FISMA, and other privacy regulations, government departments and agencies face an increasingly stringent and more complex compliance landscape. In addition to the embarrassing public disclosures and the high costs of remediation, a privacy breach can distract IT staff from their primary tasks by requiring them to constantly respond to auditors and regulators.

Eliminating Compliance Risks with Managed Secure USB Drives

USB flash drives pose a unique regulatory compliance risk. Their small size makes them easy to conceal and easy to lose. The best way to mitigate this risk is by ensuring all data stored on your organization’s flash drives is encrypted. In fact, many privacy laws now either mandate encryption or provide “safe harbor” if data on a device was encrypted at the time it was lost or stolen. You cannot achieve compliance without management, which includes the ability to:

  • Know to what employee the drive was issued
  • Know when and where that person used it
  • Prove the device has not been accessed in the event it is lost or stolen

IronKey addresses compliance needs with an enterprise-class solution for protecting mobile data that combines secure hardware encrypted flash drives with central management software.

Always-on Encryption

IronKey Enterprise devices encrypt data in hardware whenever the user transfers files onto the drive. The user cannot turn off encryption or circumvent it in any way. This “always-on” encryption not only ensures that an organization’s critical data is always protected but also makes compliance with PCI and state and federal regulations virtually automatic.

The IronKey Cryptochip protects data with AES 256-bit hardware encryption (using the U.S. government’s approved algorithm for protecting Top Secret data). IronKey devices are also the first and only USB flash drives to pass the U.S. government’s strict FIPS 140-2 Level 3 criteria for cryptographic technology. The result is the strongest mobile data protection available.

Central Management and Secure Device Recovery

In addition to central management software that includes audit trails and other capabilities necessary for compliance, IronKey Enterprise provides Secure Device Recovery. This function allows administrators to recover the contents of a drive if the end-user loses the drive, or leaves the agency with it, thereby helping to maintain and prove custody of data stored on a drive. There are no back doors to this device recovery system. The central IronKey management server also allows you to revoke Admin status if the administrator leaves the agency.

Virtualisation

IronKey Desktop Virtualization Solutions

From allowing employees to work at home on their own PCs to providing continuity of operations in the event of a disaster, portable virtual desktops offer a number of advantages over fully loaded conventional PC desktops. IronKey enables you to securely deliver a range of virtual solutions–from virtualized applications to complete virtual work environments on USB flash drives.

Deploying virtual desktops on secure IronKey drives means your employees can carry their working environment with them and use it securely anywhere they go. This preserves your organization’s investment in PCs while making it possible to safely leverage employee-owned machines–or even untrusted machines in the field. It also provides a more secure mobile computing platform than laptop PCs, which, if encrypted at all, are typically protected with software-based encryption.

Managed and Secure Portable Virtual Desktops

IronKey gives virtualization new levels of security and mobility by enabling organizations to securely deliver complete desktop environments on ultra-secure, remotely managed USB flash drives. IronKey supports a continuum of portable client virtualization solutions–ranging from portable applications, to virtual desktops and bootable USB flash drives, which make it possible to run Windows or Linux from an IronKey drive.

The IronKey virtualization solution allows end users to access a personalized desktop–complete with applications and data–without jeopardizing the security of department or agency data. All applications, data and user preferences are protected within the security of the hardware-encrypted IronKey intelligent flash drive. Users launch applications directly from within this security shell. The IronKey drive also provides onboard anti-malware protections to protect data against theft by crimeware, and prevent the spread of malware to enterprise networks.

Unlike conventional virtual desktop infrastructures, which must read and write data from a centralized server over a network connection, users can access this self-contained work environment from any location–with or without a network connection. By eliminating the need to communicate over the network, the IronKey solution also provides improved performance for a transparent user experience.

Additionally, bootable IronKey drives make it simple and easy to migrate legacy Microsoft Windows XP applications to Windows Vista and Windows 7.

A Highly Reliable Platform for Portable Virtual Desktops

Virtual desktops do not perform well on conventional consumer-grade flash drives. The need to continuously read and write to the host slows performance and wears out regular flash memory. IronKey offers customers the choice of high-performance, high-reliability drives that employ superior NAND flash memory. IronKey hardware encryption is also much faster than software encryption, helping to make the virtual desktop experience transparent to end-users.

Additionally, because IronKey drives are intelligent, remotely managed, and contain hardware-based strong authentication capabilities, you can authenticate both users and their IronKey devices before allowing them to access your network.