• 
• Business
• Enterprise Apps
• Hardware
• Internet
• Networking
• Productivity Apps
• Security
• Software Dev
• Storage
• IT Weekly

More Related Stories

Interview: Page (1) of 1 - 03/14/06

email article print       

Kingston Technology's Mark Leathem on USB drive security

Company introduces first USB flash drive with 128-bit AES Encryption

By John Virata

The USB flash drive, those little storage devices that blazed their way onto the computer storage scene in the Summer of 2001 have changed the way people store and move digital data. The devices are wildly popular and have reached such a critical mass that you can find them for sale at your local drug store. While there has been movement on the software front to make the drives more useable, there hasn't been too much movement on the hardware front. Until now. While USB flash drives have gained in popularity, the very notion of their mobility has sent shivers down the spine of anyone who is tasked to protect a company's data security. Kingston Technology has made a move with USB flash drives that it hopes IT security types will embrace in their quest to protect confidential information.

In an interview at Kingston headquarters in Fountain Valley, California and via email, DMN executive editor John Virata spoke with Mark Leathem, director of digital media business development at Kingston, about Kingston's latest device, the Kingston DTE Privacy Edition, a USB flash drive with hardware based 128-bit AES encryption. Here is what he had to say.

DMN: With the advent of the ubiquitous USB flash drive, how vulnerable are companies to data theft? Are there statistics of data theft among, say the Fortune 1000?

Mark Leathem: Data theft is on the rise, particularly from internal threats due to the widespread use of personal storage devices including USB drives. Many organizations have hundreds of megabytes of critical information stored on personal drives that are potentially at risk to loss or theft. In its 2005 Global Security Survey, Deloitte Touche Tohmatsu found that 35 percent of the Fortune Financial 100 companies surveyed reported attacks from an internal source, compared to 14 percent in 2004, and 10 percent in 2003.

The American Society for Industrial Security/PriceWaterhouseCoopers 1999 Trends in Proprietary Loss survey reported that Fortune 1000 companies suffered more than $45 billion in losses due to theft of proprietary information. To assess how vulnerable companies are to data theft, all you need to do is look at the recent headlines. What do Time Warner, Lexis-Nexis, ADP, and Bank of America all have in common? They all suffered breaches in customer data security in 2005. The impact of these data breaches ? with regards to loss of customer confidence and brand value ? while difficult to measure, can be particularly devastating.

DMN: Kingston's latest drive, the DTE Privacy Edition, uses hardware based security features to address the threat of data theft. How many levels of security are built into the device?
ML: Kingston DTEP drive is the first USB drive that is 100 percent private. What this means is that all data saved to the device is automatically encrypted on the fly, with no additional IT or user intervention. The drive features 128-bit AES hardware encryption. The benefit of hardware based encryption is two-fold. First off, it ensures that the encrypting does not take place in what is essentially the public domain (using the CPU and RAM ) making it open to software ( Malware, Trojans ) looking for traces of the activity; further, on the hardware side, the RAM itself is a potential weak link. Secondly, it doesn?t require a user to download any special software for de encryption. In addition to this hardware-based encryption, the drive features several other advanced security measures, including a complex password protocol and a mechanism that locks out would-be attackers after 25 consecutive failed password attempts, ensuring information is accessible only by authorized users.

DMN: Can you explain the notion of "Brute Force Attack?"
ML: "Brute Force Attack" is the use of software programs and other tools to exhaustively work through all possible encryption keys, or cryptographic algorithms, in order to decrypt a password or message. In addition to hardware-based encryption, the DTEP drive features several other advanced security measures, including a complex password protocol and a mechanism that locks out would-be attackers after 25 consecutive failed password attempts, ensuring information is accessible only by authorized users, and thwarting these ?brute force attack? attempts to access data on lost or stolen devices.

DMN: The DTE Privacy Edition drives are password secured for up to 25 attempts. After the 25th failed attempt to access the data on the drive, what happens to the drive physically and is the data still retrievable?
ML: After the 25th failed attempt to access data on the drive, it shuts down completely. The only way to access the drive is to reformat it, which wipes the drive clean.

DMN: How can IT administrators log what is being saved to the drive? Is that technology currently available with a device such as the DTE Privacy Edition, or are we looking further down the road?
ML: Look for a new offering from Kingston later this year that will enable IT administrators to monitor what is being saved to DTE Privacy Edition. We recognize that this is an emerging market need ? as companies need audit trails to track where data is going within the organization, so it is definitely on our roadmap.

DMN: Will a company that employs DTE Privacy Edition drives across the enterprise be able to configure their computer systems to only accept those USB drives that it has approved?
ML: Kingston Technologies will soon be announcing an agreement with a provider of end-point security solutions that will resell Kingston's DTE Privacy Edition bundled with a port management software package that controls connectivity among peripheral devices and desktops and laptops, enabling IT managers to set granular policies dictating which devices ? via type, model, and unique serial number ? can be used within the organization , and/or for any particular domain, department, computer, or user.