Lexar Locks Down USB Storage

Digital media specialist Lexar has stepped into the storage arena with a USB device it claims will help enterprises and government agencies lock down critical data. (See Lexar Ships SAFE PSD.)

Lexar today introduced the enterprise SAFE PSD 1100 to its range of personal Flash drives. The device is designed to address growing user concern about removable media. (See VA Reports Massive Data Theft, Los Alamos Fallout Continues, NASA Goes to the Dark Side, and Houston, We've Got a Storage Problem.)

Akil Houston, Lexar's senior product marketing manager, told Byte & Switch that his firm is taking a significantly different security approach to the competition, which incldues established USB players such as Kingston Technology and SanDisk, which recently acquired msystems. (See Kingston Intros Drives and SanDisk Buys msystems.)

Other USB vendors, says Houston, typically use software within their devices to access a feature within Windows called "autorun". This enables the device to automatically access the operating system when it is plugged into a laptop or a PC, although there is concern that autorun could be used by a crafty hacker to slip malware and viruses into an organization. (See Social Engineering, the USB Way.)

Lexar's 1100, on the other hand, does not rely on pre-loaded autorun software. "In order to use the device, it needs a device driver that is downloaded through Windows update via the Internet," says Houston. "Once the driver is installed, you have to provide a password."

SanDisk did not respond to Byte and Switch's request for comment and Kingston Technology's security expert was unavailable when we tried to contact him today.

Analysts agree that users are looking for new ways to lock down vulnerable storage media. "I think it's a good idea, we definitely need more granular control on PCs," says John Pescatore, vice president at Gartner.

"Autorun can certainly be used in a social engineering-type attack when someone loads malicious software onto a USB stick -- it can happen," adds Jonathan Singer, an analyst at Yankee Group.

The problem is that end-users cannot always be trusted to use their common sense, warns Russ Cooper, director of managed security services specialist CyberTrust. "We have heard stories about people dropping thumb drives in the parking lot outside of sensitive facilities to see if people will download them," he explains.

The 1100 device uses 256-bit encryption to lock down its data, and Lexar has also integrated the product with SecureWave's Sanctuary Device Control software, which monitors and audits USB devices. See Healthcare Firm Secures USB, A-Listing Your Apps, and Software Secures Against USB Slurpers.)

At the moment, though, the 1100 is lagging well behind its rivals in the capacity stakes. The device is only available in 1-Gbyte and 2-Gbyte versions, priced at $64 and $115, unlike Kingston Technology and SanDisk, which also offer 4-Gbyte enterprise products.

Undeterred, Lexar's Houston told Byte & Switch that many firms are wary of putting too much data into their employees' hands. "It's not necessarily the case that the enterprise would want their employees to have 4 or 8 Gbytes of removable storage," he says, adding that this is deemed too much of a risk by many firms.

Sadly, Byte & Switch was unable to pin down any 1100 early adopters to ask them about this. Houston, for his part, did not know how many end-users have so far deployed the 1100, which is being sold via resellers.

At least one analyst told Byte and Switch that the real portable media challenge for CIOs and IT managers is more about people than technology. "You still need policies," says John Blossom, president of analyst firm Shore Communications, highlighting the need for passwords to be carefully monitored. "If you have a secure legal document going from point A to point on this device, it doesn't prevent the information from leaking out."

Clearly, many firms still have little understanding of how their portable storage media is being used. Earlier this year, for example, nearly half of the respondents to a survey by Byte & Switch's sister publication, Dark Reading revealed that they have no clearly-stated policy for the use of portable storage devices.

Analyst firm Input says that spending on portable storage security is on the rise following a slew of high-profile snafus at organizations such as the Department of Veterans' Affairs. (See Portable Problems Prompt IT Spending and The Portable Puzzle.)

— James Rogers, Senior Editor, Byte and Switch