Portable security storage device could replace OTP devices

By Erin Kelly, Contributor 16 Mar 2009 | SearchSecurity.co.uk

Security UK News Digg This!     StumbleUpon     Del.icio.us

The personal portable storage device (PPSD) is unlike older USB storage devices that function in a standalone manner. This tool has a single platform that combines the USB smart card form factor and flash memory with the ability to perform file encryption and provide smart card authentication and one-time password features.

Vendors are striving to confront the complexity and cost of the device, but its security features offer promise to enterprises looking to lock down data that leaves the company walls, said Mark Diodati, senior analyst for Burton Group.

"[The PPSD] will provide more benefits than the OTP device because it has the capabilities of an OTP, plus smart card and storage container thumb drive [features]," Diodati said.

These secure storage devices are more complex than OTP devices because they are not fully personalized before they are given to users and improvements must take place on the administrative side to ease deployment and management for end users, Diodati said.

The variety of "moving parts," such as smart card capabilities and flash card memory, and the fact that the device is a new technology, is responsible for the high cost of the encrypting tool, Diodati said.

Lawrence Reusing, CEO of PPSD device maker MXI Security, said in order to boost PPSD adoption and make it easier to use by employees, the first step is to make the devices more cost-effective, simple and deployable.

"I don't want to say [the PPSD] is going to overtake the OTP device because the low-cost OTP device has its place in the market," Reusing said. "Where PPSD becomes exciting and where it comes to take market share from OTP or expand it is customers that want to carry around a device that does much more than OTP devices."

Reusing said MXI Security is currently investing in research to create more cost-effective hardware technology and the company plans to launch new products that improve and streamline existing platforms, addressing the high price factor associated with previous devices, Reusing said.

Typical customers of the Stealth MXP product are mobile workers, consultants, and the government, Reusing said.

"The government is certainly a very large user-base for us," Reusing said. "The idea is they'll typically use our devices for not only encrypting data, but also to encrypt their laptops or maybe log into their RSA server. There are multiple security functions on the singular [PPSD] device," Reusing said.

The use of USB devices was prohibited within the Department of Defense in November after a removable storage device plugged into a USB port allowed a worm to access and inject malicious code across the federal network. Despite the ban, government agencies may be able to benefit from this new smart card and flash memory combination, Diodati said.

"Having information encrypted [on the PPSD] really overcomes a lot of the objections aimed at USB devices," Diodati said.

USB devices support only flash memory and are freely readable, lacking password protection, Diodati said. This new encrypted, portable tool protects data while in transit, so that if a laptop is stolen the data isn't compromised, he said.

The PPSD market is still new and does not have any standard vertical market, but the device is ideal for enterprises interested in strong authentication and DLP, such as the government, financial organizations and payment and mobile communication industry enterprises.

For enterprises considering acquiring PPSDs, Diodati recommends doing a cost-benefit analysis as well as taking inventory of all applications to make sure the device is compatible with them.

Users must set up an encrypted file drive, learn how to store data on it and enroll for a public key infrastructure (PKI) certificate in order to use and access the new tool, Diodati said.

"Another [recommendation] would be to implement very good recovery processes, because you'll want to recover data off devices if users terminate them or in case something else happens to it," Diodati said.

Tags: Secure User Authentication and Authorization,  Biometrics, Smart Cards, Tokens,  Enterprise Data Storage,  VIEW ALL TAGS

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT Secure User Authentication and Authorization Preventing password fatigue with single sign-on (SSO) authentication Gridsure finds global deal for its pattern-based authentication Physical security threats: Don't gift your data away Using unique device identification for bank website security Yahoo login credentials at risk to hijacking attack Single sign-on system removes password chaos at East Kent NHS Trust Tokenless two-factor authentication helps council with CoCo compliance Risk-based multifactor authentication implementation best practices Chip and PIN adoption serves lesson for U.S. payment industry Group to shed light on secure identity management threats Biometrics, Smart Cards, Tokens Preventing password fatigue with single sign-on (SSO) authentication Gridsure finds global deal for its pattern-based authentication Single sign-on system removes password chaos at East Kent NHS Trust Will physical security integrators work with IT departments? Tokenless two-factor authentication helps council with CoCo compliance Chip and PIN adoption serves lesson for U.S. payment industry Visa probes tokens, encryption for PCI card data protection Strong authentication methods, voice recognition systems make comeback Security on a budget: How to make the most of authentication tools Creating a secure platform for smart card programmers Enterprise Data Storage Safend expands data leakage prevention product to plug more gaps TrueCrypt: How to get started with open source disk encryption Report: Firms avoid encrypting backup tapes, databases Encryption tips: How to secure a laptop The real reason behind backup recovery disk failures Infosec pros wake up to Excel spreadsheet security risks How to enforce an enterprise data leak prevention policy 3ami allows employers to track use of USB storage devices How to create a data classification policy EMC adds configuration management with Configuresoft acquisition

RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary Chip and PIN  (SearchSecurityUK.com) UK Identity Cards Act  (SearchSecurityUK.com)

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary