Out in the field

So, what does an end user see when he/she inserts a KRMC Cloud-managed thumb drive? Each Kanguru Defender Elite is a USB flash drive containing FIPS-validated 256-bit AES crypto and filled with epoxy to deter physical tampering. Users can insert this thumb drive into any USB 1.1 or 2.0 port on Windows XP, Vista, 7, 2000, or Server 2003 PCs (32 or 64-bit).

Upon inserting a factory-fresh drive, a setup wizard walks the user through a short series of questions. Here, the user can optionally enable KRMC Cloud Management and/or on-device AV scanning. So long as the PC has outbound TLSv1 access to the Internet, the drive will find and register with the Cloud on its own; users do not need to supply account credentials or IP addresses. Be aware, however, that once an activated drive has been remotely wiped, it cannot be reused as a standalone drive without a return trip to Kanguru.

No admin privileges are needed to run the wizard or use an activated drive. The PC sees the drive as a read-only CD and uses auto-run to launch the password prompt that unlocks the encrypted volume. A pop-up virtual keyboard can be used when unlocking the drive on public PCs; it defeats keystroke loggers, though not screen-capture malware. Note that Kanguru matches the password on the drive's own controller rather than in host software, which avoids the authentication-intercept bug that bit some other flash drives earlier this year, where the host-side software made the pass/fail decision.

Successful login opens an encrypted volume on the drive, letting users freely create, edit, copy, and delete the folders and files stored there. On-premises KRMC can be coupled with USB device control to limit and log movement of folders/files between workstations and thumb drives – but this add-on is not yet available for KRMC Cloud.

Files on the encrypted volume are enciphered and deciphered on the fly. However, users must be careful to use the system tray icon to unmount the volume before removing the drive. Forgetting to do so triggers a warning message, and it can cost data: a few times, we lost the last file dragged onto the drive right before it was yanked.

In the penalty box

What happens when password entry fails? That depends on each drive's (re)provisioned security policy. Using KRMC Cloud, the admin can specify a failure limit: reaching the limit displays a warning, and exceeding it triggers an immediate admin-defined action. One option is a lockout period (1, 2, 5, 10 or 30 minutes), during which a countdown is displayed until the "password submit" button is once again active. Alternatively, the drive can be automatically disabled or wiped. Disable preserves the drive's contents but requires admin action to restore access; wipe does not.

KRMC Cloud can also control whether drives can be unlocked without Internet access. Normally, inserting the drive causes it to silently "phone home" over TLSv1 to KRMC Cloud, authenticating itself with a drive certificate and checking for pending admin actions. If KRMC Cloud is unreachable, drive access can be blocked. However, if the admin chooses, access can be permitted when KRMC Cloud is unreachable (for example, a drive inserted mid-flight). Limiting how many times a drive can be unlocked before it must check back in would be a welcome enhancement.

If on-drive AV was activated during setup, signature files are also updated upon insertion. Although AV (and these updates) cannot be deactivated, the user can disable real-time scanning or initiate an on-demand scan of drive folders/files. On-drive AV sounds like a good thing – especially for drives used on sketchy public or home PCs. However, we found this AV rather intrusive. Initializing AV after drive activation took a good 20 minutes. Thereafter, pop-up messages nattered on about signature updates succeeding/failing after every insertion.

In our view, on-drive AV would be more effective if it were invisible. Additionally, we would like to be able to prevent user disablement of real-time AV (or at least log those events). Along the same lines, KRMC Cloud can remotely reprovision and enforce policies governing password length, strength, and update frequency. But we would like to see a log record whenever the user DOES change his/her drive password, as well as enforcement that any newly-entered password actually differs from the old password.

Taking action

The most powerful controls offered by KRMC Cloud Edition are remotely-initiated actions. KRMC actions cover everything from displaying a message to end users to remotely wiping drives. Actions can be invoked on one drive or many, to be executed immediately or at some scheduled date/time. Once launched, each action stays pending indefinitely, until it is either executed (when a drive "phones home") or cancelled by the admin. Note that scheduling an action for 9am tomorrow means that it will run if the drive is connected at 9am tomorrow, or when next inserted after 9am tomorrow.

Invoking a Disable action remotely locks the target drive before optionally displaying a custom message to the user. No one can successfully re-enter the password to unlock a disabled drive until the admin performs an Enable action. For example, if a drive is lost, the Disable action might display a phone number to call to return it. Although Disable cannot take effect until the drive is re-inserted, it will always take effect before the drive is successfully unlocked, unless offline use has been permitted.

Actions can also remotely Delete All Data on a target drive, with or without Disabling the drive at the same time. Deleting All Data wipes and reformats the encrypted volume only. If not accompanied by Disable, the user can just complete the setup wizard again to reactivate the (now empty, but still licensed) drive. However, adding Disable to Delete requires another admin action to enable the drive before it can be reactivated.
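To make the interplay of these controls concrete, here is a toy model of the insert, phone-home and password-check sequence described in the penalty-box and action sections above. It is an added illustration written for this page, not Kanguru's code or protocol; the policy fields, action names, the minute-based clock and the rule that the failure counter restarts after a penalty are all assumptions made for the example. The four scenario functions show the points that matter most in practice: a pending Disable that is bypassed because offline use was permitted, an action scheduled for "9am" that runs at the first check-in after that time, the warn-then-penalize failure counter, and Delete with and without Disable.

```python
from dataclasses import dataclass, field

@dataclass
class Policy:
    failure_limit: int = 3       # reaching it -> warning; exceeding it -> on_exceed
    on_exceed: str = "lockout"   # "lockout", or an action kind: "disable" | "delete"
    lockout_minutes: int = 5     # the review lists 1, 2, 5, 10 or 30
    allow_offline: bool = False  # may the drive unlock when the cloud is unreachable?

@dataclass
class Action:
    kind: str                    # "disable" | "enable" | "delete" (wipe the volume)
    not_before: int = 0          # minutes on a toy clock; 0 = run at the next check-in

@dataclass
class Drive:
    password: str
    policy: Policy
    files: list = field(default_factory=list)
    failures: int = 0
    locked_until: int = 0
    disabled: bool = False
    activated: bool = True       # False after a wipe until the setup wizard is rerun

class Cloud:
    def __init__(self):
        self.pending, self.reachable = [], True
    def check_in(self, drive, now):
        # Actions stay pending until the drive checks in at or after their not_before.
        if not self.reachable:
            return False
        for a in [a for a in self.pending if a.not_before <= now]:
            apply_action(drive, a)
            self.pending.remove(a)
        return True

def apply_action(drive, action):
    if action.kind == "disable":
        drive.disabled = True
    elif action.kind == "enable":
        drive.disabled = False
    elif action.kind == "delete":    # wipes the volume only; identity and licence remain
        drive.files.clear()
        drive.activated = False

def attempt_unlock(drive, cloud, attempt, now):
    """Insert -> phone home -> password check; returns a status string."""
    if not cloud.check_in(drive, now) and not drive.policy.allow_offline:
        return "offline_blocked"
    if drive.disabled:
        return "disabled"
    if not drive.activated:
        return "needs_setup"         # Delete without Disable: user may rerun the wizard
    if now < drive.locked_until:
        return "locked_out"
    if attempt == drive.password:
        drive.failures = 0
        return "unlocked"
    drive.failures += 1
    p = drive.policy
    if drive.failures == p.failure_limit:
        return "wrong_final_warning"
    if drive.failures > p.failure_limit:
        drive.failures = 0           # assumption: the counter restarts after the penalty
        if p.on_exceed != "lockout":
            apply_action(drive, Action(p.on_exceed))
            return "penalty:" + p.on_exceed
        drive.locked_until = now + p.lockout_minutes
        return "locked_out"
    return "wrong"

def scenario_offline_risk():
    """Disable is pending but offline use is permitted: the drive unlocks anyway."""
    cloud, drive = Cloud(), Drive("s3cret", Policy(allow_offline=True), ["q3.xlsx"])
    cloud.pending.append(Action("disable"))
    cloud.reachable = False
    offline = attempt_unlock(drive, cloud, "s3cret", 100)
    cloud.reachable = True
    online = attempt_unlock(drive, cloud, "s3cret", 101)
    return offline, online           # ("unlocked", "disabled")

def scenario_scheduled_action():
    """Scheduled for minute 540: skipped at 480, run at the first check-in after 540."""
    cloud, drive = Cloud(), Drive("s3cret", Policy())
    cloud.pending.append(Action("disable", not_before=540))
    before = attempt_unlock(drive, cloud, "s3cret", 480)
    after = attempt_unlock(drive, cloud, "s3cret", 600)
    return before, after, len(cloud.pending)   # ("unlocked", "disabled", 0)

def scenario_lockout():
    cloud, drive = Cloud(), Drive("s3cret", Policy(failure_limit=3, lockout_minutes=5))
    steps = [attempt_unlock(drive, cloud, "guess", 0) for _ in range(4)]
    steps += [attempt_unlock(drive, cloud, "s3cret", t) for t in (3, 5)]  # mid-countdown, then after
    return steps

def scenario_delete_vs_delete_disable():
    cloud, drive = Cloud(), Drive("s3cret", Policy(), ["notes.txt"])
    cloud.pending.append(Action("delete"))
    wiped = attempt_unlock(drive, cloud, "s3cret", 0)
    cloud.pending += [Action("delete"), Action("disable")]
    locked = attempt_unlock(drive, cloud, "s3cret", 1)
    return wiped, list(drive.files), locked   # ("needs_setup", [], "disabled")
```

The first scenario is the one to dwell on: with offline use permitted, a lost drive with a Disable already queued still opens on a PC that cannot reach the Cloud, which is exactly why the review calls that setting a calculated risk. The lockout scenario also shows why the warning-at-limit and action-after-limit distinction matters: the third wrong guess only warns, the fourth starts the countdown, and the correct password is refused until the countdown expires.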

Note that Delete does NOT actually reformat the drive's root; the settings KRMC Cloud uses to recognize the drive remain there. Admins must be aware of this when re-issuing drives to new users. For example, a reactivated drive retains past Group memberships and is still associated with past log records, even if the new user assigns the drive a different name during setup. However, those past log records will now appear in the audit log under the drive's new name.

Other actions that can be initiated remotely through KRMC Cloud include:

  • Refresh – Use this to query user-configured settings before applying a license to a newly-registered drive.
  • IP/Domain Control – Use this to limit where a drive can be unlocked by defining or appending specified IP address ranges or domains to an ACL.
  • Reprovision – Use this to push admin-configured policies to the drive, including password length, composition, update frequency, offline use, and login failure consequences.

These actions can play a vital role in thumb drive security. For example, they could be used to remotely delete and disable a drive carried by an ex-employee, or to prevent a lost drive from being used offsite. KRMC Cloud makes it easy to see how many actions are still pending, and for which drives. Log records are also generated when actions are added and completed, providing an audit trail. But remember that actions cannot be completed on drives that are never re-inserted or given Internet access to "phone home" – this is why permitting offline use is a calculated risk.