That's because the latter is an extensive, time-consuming process that produces persistent results: an adapted profile for each machine (see below). The good news: Adaptation is heavily automated, requires no PC knowledge, and renders each PC as usable as if you were booting from HDD. The bad news: Our adaptations ran from 20 minutes to over an hour, required multiple user interactions, and would not complete on one of the PCs where we could pre-boot.

SZfig2-adaptation_sm.jpg

Click to enlarge.

Host adaptation is very powerful (even essential) for using Stealth ZONE on the same PC repeatedly – such as working on home PCs shared by family members who download who-knows-what. But note that each Stealth ZONE can only be adapted to a limited number of machines, shared by all users of that drive, selected from a list displayed during pre-boot.

Customizing desktops

But how do you enable IT changes to each Stealth ZONE desktop environment, like installing desired business apps, applying Active Directory group policies, updating anti-malware signatures, and installing OS patches? After all, a useful trusted computing environment requires a lot more than an off-the-shelf OS image.

This is where maintenance mode comes into play. When users boot a generic or adapted profile, recall that they boot a read-only OS image. If a user has permission to install an app or write a file to C: or configure Wi-Fi settings, those changes won't be there after reboot. In fact, the only changes that persist across reboot are those written to the user's Documents and Settings folder.

However, when a user boots up in maintenance mode, these "write filters" are disabled, making it possible to install apps or printers, create folders and files in other locations, change registry keys, etc. When that user next reboots using a generic or adapted profile, those apps and printers and folders will all still be there.

We used maintenance mode to customize our desktop and install several apps. Our Stealth ZONE was supplied with a single Windows user: administrator, no password. Thus, we had free reign to install anything in maintenance mode. In real life, IT would configure a Stealth ZONE with real user accounts (possibly from Active Directory) and appropriate policies, thereby controlling changes that each user can make in maintenance mode. In short, users can do the same things when logged into Windows, whether booted from HDD or Stealth ZONE maintenance mode.

Thinking big

Manually refining a default image in maintenance mode may be ok for small deployments. Our Stealth ZONE arrived with MWES, Microsoft Office 2003, Adobe Acrobat Reader, QuickTime, and SilverLight installed. That suited us, although we were surprised to learn that MWES is the only supported OS. Microsoft does not currently allow any other OS to be booted from MWES, so you cannot (yet) create a portable Windows 7 Enterprise desktop using Stealth ZONE.

However, MWES is now being sold to the government and public sectors; it will eventually be rolled out to enterprises too. These can be very large organizations, with hundreds or thousands of users. How would you provision and manage that many Stealth ZONEs using maintenance mode?

You wouldn't. Stealth ZONE fits into a scalable infrastructure which uses a hardware appliance for bulk provisioning and ACCESS Enterprise for life-cycle management. In this process flow, maintenance mode is only used for creating an organization's "golden image" on a factory-fresh drive and as-needed per-drive tweaks.

  • The provisioning appliance is a Linux server that imports a locked Stealth ZONE golden image to provision up to 28 USB drives in parallel. The appliance produces cloned drives that are encrypted with 256-bit AES and locked with a pre-issuance password to deter tampering and piracy. Only admins with that password can unlock cloned drives when the time comes to issue and personalize them using ACCESS Enterprise.
  • ACCESS Enterprise is server software used to centrally-initialize, issue, manage, and (eventually) recycle Stealth drives, including those running Stealth ZONE. First, policies are configured into ACCESS Enterprise (e.g., pre-boot password rules). Second, provisioned drives are issued to users who complete device registration and initialization. Finally, each user personalizes his device by enrolling a pre-boot user account and credentials (e.g., password, fingerprint, PIN). Now the Secure USB desktop is ready for use.

Our set-up differed because we did not test ACCESS Enterprise. Instead, we received a drive provisioned with a default beta image. We mounted that drive's secure storage partition, ran a personalization wizard (below), entered a supplied surrogate password, and completed a custom initialization process where we had a chance to fiddle with default policies before completing single-user account enrollment. Thereafter, we had no way of changing policies or recycling our own drive because such tasks can only be completed using ACCESS Enterprise.

SZfig3-personalize_sm.jpg

Click to enlarge.

This is why we think that most Stealth ZONE deployments will need to invest in ACCESS Enterprise. Organizations concerned enough about security to invest in Stealth ZONE probably want to control their own images and pre-boot policies and recycling, as well. ACCESS Enterprise is also needed by those who want to initialize per-user credentials, such as digital certificates or RSA SecurID soft tokens and report on issued devices/users. We noted that ACCESS Enterprise does not currently provide on-going Stealth ZONE usage logging or remote kill, but MXI said these important features are already being added to next month's release.

Reading the fine print

By combining Stealth ZONE with Stealth drives, ACCESS Enterprise, and a provisioning appliance, MXI has assembled several essential pieces into a fairly cohesive whole. However, there are nuances about running a Secure USB Desktop that might not jump out until you use one.

For example, injecting pre-boot authentication can mean that users must log in twice, using different accounts and credentials. On most PCs, we logged into pre-boot using the Stealth ZONE password created during drive personalization. We then logged into MWES using a Windows account password. But one laptop required pre-boot fingerprint authentication, using that PC's embedded reader. There we had to swipe a finger before entering our Stealth ZONE pre-boot password, then swipe a finger again before entering our MWES password. Cases like these must be considered when deciding what authentication(s) to require for pre-boot and how to reduce logins. For example, MWES login could use a certificate stored securely on the Stealth drive to be user-transparent. Although MXI has an Enterprise Single Sign On solution, it does not currently apply to Stealth ZONE.

Note that, when booting from USB, you cannot use that drive as a secure portable storage device. When we inserted our M500 into an already-booted laptop, we could unlock and drag-and-drop files onto its encrypted data partition. However, when booted from our M500, that partition could not be mounted or unlocked. This is said to inhibit data leakage by preventing users from dragging files to and from other PCs, but users will just find other ways to move files – like email or another USB stick.

When carrying a portable secure desktop, users will want some data to persist. For example, if Outlook is used to sync with a Microsoft Exchange server, users probably want attachments to remain (e.g., for offline use). If users add favorites to Internet Explorer, they should stick around. Stealth ZONE meets both of these needs because the affected files are stored in the writable user tree. But what if you frequently use a site that needs a new version of Flash or Acrobat or your Wi-Fi requires a password? Sorry – you must use maintenance mode for these changes to persist.

Stealth ZONE insulates users from threats posed by each PC (including files stored on that machine's HDD). Not only won't malware jump onto your USB, but your USB won't leave temp files behind on the PC. But what about temporary malware exposure inside a secure desktop environment, during any given session? To address this concern, MXI sells an optional on-board anti-virus scanner for Stealth drives (including Stealth ZONE). We did not test this option, but believe some type of persistently-updatable anti-malware is essential for all Stealth ZONE deployments.

This brings us to the question of on-going desktop maintenance. According to MXI, any update to the MWES OS would be done using Microsoft System Center Configuration Manager (SCCM) or Windows Server Update Services (WSUS) in the usual fashion. For example, OS patches would be downloaded to a WSUS server and pushed to deployed desktops. However, application updates (like anti-malware) must be done as administrator in maintenance mode using SCCM.

Finally, Stealth ZONE claims to use each PC's keyboard, mouse, and monitor (but not HDD) without adaptation. However, our Stealth ZONE had trouble detecting a Logitech wireless keyboard/mouse when booting from one docked laptop. On the other hand, Stealth ZONE's secure pairwise key exchange deters USB replay and MitM attacks, which can be significant threats on public PCs.

In a nutshell

We tested a beta Stealth ZONE that was surprisingly stable, generating just two obvious bugs (a spurious disk error and one PC that just couldn't boot MWES). Overall, hardware compatibility was better than expected, but not entirely without room for improvement. We were unable to test MXI's management offerings, but provisioning and initialization flows appear to be well thought out. ACCESS Enterprise updates will soon backfill the biggest management gaps we noted: usage reporting and remote wipe. A cloud service to make these available in small deployments would be a nice addition.

Security features and supported permutations (especially authentication methods) appear robust. However, it is easy to get lost in a maze of models and features; prospective customers should work with MXI to clearly identify needs and match them to drives and other options. Finally, Stealth ZONE's exclusive tie to MWES could be a barrier for organizations that can't or don't want to support that OS.

Ultimately, we found using Stealth ZONE fast and efficient – enough so that many teleworkers and travelers and other offsite workers would probably use this Secure USB Desktop without complaint. Network connections are easy. Cameras and microphones and good quality video are available, given enough time to run adaptation. Applications run well and preserve essential user data, although browser plug-ins won't persist without a trip into maintenance mode. Oh – and all of this is done safely, so that users don't have to worry about dropping their Stealth ZONE in a parking lot or conducting financial transactions on a hacked PC. We think this is a pretty compelling case for many businesses and worthy of risk vs. cost analysis.

Lisa Phifer owns Core Competence, a consulting firm focused on business use of emerging network and security technologies. Since 1997, Lisa has been involved in mobile workforce policy development and best practices, ranging from wireless/VPN security to portable data defenses.

Find more reviews here.

 Follow eSecurityPlanet on Twitter @eSecurityP.