Kanguru Remote Management Console Cloud Edition

Price: $19.95 per drive / year

Pros:   Central encryption control & logging with zero effort, remote lock/wipe & audit trail

Cons:   Limited to Windows KDE drives, user-initialized drive settings, superficial reporting

Nearly 200 million thumb drives were sold last year, placing trillions of bytes of data in pockets and purses. To prevent little lost drives from causing big breaches, employers must protect any sensitive data stored there.

Centrally-managed enterprise servers that encrypt, audit, and wipe thumb drives are increasingly common. But what about SMBs long on risk, but short on resources? To fill this gap, Kanguru recently introduced a "cloud edition" of its Kanguru Remote Management Console (KRMC). We took this turn-key public cloud service for a test drive, managing a pair of AES-encrypted Kanguru Defender Elite (KDE) thumb drives.

Getting started

When a business tackles thumb drive security, many "big picture" questions must be answered. Should one unified console be used to manage desktop, laptop, and thumb drive encryption? Should software be used to encrypt drives from anywhere or should hardware-encrypted drives be sourced from a single manufacturer?

To this end, KRMC is narrowly-targeted at Kanguru's line of encrypted thumb drives only. Specifically, KRMC Cloud Edition remotely manages Kanguru Defender Elite ($49.95/1GB) and Defender V2 ($39.95/1GB) drives used on Windows PCs. Those who need to encrypt and manage multi-vendor drives or support other OS's must look elsewhere. But for KDE customers, KRMC Cloud Edition is an easy way to enforce policy compliance on otherwise standalone devices with minimal investment.

KRMC Cloud Edition can be activated online in minutes. There is no server to harden, software to install, or DMZ firewall to open. Instead, you just purchase KRMC Cloud licenses and create an admin account at Kanguru's SSL/TLS-protected Website. After log-in, click "My Cloud" to launch an administrative Website composed of two sections: My Account and My Console.

My Account can set/change the Master Password used to seed all drives and import, assign, or release licenses. One KRMC Cloud Edition license ($19.95/year) is required for each active drive, but partially-used licenses can be reassigned (e.g., when replacing a lost drive). My Account can also assign optional anti-virus licenses ($7.95/year) to KRMC-managed drives after the included one-year subscription expires.

We found My Account intuitive and completed account setup in minutes. KRMC offers a clean easy-to-navigate Web GUI, accessible via IE, Firefox, or Safari. However, we'd like to see a few extensions: admin session logging, timeout, and IP/domain ACLs. After all, this is a sensitive service; preventing unauthorized access is crucial. Hierarchical admin is available in KRMC Enterprise software for on-premise installation, but not in the Cloud Edition.

Managing drives from the cloud

All other admin tasks are performed through KRMC My Cloud. For starters, the My Devices page delivers at-a-glance status for all Kanguru drives linked to your account. From this filtered list, you can easily find drives in a selected group, with specified attributes, or in a given state. My Devices can also kick off the same remote update or action on several drives at once (e.g., force password change or update security policy).

Filtering is not just handy – it is essential. For a complete audit trail, My Devices includes every drive ever associated with your account. But you can simplify viewing, updates, and actions by using My Groups to define and populate sets of drives. For example, we placed our currently-licensed drives in one group and deprecated drives in another. The same drive can participate in many groups, but a drive cannot be added to a group before it has been activated.

In fact, we were surprised to find that drives cannot be initialized by KRMC My Cloud. Default security policies and settings like device name or employee ID cannot be centrally-configured. Instead, end users set these by responding to wizard prompts upon first drive insertion. User settings are then relayed to KRMC over TLS. Based on those values, the admin must recognize and assign a license to each new drive. Only after reaching that point can KRMC be used to centrally re-provision security policies or initiate remote actions.

fig1-devices.jpg

This flow works, but imposes limitations. After a user initializes a drive's name or phone number, those settings cannot be changed without wiping the drive and repeating user setup. If the admin edits these settings in KRMC, those changes are over-written on next drive refresh. If a user activates the included AV license, it cannot be deactivated without Kanguru's help. After completing setup, users must wait for an admin-assigned license before a drive can be used.

For these reasons, we recommend having an admin manually initialize drives on behalf of users prior to distribution. Mid-size businesses should consider Kanguru's local administration tool to automate drive configuration. Larger enterprises should use on-premises KRMC, which integrates with Active Directory.