MXI Security Stealth ZONE Secure USB Desktop


Price: $479 (on 8GB M500 drive)
Pros: Fast, host-adaptable, many auth options, scalable provisioning, multi-user support
Cons: No usage tracking, secure data partition inaccessible, wipe requires management server

Many workforces could benefit from trusted computing environments that are safe, portable, and carry along each user's personality (i.e., files, apps, settings). Gartner divvies available solutions into two broad categories: device-based (e.g., PC-on-a-stick, virtual machine) and portal-based (e.g., virtual desktop, cloud service).


But using these solutions can present thorny challenges. A host-installed VM isn't very portable. A cloud service can't be used offline. And PC-on-a-stick can be slow and incompatible with host hardware. With Stealth ZONE Secure USB Desktop, MXI addresses the latter, using an encrypted flash drive with a speedy BlueFly processor to boot a PC-adapted, IT-customized Microsoft Windows Embedded Standard image.

The Stealth ZONE's objective: Carry your own self-contained, IT-managed, trusted environment on a flash drive that lets you work safely and effectively on any PC without threat exposure or data leakage. During this review, we used a Stealth M500 USB with Stealth ZONE to run our own trusted desktop on several enterprise, personal, and public PCs with very few glitches.

Under the covers

Portable secure storage runs the gamut from BYO-USB software (e.g., EncryptStick) to purpose-built hardware (e.g., Kanguru Defender). Stealth USB drives fall in the latter camp, delivering chip-based FIPS 140-2 Level 3 AES crypto, NIST SP 800-56A pairwise key exchange, and multi-factor authentication options. All Stealth drives are tamper evident and dust/waterproof; some even have metal enclosures.

Stealth ZONE Secure USB Desktop builds on this Stealth drive foundation. We tested Stealth ZONE v0.9 beta with password authentication on a 16 GB M500 drive (MSRP $559). For an on-board fingerprint reader, run Stealth ZONE on an MXP Bio drive, enabling two- or even three-factor authentication (e.g., PKI token, RSA SecurID soft token, OATH OTP). All Stealth drives can optionally be paired with Common Access Card (CAC) or Personal Identity Verification (PIV) card readers; MXP drives even have dedicated X.509 certificate key containers.

Stealth drives can be IT-administered using MXI provisioning and management products – most notably ACCESS Enterprise. We could not test ACCESS Enterprise, but evaluated how this life-cycle manager supports Stealth ZONE. Our conclusion: anything more than a small or pilot Stealth ZONE deployment really needs ACCESS Enterprise. Volume discounts and bundles tailored to each customer make a "typical MSRP" hard, but here's one example: 1000 Stealth ZONE 8GB M500 drives with ACCESS Enterprise would run about $530K.

Booting up

To use a provisioned Stealth ZONE, just plug the drive into any USB port on a host PC. BIOS options may need to be changed if the PC is not set to boot from USB – for example, moving USB ahead of HDD in the boot device list. When the PC boots from the Stealth ZONE drive, it loads a pre-authentication environment with three choices: boot a generic profile, boot an adapted profile, and enter maintenance mode.

Choosing any profile boots up a Microsoft Windows Embedded Standard (MWES) desktop, provisioned onto the drive, personalized for each user, and safely stored in an encrypted partition. Up to ten users can share the same Stealth ZONE; pre-boot authentication loads each user's own desktop. In fact, pre-boot runs MWES from a read-only "surrogate user" partition that cannot be seen or modified by anyone. As each end-user authenticates, the surrogate unlocks an encrypted desktop partition linked to that user's account. This insulates users from each other, as well as from anyone who picks up and browses a lost USB.

We logged into pre-boot auth by password, subject to provisioned policies regarding length, complexity, etc. Depending on drive model, IT can require other pre-boot authentication methods, such as a fingerprint or CAC/PIV card swipe in combination with a PIN. If a user forgets his pre-boot password, a rescue tool can reset it (remotely, when using ACCESS Enterprise).

Once the user's desktop is unlocked, the OS is booted natively – this is NOT a virtual machine running under a hypervisor. Rather, the user's environment consists of a provisioned MWES image, largely locked down to prevent OS corruption or modification. This approach stops users and malware from relaxing security settings, installing Trojans, or making other risky changes. Every time you boot Stealth ZONE, you're guaranteed to start with the same trusted OS image – no matter where you might have used it in the past.

Adapting to hardware

Anyone who has booted from USB knows that we skipped over some common hurdles. So let's start with BIOS dependencies. We tested Stealth ZONE in eight hosts, including IT-managed, personal, and hotel PCs. One four-year-old PC could not boot from USB at all; another hotel PC had its BIOS locked. The rest could boot Stealth ZONE from USB – two only after BIOS changes. This is not a statistical sample, but it offers insight into cases where Stealth ZONE could be a non-starter.

During pre-boot, choosing the generic profile is the fastest way to load a desktop environment. Delay was more obvious on faster CPUs, but we found booting and running from Stealth ZONE almost as fast as booting/running from HDD on most PCs.

The generic profile is ideal for booting on public PCs, except that almost everything we'd do there requires Internet access, and that profile does not load drivers for machine-specific devices like network adapters and video cards. Thankfully, the generic profile offers one option – enable network support – which causes Stealth ZONE to auto-detect and load drivers for that PC's network adapters. The resulting connections aren't persistent; they won't be there the next time you boot. This option is an excellent compromise between having no Internet access and the delay incurred by full-blown host adaptation.
