Establishing Digital Trust: Don't Sacrifice Security for Convenience
Price: $19.95 per drive / year
Pros: Central encryption control & logging with zero effort, remote lock/wipe & audit trail
Cons: Limited to Windows KDE drives, user-initialized drive settings, superficial reporting
Nearly 200 million thumb drives were sold last year, placing trillions of bytes of data in pockets and purses. To prevent little lost drives from causing big breaches, employers must protect any sensitive data stored there.
Centrally-managed enterprise servers that encrypt, audit, and wipe thumb drives are increasingly common. But what about SMBs long on risk, but short on resources? To fill this gap, Kanguru recently introduced a "cloud edition" of its Kanguru Remote Management Console (KRMC). We took this turn-key public cloud service for a test drive, managing a pair of AES-encrypted Kanguru Defender Elite (KDE) thumb drives.
When a business tackles thumb drive security, many "big picture" questions must be answered. Should one unified console be used to manage desktop, laptop, and thumb drive encryption? Should software be used to encrypt drives from anywhere or should hardware-encrypted drives be sourced from a single manufacturer?
To this end, KRMC is narrowly-targeted at Kanguru's line of encrypted thumb drives only. Specifically, KRMC Cloud Edition remotely manages Kanguru Defender Elite ($49.95/1GB) and Defender V2 ($39.95/1GB) drives used on Windows PCs. Those who need to encrypt and manage multi-vendor drives or support other OS's must look elsewhere. But for KDE customers, KRMC Cloud Edition is an easy way to enforce policy compliance on otherwise standalone devices with minimal investment.
KRMC Cloud Edition can be activated online in minutes. There is no server to harden, software to install, or DMZ firewall to open. Instead, you just purchase KRMC Cloud licenses and create an admin account at Kanguru's SSL/TLS-protected Website. After log-in, click "My Cloud" to launch an administrative Website composed of two sections: My Account and My Console.
My Account can set/change the Master Password used to seed all drives and import, assign, or release licenses. One KRMC Cloud Edition license ($19.95/year) is required for each active drive, but partially-used licenses can be reassigned (e.g., when replacing a lost drive). My Account can also assign optional anti-virus licenses ($7.95/year) to KRMC-managed drives after the included one-year subscription expires.
We found My Account intuitive and completed account setup in minutes. KRMC offers a clean, easy-to-navigate Web GUI, accessible via IE, Firefox, or Safari. However, we'd like to see a few extensions: admin session logging, timeout, and IP/domain ACLs. After all, this is a sensitive service; preventing unauthorized access is crucial. Hierarchical admin is available in KRMC Enterprise software for on-premise installation, but not in the Cloud Edition.
Managing drives from the cloud
All other admin tasks are performed through KRMC My Cloud. For starters, the My Devices page delivers at-a-glance status for all Kanguru drives linked to your account. From this filtered list, you can easily find drives in a selected group, with specified attributes, or in a given state. My Devices can also kick off the same remote update or action on several drives at once (e.g., force password change or update security policy).
Filtering is not just handy; it is essential. For a complete audit trail, My Devices includes every drive ever associated with your account. But you can simplify viewing, updates, and actions by using My Groups to define and populate sets of drives. For example, we placed our currently-licensed drives in one group and deprecated drives in another. The same drive can participate in many groups, but a drive cannot be added to a group before it has been activated.
In fact, we were surprised to find that drives cannot be initialized by KRMC My Cloud. Default security policies and settings like device name or employee ID cannot be centrally-configured. Instead, end users set these by responding to wizard prompts upon first drive insertion. User settings are then relayed to KRMC over TLS. Based on those values, the admin must recognize and assign a license to each new drive. Only after reaching that point can KRMC be used to centrally re-provision security policies or initiate remote actions.
This flow works, but imposes limitations. After a user initializes a drive's name or phone number, those settings cannot be changed without wiping the drive and repeating user setup. If the admin edits these settings in KRMC, those changes are over-written on next drive refresh. If a user activates the included AV license, it cannot be deactivated without Kanguru's help. After completing setup, users must wait for an admin-assigned license before a drive can be used.
For these reasons, we recommend having an admin manually initialize drives on behalf of users prior to distribution. Mid-size businesses should consider Kanguru's local administration tool to automate drive configuration. Larger enterprises should use on-premises KRMC, which integrates with Active Directory.
Out in the field
So, what does an end user see when he/she inserts a KRMC Cloud-managed thumb drive? Each Kanguru Defender Elite is a USB flash drive containing FIPS-validated 256-bit AES crypto and filled with epoxy to deter physical tampering. Users can insert this thumb drive into any USB 1.1 or 2.0 port on Windows XP, Vista, 7, 2000, or Server 2003 PCs (32 or 64-bit).
Upon inserting a factory-fresh drive, a wizard runs to carry out setup Q&A. Here, the user can optionally enable KRMC Cloud Management and/or on-device AV scanning. So long as the PC has outbound TLSv1 access to the Internet, the drive will find and register with the Cloud. Users do not need to supply account credentials or IP addresses. However, after an activated drive has been remotely-wiped, it cannot be reused as a standalone drive without a return trip to Kanguru.
No admin privileges are needed to run the wizard or use an activated drive. The PC treats the drive as if it were a read-only CD, using auto-run to kick off a password prompt that unlocks the drive. A pop-up virtual keyboard can be used to defeat keyloggers when unlocking the drive on public PCs. Note that Kanguru uses on-chip password matching to avoid the authentication intercept bug that bit some other flash drives earlier this year.
Successful login opens an encrypted volume on the drive, letting users freely create, edit, copy, and delete the folders and files stored there. On-premises KRMC can be coupled with USB device control to limit and log movement of folders/files between workstations and thumb drives, but this add-on is not yet available for KRMC Cloud.
Files on the encrypted volume are enciphered and deciphered on the fly. However, users must be careful to use the system tray icon to unmount the volume for safe drive removal. Forgetting to do so not only triggers a warning message; a few times, we lost the last file dragged onto the drive right before it was yanked.
In the penalty box
What happens when password entry fails? That depends on each drive's (re)provisioned security policy. Using KRMC Cloud, the admin can specify a failure limit. Hitting the limit displays a warning; exceeding it triggers an immediate admin-defined action. A lockout period (1, 2, 5, 10, or 30 minutes) can be applied during which a countdown is displayed until the "password submit" button is once again active. Alternatively, the drive can be automatically disabled or wiped; disable preserves the drive's contents, but requires admin action to restore access.
KRMC Cloud can also control whether drives can be unlocked for use without Internet access. Normally, inserting the drive causes it to silently "phone home" over TLSv1 to KRMC Cloud, authenticating itself with a drive certificate and checking for pending admin actions. If KRMC Cloud is unreachable, drive access can be blocked. However, if the admin chooses, access can be permitted when KRMC Cloud is unreachable (for example, a drive inserted mid-flight). Limiting how many times a drive can be used before checking back in would be a welcome enhancement.
If on-drive AV was activated during setup, signature files are also updated upon insertion. Although AV (and these updates) cannot be deactivated, the user can disable real-time scanning or initiate an on-demand scan of drive folders/files. On-drive AV sounds like a good thing, especially for drives used on sketchy public or home PCs. However, we found this AV rather intrusive. Initializing AV after drive activation took a good 20 minutes. Thereafter, pop-up messages nattered on about signature updates succeeding/failing after every insertion.
In our view, on-drive AV would be more effective if it were invisible. Additionally, we would like to be able to prevent user disablement of real-time AV (or at least log those events). Along the same lines, KRMC Cloud can remotely reprovision and enforce policies governing password length, strength, and update frequency. But we would like to see a log record whenever the user DOES change his/her drive password, as well as enforcement that any newly-entered password actually differs from the old password.
The most powerful controls offered by KRMC Cloud Edition are remotely-initiated actions. KRMC actions cover everything from displaying a message to end users to remotely wiping drives. Actions can be invoked on one drive or many, to be executed immediately or at some scheduled date/time. Once launched, each action stays pending indefinitely, until it is either executed (when a drive "phones home") or cancelled by the admin. Note that scheduling an action for 9am tomorrow means that it will run if the drive is connected at 9am tomorrow, or when next inserted after 9am tomorrow.
Invoking a Disable action remotely locks the target drive before optionally displaying a custom message to the user. No one can successfully re-enter the password to unlock a disabled drive until the admin performs an Enable action. For example, if a drive is lost, the Disable action might display a phone number to call to return it. Although Disable cannot take effect until the drive is re-inserted, it will always take effect before the drive is successfully unlocked -- unless offline use has been permitted.
Actions can also remotely Delete All Data on a target drive, with or without Disabling the drive at the same time. Deleting All Data wipes and reformats the encrypted volume only. If not accompanied by Disable, the user can just complete the setup wizard again to reactivate the (now empty, but still licensed) drive. However, adding Disable to Delete requires another admin action to enable the drive before it can be reactivated.
Note that Delete does NOT actually reformat the drive's root; settings used by KRMC Cloud to recognize the drive remain there. Admins must be aware of this when re-issuing drives to new users. For example, a reactivated drive retains past Group memberships and is still associated with past log records, even if the new user assigns the drive a different name during setup. However, those past log records will now appear in the audit log with the drive's new name.
Other actions that can be initiated remotely through KRMC Cloud include:
- Refresh: Use this to query user-configured settings before applying a license to a newly-registered drive.
- IP/Domain Control: Use this to limit where a drive can be unlocked by defining or appending specified IP address ranges or domains to an ACL.
- Reprovision: Use this to push admin-configured policies to the drive, including password length, composition, update frequency, offline use, and login failure consequences.
These actions can play a vital role in thumb drive security. For example, they could be used to remotely delete and disable a drive carried by an ex-employee, or to prevent a lost drive from being used offsite. KRMC Cloud makes it easy to see how many actions are still pending, and for which drives. Log records are also generated when actions are added and completed, providing an audit trail. But remember that actions cannot be completed on drives that are never re-inserted or given Internet access to "phone home"; this is why permitting offline use is a calculated risk.
Tracking what happened
For many companies, proving that a drive was encrypted or wiped is just as important as actually doing so in a timely manner. Regulatory compliance may depend on it. KRMC Cloud meets this documentation need in two ways: an Audit Log and Historical Reporting.
The Audit Log is a simple time-ordered KRMC event list that can be filtered on record attributes, for example to retrieve all "device registered" events or all events with a given device name. Each record includes a few pertinent details, like the PC name and private/public IP address where a drive was last unlocked. Action events indicate time, type, and target, but we would like to also save the actual action parameters (e.g., to prove what a re-provisioned drive's policy was). We would also like to see audit trail records added for significant events by users, such as when a drive is wiped due to repeated login failure.
According to Kanguru, Audit Log records remain accessible to KRMC Cloud customers indefinitely. But nothing lasts forever, so our advice is to periodically export your account's Audit Log records to XLS files for local archival. Exported records might also be used to generate home-grown reports or fed into external systems (e.g., inventory databases).
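One way to build the kind of home-grown report suggested above, as an added example that is not Kanguru's code: it lists drives that still have an unexecuted action and have not checked in recently, which is the lost-drive case the built-in charts cannot drill into. It assumes the XLS export has been saved as CSV; the column names (timestamp, event, device) and event labels are hypothetical stand-ins for the real export layout, and the sample rows are constructed.

```python
import csv
import io
from datetime import datetime, timedelta

# Constructed sample rows; column names and event labels are assumptions,
# not the real KRMC export layout.
SAMPLE_EXPORT = """timestamp,event,device
2010-06-01 09:00,device registered,KDE-ALICE
2010-06-01 09:05,device registered,KDE-BOB
2010-06-03 14:10,device unlocked,KDE-ALICE
2010-06-20 08:30,action added: Disable,KDE-BOB
2010-06-28 17:45,device unlocked,KDE-ALICE
2010-06-29 10:00,action added: Reprovision,KDE-ALICE
2010-06-29 16:20,device unlocked,KDE-ALICE
2010-06-29 16:20,action completed: Reprovision,KDE-ALICE
"""

def stale_drive_report(export_text, now, max_silence=timedelta(days=14)):
    """Per drive: last check-in, actions still pending, and whether it is overdue."""
    last_seen = {}   # device -> time of the last event that implies a check-in
    pending = {}     # device -> actions added by the admin but not yet completed
    for row in csv.DictReader(io.StringIO(export_text)):
        when = datetime.strptime(row["timestamp"], "%Y-%m-%d %H:%M")
        device, event = row["device"], row["event"]
        pending.setdefault(device, [])
        if event.startswith("action added: "):
            # Admin-side event: it does not prove the drive was online.
            pending[device].append(event.split(": ", 1)[1])
            continue
        if event.startswith("action completed: "):
            name = event.split(": ", 1)[1]
            if name in pending[device]:
                pending[device].remove(name)
        # Registration, unlock and action completion all imply a check-in.
        last_seen[device] = max(when, last_seen.get(device, when))
    report = []
    for device in sorted(pending):
        seen = last_seen.get(device)
        overdue = seen is None or now - seen > max_silence
        report.append({"device": device, "last_seen": seen,
                       "pending": list(pending[device]), "overdue": overdue})
    return report

def drives_needing_attention(report):
    """Overdue drives with an unexecuted action: the lost-drive risk case."""
    return [r["device"] for r in report if r["overdue"] and r["pending"]]

if __name__ == "__main__":
    print(drives_needing_attention(stale_drive_report(SAMPLE_EXPORT, datetime(2010, 7, 1))))
```

A drive that shows up in this list with a pending Disable or Delete action and offline use permitted can still be unlocked wherever it is.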
KRMC Cloud also provides a modest set of graphical reports: basic bar and pie charts that deliver high-level statistics for a given date range. Examples include # of drives registered per month, # of actions or logins per drive, total # of actions or events by type, and # of drives that have not "phoned home" lately (a complete list appears under "Resources" in Figure 3). Hovering over any point displays X/Y values, but you can't drill down to obtain further detail or generate reports for a specific drive, user, or group. These attractive-but-superficial reports would be a lot more useful with just a bit of filtering or drill-down. Export to PDF would also be handy.
KRMC Cloud Edition is a new offering, launched this spring. Thus we were not surprised to find a couple of bugs. An extra unlicensed drive entry mysteriously appeared in our KRMC Cloud My Devices list; Kanguru is investigating. Our registered devices report always depicted just one drive, long after we'd activated a second drive. These problems were minor, limited to GUI presentation, not secure drive use or remote policy enforcement.
Throughout this review, we note "wish list" items: places where KRMC Cloud Edition takes a solid stab at meeting SMB needs, but could be enhanced in a future release. In short, KRMC Cloud is an entry-priced public cloud service, designed for small businesses that need to get the basics working quickly and worry about frills at a later time.
That said, it is essential for any business considering a service like this to understand both benefits and limitations. Fortunately, cloud delivery is ideal for "try before you buy." Anyone getting started with thumb drive security can try KRMC Cloud at little expense, conducting a small pilot to learn the ins and outs of centrally-managed encryption, lock/wipe, and auditing. Larger businesses considering on-premise deployment can test drive Cloud Edition to assess the value of hosting KRMC and add-ons like port control, and also to test KRMC and KDE for compliance with their own security requirements.
SMBs that are very security-sensitive may not be comfortable with a public cloud service, or without the ability to centrally-initialize drives or control USB ports. KRMC Cloud Edition can be used with a large number of KDE drives, but larger workforces may require more drive/OS diversity and management scalability. But in our view, many smaller businesses worried about thumb drive security can quickly and painlessly address those concerns by investing in KDE drives and KRMC Cloud Edition.
Bio: Lisa Phifer owns Core Competence, a consulting firm focused on business use of emerging network and security technologies. Since 1997, Lisa has been involved in mobile workforce policy development and best practices, ranging from wireless/VPN security to portable data defenses.