Establishing Digital Trust: Don't Sacrifice Security for Convenience
Price: $479 (on 8GB M500 drive)
Pros: Fast, host-adaptable, many auth options, scalable provisioning, multi-user support
Cons: No usage tracking, secure data partition inaccessible, wipe requires management serverhttps://o1.qnsr.com/log/p.gif?;n=203;c=204650394;s=9477;x=7936;f=201801171506010;u=j;z=TIMESTAMP;a=20392931;e=iMany workforces could benefit from trusted computing environments that are safe, portable, and carry along each user's personality (i.e., files, apps, settings). Gartner divvies available solutions into two broad categories: device-based (e.g., PC-on-a-stick, virtual machine) and portal-based (e.g., virtual desktop, cloud service).
But using these solutions can present thorny challenges. A host-installed VM isn't very portable. A cloud service can't be used offline. And PC-on-a-stick can be slow and incompatible with host hardware. With Stealth ZONE Secure USB Desktop, MXI addresses the latter, using an encrypted flash drive with speedy BlueFly processor to boot a PC-adapted, IT-customized Microsoft Windows Embedded Standard image.
The Stealth ZONE's objective: Carry your own self-contained, IT-managed, trusted environment on a flash drive that lets you work safely and effectively on any PC without threat exposure or data leakage. During this review, we used a Stealth M500 USB with Stealth ZONE to run our own trusted desktop on several enterprise, personal, and public PCs with very few glitches.
Under the covers
Portable secure storage runs the gamut from BYO-USB software (e.g., EncryptStick) to purpose-built hardware (e.g., Kanguru Defender). Stealth USB drives fall in the latter camp, delivering chip-based FIPS 140-2 Level 3 AES crypto, NIST SP 800-56A pairwise key exchange, and multi-factor authentication options. All Stealth drives are tamper evident and dust/waterproof; some even have metal enclosures.
Stealth ZONE Secure USB Desktop builds on this Stealth drive foundation. We tested Stealth ZONE v0.9 beta with password authentication on a 16 GB M500 drive (MSRP $559). For an on-board fingerprint reader, run Stealth ZONE on an MXP Bio drive, enabling two or even three-factor authentication (e.g., PKI token, RSA SecurID soft token, OATH OTP). All Stealth drives can optionally be paired with Common Access Card (CAC) or Personal Identity Verification (PIV) card readers; MXP drives even have dedicated X.509 certificate key containers.
Stealth drives can be IT-administered using MXI provisioning and management products – most notably ACCESS Enterprise. We could not test ACCESS Enterprise, but evaluated how this life-cycle manager supports Stealth ZONE. Our conclusion: anything more than a small or pilot Stealth ZONE deployment really needs ACCESS Enterprise. Volume discounts and bundles tailored to each customer make a "typical MSRP" hard, but here's one example: 1000 Stealth ZONE 8GB M500 drives with ACCESS Enterprise would run about $530K.
To use a provisioned Stealth ZONE, just plug the drive into any USB port on a host PC. BIOS options may need to be changed if the PC is not set to boot from USB – for example, moving USB ahead of HDD in the boot device list. When the PC boots from the Stealth ZONE drive, it loads a pre-authentication environment with three choices: boot a generic profile, boot an adapted profile, and enter maintenance mode.
Choosing any profile boots up a Microsoft Windows Embedded Standard (MWES) desktop, provisioned onto the drive, personalized for each user, and safely stored in an encrypted partition. Up to ten users can share the same Stealth ZONE; pre-boot authentication loads each user's own desktop. In fact, pre-boot runs MWES from a read-only "surrogate user" partition that cannot be seen or modified by anyone. As each end-user authenticates, the surrogate unlocks an encrypted desktop partition linked to that user's account. This insulates users from each other, as well as from anyone who picks up and browses a lost USB.
We logged into pre-boot auth by password, subject to provisioned policies regarding length, complexity, etc. Depending on drive model, IT can require other pre-booth authentication methods, such as a fingerprint or CAC/PIV card swipe in combination with PIN. If a user forgets his pre-boot password, a rescue tool can reset it (when using ACCESS Enterprise, remotely).
Once the user's desktop is unlocked, the OS is booted natively – this is NOT a virtual machine, running under a hypervisor. Rather, the user's environment consists of a provisioned MWES image, largely locked down to prevent OS corruption or modification. This approach stops users and malware from relaxing security settings, installing Trojans, or making other risky changes. Every time you boot Stealth ZONE, you're guaranteed to start with the same trusted OS image – no matter where you might have used it in the past.
Adapting to hardware
Anyone who has booted from USB knows that we skipped over common hurdles. So let's start with BIOS dependencies. We tested Stealth ZONE in eight (8) hosts, including IT managed, personal, and hotel PCs. One four-year-old PC could not boot from USB at all; another hotel PC had its BIOS locked. The rest could boot Stealth ZONE from USB – two after BIOS changes. This is not a statistical sample, but offers insight into cases where Stealth ZONE could be a non-starter.
During pre-boot, choosing the generic profile is the fastest way to load a desktop environment. Delay was more obvious on faster CPUs, but we found booting and running from Secure ZONE almost as fast as booting/running from HDD on most PCs.
The generic profile is ideal for booting on public PCs, except that almost everything we'd do there requires Internet access and that profile does not load drivers for machine-specific devices like network adapters and video cards. Thankfully, the generic profile offers one option – enable network support – which causes Stealth ZONE to auto-detect and load drivers for that PC's network adapters. The resulting connections aren't persistent; they won't be there the next time you boot. This option is an excellent compromise between having no Internet access and delay incurred by full-blown host adaptation.
That's because the latter is an extensive, time-consuming process that produces persistent results: an adapted profile for each machine (see below). The good news: Adaptation is heavily automated, requires no PC knowledge, and renders each PC as usable as if you were booting from HDD. The bad news: Our adaptations ran from 20 minutes to over an hour, required multiple user interactions, and would not complete on one of the PCs where we could pre-boot.
Host adaptation is very powerful (even essential) for using Stealth ZONE on the same PC repeatedly – such as working on home PCs shared by family members who download who-knows-what. But note that each Stealth ZONE can only be adapted to a limited number of machines, shared by all users of that drive, selected from a list displayed during pre-boot.
But how do you enable IT changes to each Stealth ZONE desktop environment, like installing desired business apps, applying Active Directory group policies, updating anti-malware signatures, and installing OS patches? After all, a useful trusted computing environment requires a lot more than an off-the-shelf OS image.
This is where maintenance mode comes into play. When users boot a generic or adapted profile, recall that they boot a read-only OS image. If a user has permission to install an app or write a file to C: or configure Wi-Fi settings, those changes won't be there after reboot. In fact, the only changes that persist across reboot are those written to the user's Documents and Settings folder.
However, when a user boots up in maintenance mode, these "write filters" are disabled, making it possible to install apps or printers, create folders and files in other locations, change registry keys, etc. When that user next reboots using a generic or adapted profile, those apps and printers and folders will all still be there.
We used maintenance mode to customize our desktop and install several apps. Our Stealth ZONE was supplied with a single Windows user: administrator, no password. Thus, we had free reign to install anything in maintenance mode. In real life, IT would configure a Stealth ZONE with real user accounts (possibly from Active Directory) and appropriate policies, thereby controlling changes that each user can make in maintenance mode. In short, users can do the same things when logged into Windows, whether booted from HDD or Stealth ZONE maintenance mode.
Manually refining a default image in maintenance mode may be ok for small deployments. Our Stealth ZONE arrived with MWES, Microsoft Office 2003, Adobe Acrobat Reader, QuickTime, and SilverLight installed. That suited us, although we were surprised to learn that MWES is the only supported OS. Microsoft does not currently allow any other OS to be booted from MWES, so you cannot (yet) create a portable Windows 7 Enterprise desktop using Stealth ZONE.
However, MWES is now being sold to the government and public sectors; it will eventually be rolled out to enterprises too. These can be very large organizations, with hundreds or thousands of users. How would you provision and manage that many Stealth ZONEs using maintenance mode?
You wouldn't. Stealth ZONE fits into a scalable infrastructure which uses a hardware appliance for bulk provisioning and ACCESS Enterprise for life-cycle management. In this process flow, maintenance mode is only used for creating an organization's "golden image" on a factory-fresh drive and as-needed per-drive tweaks.
- The provisioning appliance is a Linux server that imports a locked Stealth ZONE golden image to provision up to 28 USB drives in parallel. The appliance produces cloned drives that are encrypted with 256-bit AES and locked with a pre-issuance password to deter tampering and piracy. Only admins with that password can unlock cloned drives when the time comes to issue and personalize them using ACCESS Enterprise.
- ACCESS Enterprise is server software used to centrally-initialize, issue, manage, and (eventually) recycle Stealth drives, including those running Stealth ZONE. First, policies are configured into ACCESS Enterprise (e.g., pre-boot password rules). Second, provisioned drives are issued to users who complete device registration and initialization. Finally, each user personalizes his device by enrolling a pre-boot user account and credentials (e.g., password, fingerprint, PIN). Now the Secure USB desktop is ready for use.
Our set-up differed because we did not test ACCESS Enterprise. Instead, we received a drive provisioned with a default beta image. We mounted that drive's secure storage partition, ran a personalization wizard (below), entered a supplied surrogate password, and completed a custom initialization process where we had a chance to fiddle with default policies before completing single-user account enrollment. Thereafter, we had no way of changing policies or recycling our own drive because such tasks can only be completed using ACCESS Enterprise.
This is why we think that most Stealth ZONE deployments will need to invest in ACCESS Enterprise. Organizations concerned enough about security to invest in Stealth ZONE probably want to control their own images and pre-boot policies and recycling, as well. ACCESS Enterprise is also needed by those who want to initialize per-user credentials, such as digital certificates or RSA SecurID soft tokens and report on issued devices/users. We noted that ACCESS Enterprise does not currently provide on-going Stealth ZONE usage logging or remote kill, but MXI said these important features are already being added to next month's release.
Reading the fine print
By combining Stealth ZONE with Stealth drives, ACCESS Enterprise, and a provisioning appliance, MXI has assembled several essential pieces into a fairly cohesive whole. However, there are nuances about running a Secure USB Desktop that might not jump out until you use one.
For example, injecting pre-boot authentication can mean that users must log in twice, using different accounts and credentials. On most PCs, we logged into pre-boot using the Stealth ZONE password created during drive personalization. We then logged into MWES using a Windows account password. But one laptop required pre-boot fingerprint authentication, using that PC's embedded reader. There we had to swipe a finger before entering our Stealth ZONE pre-boot password, then swipe a finger again before entering our MWES password. Cases like these must be considered when deciding what authentication(s) to require for pre-boot and how to reduce logins. For example, MWES login could use a certificate stored securely on the Stealth drive to be user-transparent. Although MXI has an Enterprise Single Sign On solution, it does not currently apply to Stealth ZONE.
Note that, when booting from USB, you cannot use that drive as a secure portable storage device. When we inserted our M500 into an already-booted laptop, we could unlock and drag-and-drop files onto its encrypted data partition. However, when booted from our M500, that partition could not be mounted or unlocked. This is said to inhibit data leakage by preventing users from dragging files to and from other PCs, but users will just find other ways to move files – like email or another USB stick.
When carrying a portable secure desktop, users will want some data to persist. For example, if Outlook is used to sync with a Microsoft Exchange server, users probably want attachments to remain (e.g., for offline use). If users add favorites to Internet Explorer, they should stick around. Stealth ZONE meets both of these needs because the affected files are stored in the writable user tree. But what if you frequently use a site that needs a new version of Flash or Acrobat or your Wi-Fi requires a password? Sorry – you must use maintenance mode for these changes to persist.
Stealth ZONE insulates users from threats posed by each PC (including files stored on that machine's HDD). Not only won't malware jump onto your USB, but your USB won't leave temp files behind on the PC. But what about temporary malware exposure inside a secure desktop environment, during any given session? To address this concern, MXI sells an optional on-board anti-virus scanner for Stealth drives (including Stealth ZONE). We did not test this option, but believe some type of persistently-updatable anti-malware is essential for all Stealth ZONE deployments.
This brings us to the question of on-going desktop maintenance. According to MXI, any update to the MWES OS would be done using Microsoft System Center Configuration Manager (SCCM) or Windows Server Update Services (WSUS) in the usual fashion. For example, OS patches would be downloaded to a WSUS server and pushed to deployed desktops. However, application updates (like anti-malware) must be done as administrator in maintenance mode using SCCM.
Finally, Stealth ZONE claims to use each PC's keyboard, mouse, and monitor (but not HDD) without adaptation. However, our Stealth ZONE had trouble detecting a Logitech wireless keyboard/mouse when booting from one docked laptop. On the other hand, Stealth ZONE's secure pairwise key exchange deters USB replay and MitM attacks, which can be significant threats on public PCs.
In a nutshell
We tested a beta Stealth ZONE that was surprisingly stable, generating just two obvious bugs (a spurious disk error and one PC that just couldn't boot MWES). Overall, hardware compatibility was better than expected, but not entirely without room for improvement. We were unable to test MXI's management offerings, but provisioning and initialization flows appear to be well thought out. ACCESS Enterprise updates will soon backfill the biggest management gaps we noted: usage reporting and remote wipe. A cloud service to make these available in small deployments would be a nice addition.
Security features and supported permutations (especially authentication methods) appear robust. However, it is easy to get lost in a maze of models and features; prospective customers should work with MXI to clearly identify needs and match them to drives and other options. Finally, Stealth ZONE's exclusive tie to MWES could be a barrier for organizations that can't or don't want to support that OS.
Ultimately, we found using Stealth ZONE fast and efficient – enough so that many teleworkers and travelers and other offsite workers would probably use this Secure USB Desktop without complaint. Network connections are easy. Cameras and microphones and good quality video are available, given enough time to run adaptation. Applications run well and preserve essential user data, although browser plug-ins won't persist without a trip into maintenance mode. Oh – and all of this is done safely, so that users don't have to worry about dropping their Stealth ZONE in a parking lot or conducting financial transactions on a hacked PC. We think this is a pretty compelling case for many businesses and worthy of risk vs. cost analysis.
Lisa Phifer owns Core Competence, a consulting firm focused on business use of emerging network and security technologies. Since 1997, Lisa has been involved in mobile workforce policy development and best practices, ranging from wireless/VPN security to portable data defenses.
Find more reviews here.
Follow eSecurityPlanet on Twitter @eSecurityP.