Encryption may end flash drives' exile for good

In late 2008, the Strategic Command’s Joint Task Force-Global Network Operations (JTF-GNO) put in place an immediate ban on the use of flash drives — USB storage devices that have become the modern version of the floppy disk.

Used throughout the Defense Department to physically carry data between systems or transport personal files for use on shared systems, USB drives were at least partially responsible for a rapidly spreading virus attack on DOD’s Secret IP Router Network and Unclassified but Sensitive IP Router Network. On unclassified systems, the virus might have provided a back door for hackers to extract data.

The episode reinforced some of the problems that led to the creation of DOD’s Data-at-Rest Tiger Team (DARTT) and push for wide adoption of data-at-rest solutions to protect sensitive data — especially on laptop computers and removable media. On previous occasions, USB storage devices that contained sensitive data were found for sale in Afghan markets.

In February, DOD lifted the ban on USB drives — sort of. STRATCOM officials issued an order Feb. 12 that allows personnel to use some USB drives in specific circumstances if they follow service guidelines. “All USB storage devices used must be government-procured and -owned,” STRATCOM's message states.

As the military services form their own USB drive policies, a number of vendors are teaming to create USB products that meet guidelines set by JTF-GNO. In response to the concern about the security of USB drives, vendors have engineered devices that automatically encrypt data stored to the devices.

One of those vendors is Mobile Armor, which also holds contracts for data-at-rest protection for the Army and for Navy laptops and desktops that aren't on the Navy Marine Corps Intranet. “The Office of the Secretary of Defense has had [data-at-rest contracts] with Mobile Armor for years,” said Mike Menegay, Mobile Armor’s president and chief executive officer.

Mobile Armor’s solution, Key Armor, combines encryption and virus protection into the USB storage device’s hardware. Key Armor is based on USB hardware from IronKey and SanDisk, Menegay said. And the devices include Mobile Armor’s key management capability and can use authentication from the Common Access Card to determine which policies should be applied to the USB device.

“Those policies are automatically set up for a USB key,” Menegay said. “You don’t need another server. It’s a much more efficient, enterprise solution.”

The same user profile could be used to manage encryption keys and policies for USB storage and encrypted files and full drives on desktop and laptop computers. The policies regarding encryption and access are centralized on a policy server. In conjunction with information from a Common Access Card, it can determine the identity of a user anywhere on the network. When the device is inserted, a network-aware preboot application must complete a protection sequence before the user is allowed to boot the computer.

It's unclear how quickly the military services will adopt these types of USB storage devices because the JTF-GNO is leaving choices about requirements to the services. But considering that data-at-rest protection is still not 100 percent deployed to mobile computers at DOD, it might be some time.

In February, the Air Force decided to continue its USB ban. DOD "banned flash media devices over a year ago due to network threats," said Maj. Gen. Michael Basla, Air Force Space Command vice commander, in a statement. "These threats have not disappeared. There are a number of military and government agencies working to mitigate these threats. The Air Force will be a partner in these mitigation strategies as we work to allow the limited use of flash media for mission-essential requirements.”

"What we do not want is airmen thinking they can go out and buy a thumb drive or USB or any flash media device and start using it," said Lt. Col. Donovan Routsis, Air Force Space Command net-centricity division deputy chief. "In all reality, even when a policy is in place, that will still not be permissible. The use of any flash media device will only be authorized for mission-critical requirements and will be strictly managed."