IronKey USB Flash Drives Prove Their Mettle

Sturdy and secure USB flash memory storage solution is rapidly deployable with a SAAS-based configuration and management tool.

IronKey has built its Enterprise D200 and S200 USB flash drives to withstand just about anything thrown at them. And I made it my goal to find out how much of a beating they could actually take.

The USB flash drives are rugged, waterproof to MIL-STD-810F specifications and meet Security Level 3 of FIPS 140-2. A tamper-resistant and tamper-evident design houses flash memory storage and a crypto chip, which provides AES 256-bit encryption in CBC mode.

For those who are price sensitive, the D200 series uses MLC flash memory, while the S200 series uses SLC flash memory to provide faster performance and longer data life. Both series share the same physical characteristics. The S200 is priced at $79 for a 1GB model, $199 for 8GB and $299 for 16GB. The D200 is priced at $99 for a 4GB model, $129 for 8GB and $299 for 32GB. The management service costs $24 per user per year.

The IronKey drives are extraordinarily solidly constructed of flash memory embedded in military-grade epoxy wrapped in a single-piece aluminum casing. To put it concisely, I beat the hell out of these things. I blame IronKey for encouraging me by sending me seven test units. I felt like I should just keep finding new ways to torture them.

The hardware didn't flinch when thrown off the roof of a four-story building, spiked down a flight of stairs, put through the dishwasher and anchored under Barnegat Bay for a month. The body took the blow of a 20-pound weight, although the cap did split open after a direct shot. The USB connector, however, was undamaged.

I broiled the device in the toaster oven at 325 degrees for 15 minutes, at which time the plastic over the "in use" LED melted into a brown gooey mess. I allowed the drive to cool to room temperature and then plugged it in, and it didn't work. Fascinatingly, a cheap USB drive did work after being subjected to the same broiling. IronKey specifies maximum operating temperature at 70 degrees C, or 158 degrees F, which is reasonable; exposing the hardware to such heat would be a rather unusual use case.

IronKey provides a hosted (SAAS) management solution for enterprise customers to enroll, deploy and manage devices once they create an online account. The company does provide an on-premises software solution, but since, according to IronKey, most of its clients opt for the online service, I chose to review that. First I created a management account and a default security policy. Then I enrolled devices based on serial number in the management console and applied a security configuration prior to deploying to end users. Devices are shipped with bar codes etched into them that are mapped to serial numbers stored on the device to enable rapid deployment and asset tracking. Units can go very quickly from their boxes to providing users with preconfigured and secure portable storage environments.

The device can be configured not only to provide encrypted storage but also to defend itself. I installed the Silver Bullet Service, an optional management feature that checks and applies security policy from the IronKey server over the Internet when a drive is connected and log-in is attempted. With the Silver Bullet Service, I configured drives to deny access if the security policy could not be accessed online, to lock out the user, or to issue a self-destruct command, and verified that each setting worked. In the self-destruct case, the crypto chip is destroyed and the data is deleted from the flash memory.

I easily placed restrictions on location based on the network the host is connected to when the device is attached. This could be useful in a situation where employees can use devices at work but not on the road or at home. Configuration options are extensive: The device can be set to pull a configuration script from a URL or to route all traffic through a proxy, where the traffic can be secured and audited. On a device or group basis, I could prevent read and/or write, and applied Lockdown Autorun to prevent executables from running on the drive. Between read-only and preventing executables from running from removable media, I had the beginning of a larger anti-malware campaign.

There are tools to help create secure backups either on the drive or from the drive. These can be preconfigured by an administrator or manually invoked by the user. From the management console, it was very easy to choose which features and applications to deploy to individual units. I chose to deploy the full suite, but could just as easily have deployed the units as storage only.

When I plugged in the D200 (or S200, they are functionally the same), I went to My Computer, double-clicked IronKey Unlocker and then double-clicked IronKey.exe to launch the IronKey Control Panel. Secure versions of applications such as Mozilla Firefox can be run from the S200. First-time users can orient themselves rapidly by reading the PDF "IronKey Enterprise User Guide." Identity Manager stores and protects usernames and passwords, either automatically as each site is visited or manually keyed in and saved. A virtual keyboard pops up on-screen whenever a user is prompted for a password to prevent keyloggers from stealing them. I enjoyed being able to toggle Secure Sessions on and off with a single click from within Firefox. Toggling this switch enables Tor (The Onion Router), an open-source HTTP proxy that renders user IP addresses untraceable, and therefore safer from attacks. There's nothing saved to the drive and nothing run from the drive, Firefox is proxied through Tor, and your users are looking pretty clean in the outside world.

Performance for the D200 was rated at up to 25MB/s read and 17MB/s write. The best result obtained through ATTO Disk Benchmark was 27.5MB/s read and 11.3MB/s write. I copied a 700MB file to the drive in 71.9 seconds (9.7MB/s) and back in 30.0 seconds (23.3MB/s). For the S200, the device is rated at 27MB/s read and 24MB/s write, a significant difference from the 26.9MB/s read and 14.5MB/s write that I measured in ATTO. I copied a 361MB file to the S200 in 30.5 seconds (11.8MB/s) and from the S200 in 17.8 seconds (20.2MB/s). These are very respectable numbers, although it is worth noting that write speeds are well below the manufacturer's ratings. For reference, a "normal" or "el cheapo" USB stick does 24.0MB/s read and 6.6MB/s write in ATTO.

IronKey is compatible with a wider variety of operating systems than the competition, such as Windows 7, Vista, XP SP2 and 2000 SP4; Mac OS X 10.4+; and Linux 2.6+. I had no problem using the S200 on various flavors of Windows and Linux. For a far-flung enterprise, this is significant: A device could be preconfigured and prepopulated with important information, mount on just about anything, and run its own secure environment. In my case, I connected my S200, launched Firefox, installed the Xmarks plug-in and had access to all of my bookmarks. I could just as easily have had essential policies, procedures, manuals and other documentation saved to the drive.

Sending field agents a netbook and a preconfigured IronKey is something worth considering if your business or agency compels quick mobilization.