IronKey

Mobile Data Security Blog

Home  »  Archive by category "Encryption"

by

LATEST DATA BREACH: EVERY U.S. FEDERAL EMPLOYEE AFFECTED

 

Our special guest blogger is Tav Venia, an IronKey sales engineer, who is based in the Washington DC area and serves our Federal and Enterprise clients. 

Unfortunately, we’ve all heard about the hack on the personnel records and social security numbers for more than 4 Million+ Federal Employees at a U.S. Government Agency.  Data lost, stolen, or hacked:  it just represents another failure to protect our federal data.  For this, and many other reasons, now more than ever it’s imperative that all types of data is securely protected— federal, classified, FOUO (For Official Use Only), defense, employee, personal, etc.   Now is the time to get out in front of any and all possible threats and attacks to assure ourselves that our data is safe and secure from what can turn into “Tomorrow’s Headline”.   

Government employees are more mobile— working in the office, in the field and from home— which increases the potential for even more data exposure risks.  The ability to securely store and transport data while on the move is a necessity.  As the Federal Team Sales Engineer, I see how our U.S. Government and Agency customers are using the IronKey™ line of hardware encrypted hard drives to securely store and protect their sensitive information, among many, many other reasons.  But with the release of our newest hard drive, the IronKey H350, government agencies can enjoy the speed and performance advantages of USB 3.0 technology while realizing the benefits of the world’s most secure USB devices including FIPS 140-2 Level 3 certification, AES-XTS 256-bit hardware encryption and centralized management.    

Our customers can now save, backup and move data wherever they may be much more rapidly taking advantage of the USB 3.0 speeds.  As technology advances, data files are exponentially growing in size, the ability to securely store and move data quickly and efficiently from the field back to the government or agency office is of even greater importance.  Forgotten password?  No worries. On managed enterprise hard drives, IronKey provides the only secure password reset mechanism that allows users to recover data without erasing the contents on the drive or using a backdoor to reset the password.  Additionally, when data is not being access or used, the IronKey H350 can protect and secure Data At Rest (DAR), another use case of importance to our U.S. Government and Agency customers.  

Personally, with my job, I am constantly on the move traveling from place to place.  I use the IronKey H350 to back up all of my laptop data because we have all been there when Windows crashes and/or becomes corrupted giving us the Blue Screen of Death (BSOD) rendering our data lost and unrecoverable.  This can be a result of a Windows error or a simple drop of your laptop which damages the hard drive.  I don’t ever want to be caught in a situation where I don’t have a backup of my data.  Thanks to my IronKey H350 USB 3.0 hard drive, it now takes less than an hour to back up all of my data, a process that used to take many hours using a USB 2.0 Hard Drive.

by

IronKey eUSB for ePO is Now McAfee SIA Certified

Recently I blogged about IronKey’s release of IronKey™ eUSB for McAfee ePolicy Orchestrator (ePO), an extension for ePO that provides administrators the ability to deploy and manage IronKey hardware encrypted devices. Well today we have even better news. The IronKey eUSB for McAfee ePO is now officially certified by McAfee Security Innovation Alliance (SIA). This in-depth certification process involves testing the product and reviewing the underlying code, which provides McAfee ePO managers the piece-of-mind of having a third party validate usability and compatibility for even the largest deployments.

Here at IronKey we are thrilled by this SIA Certification.   As noted by Intel Security Senior Vice President Tom Fountain, “The combination of ePolicy Orchestrator software and IronKey hardware-encrypted USB drives means our joint customers have what we believe is the best secure, managed data-transport solution available.”

So why should you be investing in hardware encrypted storage?  Today, having hardware encrypted devices is the best way to keep your data secure when roaming.  If the device is lost, misplaced or stolen, you have a double layer of security making your device impregnable – not to mention a centralized management control system that can actively destroy data when needed. Also, you can optionally run McAfee anti-virus to validate the fidelity of files stored on IronKey devices providing an additional layer of security.

Some wonder if it is worth the investment in having a hardware encrypted device that can run AV software. The answer is yes – the cost of a high security device easily outweighs the potential cost of a data breach. Ponemon Institute noted that the average cost of a data breach is $5.9M and the associated loss of business was $3.2M. Another recent survey published by SANS showed respondents ranking with the greatest exposure was malware, introduced by unmanaged devices at 13.6% and with unencrypted USB devices closely following at 8.9%.

Health and Human Services also had some shocking data points:

    • Blue Cross and Blue Shield of Tennessee lost 1M+ records due to unencrypted hard drives
    • Alaska Department of Health and Human Social Services paid a nearly $2M settlement due to data lost on an unencrypted USB flash drive
    • A company called Adult & Pediatric Dermatology lost 2,200 patient records due to an unencrypted USB flash drives

So if you’re an ePO administrator, there is good news for you. Don’t risk the cost of a data breach and use the newly certified IronKey eUSB for ePO by Intel Security. You will be thrilled in adding world class hardware encrypted storage devices and having the capability to manage them easily from your ePO console.

by

Keeping Patient and Hospital Information Safe

In September 2014, Forrester Research published a brief titled “Stolen and Lost Devices Are Putting Personal Healthcare Information at Risk”. Amongst the findings were two important trends:

Healthcare is becoming more mobile – approximately one-third of healthcare employees now work outside the office or clinic at least once a week.

Healthcare records are five times more likely to be lost due to device theft or accidental loss.

Today, personal healthcare information (PHI) records are more accessible than ever before. These PHI records contain important personal information such as social security numbers, medical history, and insurance information. Technological progression in the medical world is giving us advancements such as real time medical data on our smartphones and mobile messaging systems so hospital staff can get to patients faster. Although this progression is exciting, with all of this patient information floating around in technology, it makes it harder to keep our data safe.

With so much mobility, it’s not surprising that data protection has become a big problem. Mobile devices are simple to carry from one workplace to the next, but they can be easy to lose. To protect our data, we need a way to prevent unauthorized people from accessing the content of a lost or stolen device.

The solution is to use encrypted USB or external hard drives, such as the new IronKey™ S1000 3.0 USB. These secure storage devices combine encryption, which encodes data, making it unreadable to all but authorized users, with cloud-based management functionality that enables an organization to remotely wipe data from a device even if it is no longer in their possession.

Healthcare facilities need to address the realities of mobile work practices but they also need to protect the information in their care. The task is made a lot easier with a good device policy and the right tools.

by

Majority of Healthcare Breaches Are Due to Loss or Theft, Not Hackers

I just recently read an article about how a healthcare organization lost backup hard drives containing personal information on nearly 40,000 of its clients. To make matters worse, the article stated that there was “no mention of strong encryption being applied to the records, implying that they were stored relatively insecurely.” WHAT?  I shake my head in frustration because there is a simple solution. Why don’t more healthcare companies deploy secure USB?

You might be surprised to know that the majority of breaches come from lost or stolen devices, not hackers. In fact, sixty-eight percent of all healthcare breaches are from loss and theft. This leads me to conclude that most healthcare companies insecurely store, and therefore risk losing their clients protected health information (PHI) such as birth dates, medical records, and Social Security numbers.

Sadly, it looks like this trend won’t be ending anytime soon.  A recent healthcare data breach forecast predicted that employees (not hackers) will continue to be the greatest threat to securing healthcare data including PHI.  The forecast goes on to say that despite all signs pointing to employees as the largest threat to a company’s security, business leaders will continue to neglect the issue in favor of buying more “appealing” security technologies aimed at preventing intrusions from outsiders in 2015. (sigh)

So here’s the good news – there is a workable solution that’s easy for healthcare organizations to implement. One simple, affordable option is to store PHI and other confidential data on a portable, encrypted external hard drive or USB instead of storing data directly on the laptop.  There’s a class of readily available hardware encrypted devices that are virtually unhackable and can be remotely wiped should they be lost or stolen.  And, these drives deploy the highest standards of protection with AES-256 encryption.   These highly secure drives even protect data and applications from malware like BadUSB. And their rugged design makes them nearly indestructible.  They’ve even been known to survive an autoclave! 

IronKey™ offers the most secure storage solutions and mobile workspaces available.  So, don’t be tomorrow’s headline.  Check out our healthcare security solutions today.

by

Could You Pass a Privacy Audit? Healthcare and Australia’s Privacy Regulations

 

Our special guest blogger, Elizabeth Parsons, is based in Melbourne and is responsible for growing the Imation Mobile Security business in Australia and New Zealand.  

Last year the Australian Federal Government ushered in a new set of Australian Privacy Principles (APPs) and in the process, dramatically overhauled the obligations of organisations regarding the collection, use, storage and security of personal data.  The changes were expected to have a big impact on data handling within the healthcare industry, as the regulations particularly targeted all Australian Government agencies, businesses with a turnover of more than $3 million or trade in personal information, and private health service providers.

Twelve months on, it’s timely to consider how well your organisation has responded to the new requirements, and to ask yourself:  Would your organisation pass a privacy audit if one was held tomorrow?

The Basics

One of the first changes that should have been introduced by every facility or institution is an updated, accessible privacy policy. This should advise individuals of your obligations, the kind of personal information collected, how it is collected, the purpose for collection, how an individual can access that information, and how they can make a complaint about any breaches of the APPs.

Following on from this, every organisation should also now have an internal guide to privacy compliance.  The aim of this is to ensure that the staff will understand the legal requirements when dealing with personal data. It should also articulate the organisation’s own rules and processes relating to collection and storage of data.

The Problem of Security

One of the most critical obligations under the APPs is security.  The eleventh privacy principle states:

“If an APP entity holds personal information, the entity must take such steps as are reasonable in the circumstances to protect the information:

(a) from misuse, interference and loss; and

(b) from unauthorised access, modification or disclosure.”

And it’s here that, even today, many healthcare organisations find their privacy efforts falling short, because keeping data safe from accidental loss or malicious activity such as viruses, worms and hackers isn’t always straightforward or easy.

While most organisations have measures in place to secure data on the network, the main area of vulnerability is mobile data.  When a clinician carries patient data on their laptop from their consulting rooms to the hospital, what happens if the laptop is stolen?  Or when a USB stick is used to send information from one facility to another, what is the outcome if the USB is dropped and lost?

No matter whether confidential information is breached due to theft, malware, spyware, or just a simple accidental loss, there are serious consequences. Since 2014, failure to comply with Australia’s new privacy laws can leave an organisation liable for a fine of up to $1.7 million.

Doing away with mobility is not the answer.  The efficiencies and improvements to health outcomes arising from a more mobile health force are too great to ignore. Therefore, it’s clear healthcare facilities have to find a way to keep mobile data safe.

A Two-pronged Response

The solution is to adopt a two-pronged approach to mobile data security by only using drives that offer encryption supported by data management.

Encryption involves coding data on the drive so it remains unreadable to anyone who doesn’t have the right “key”.  If the USB or hard drive is lost or stolen, the contents remain obscured and inaccessible. One of the most appealing aspects of encryption is there are no technology barriers to its adoption, and compared to the cost of a data breach, the investment required is relatively insignificant.

The second part of the approach is a management capability that brings control to the data on the device.  For example, at some stage an employee will forget their password, rendering them unable to access the corporate network. With the right management capabilities, IT can not only reset the password but when the user logs on, they can cross-reference the IP address of their machine against a map in order to ascertain if the person is indeed who they say they are. If IT has any suspicions, they can remotely wipe the hardware device that the employee is working from and kill all encrypted data.  Management functions also enable IT to force a device to be in read-only mode, remotely make password changes and re-commission devices that are no longer in use.

Together, encryption and management ensure confidential and private information on USB and external drives to remain protected, even if the drive is lost or stolen and lands in someone else’s hands.

The 2014 changes to Australia’s privacy regulations have put the data management practices of Australia’s government agencies and private sector organisations under the spotlight. For the healthcare industry, securing confidential patient data has never been more important with the increasing amount of records being transferred to electronic records. Achieving the necessary degree of security requires more than good intentions. It demands a comprehensive mobile security solution built around strong encryption, robust identity management, and policy-based data management.

 

by

Introducing the IronKey S1000 USB 3.0 Storage Drive

 

Meet the newest addition to the IronKey™ secure storage family of flash drives:  The IronKey S1000.  Building upon IronKey’s history of providing the world’s most secure USB storage devices, users now have a choice between IronKey’s industry-leading USB 2.0 and 3.0 devices.  Check out some of the highlights of the IronKey S1000:

Blazing Fast USB 3.0 Performance

Realize read speeds of up to 400 MB/sec and write speeds up to 300MB/sec. That’s double the performance of competing hardware-encrypted USB 3.0 flash drives and up to 10x faster than a USB 2.0 drive. Storage size has doubled too, with capacity up to 128GB.

Strongest USB Security Available Today

The S1000 protects files with Federal Information Processing Standards (FIPS) 140-2 Level 3 and National Institute of Standards and Technology (NIST)-approved XTS-AES 256-bit encryption, ensuring compliance with the most stringent government and industry regulations while allowing workers to remain mobile.  As with our other products, the S1000 requires code signing for firmware updates  and protects against attacks such as BadUSB and now the most recent Equation Group hard drive attacks to which other USB vendors are vulnerable.

Additionally, the IronKey S1000 military-grade, ruggedized design resists physical tampering and will self-destruct if unauthorized attempts to physically obtain access to the data are made.

Backed by a Lifetime Warranty

Our products are built to last.  They can withstand being run over by a Land Rover and multiple cycles in the washing machine.   In an industry first, we are offering a lifetime warranty for our IronKey S1000 family.  

The IronKey S1000 is available in two versions for maximum flexibility:  IronKey Basic S1000 and the centrally managed IronKey Enterprise S1000. 

Which product should I use?

If you have a desktop, laptop or tablet with USB 2.0 ports, the IronKey S250 and D250 devices are a perfect fit.  But if you have a desktop, laptop or tablet with USB 3.0 ports, you’ll want to look to the IronKey S1000 to take advantage of the faster speeds, enhanced encryption and the lifetime warranty.   

by

The Value of Encryption

With high profile security breaches such as the iCloud hack and the leak of celebrities’ private photographs hitting the headlines, the concern for the security of our own personal information and sensitive data is mounting. Apple’s response to the data breach was to increase the level of security following the incident with the introduction of default encryption on phones, demonstrating the importance of encryption as a safeguard to protect data.

Encryption is simply the translation of data into code, using a defined algorithm, and is considered one of the most effective means of ensuring data security. Access to encrypted files requires a key or password that enables you to decrypt it by restoring it to its original form. Whilst most data transmitted over a network is sent in clear text, by incorporating encryption algorithms, users can protect data and make sure that only the intended recipient can decode and read the information.

Although there are many different types of encryption, they all serve the same purpose: to keep our data protected and secure. Storing any sensitive information is inherently risky, but in order to do this effectively, action must be taken to reduce the risks of inappropriate disclosure.

Given that a large amount of data can be stored on USB’s, smartphones and tablets, there is a real danger that personal information could be compromised should such a device end up in the wrong hands. We recently published research which found that over one third of respondents would look at, or try to open/access a device if they found one , showing that even when mislaid devices are found by conscientious members of the public, the devices may be examined and opened.

The problem is that users want devices that are easy to manage, hassle-free and allow them to go about their lives securely. Measures such as optional encryption do not fit into this lifestyle. Users will not hunt down new security features, either because they don’t know they need them, or perhaps think they already have them.

Whether it is personal or corporate data, security needs to be a necessity, and users should be provided with everything they need to protect their intellectual property.

For businesses, encryption can be a simple and effective means to protect sensitive information. Being able to manage and track the encrypted data, knowing who has accessed it, from what location and on what devices that information resides is also essential.

A Windows To Go device is a securely encrypted, IT-managed USB drive that gives businesses control over what happens to sensitive data, and is easy to use. It contains a fully functional corporate Windows desktop. Employees insert the Microsoft certified USB drives into their home computers, hot desks, or tablets that feature USB ports, and they receive a secure desktop and secure access to all applications and data they use in an office setting.

Unlike a virtualised or online remote access solution, the portable workspace offers full host computer isolation, meaning documents cannot be saved to the host machine but are saved to the USB drive, which can be locked down and remote wiped if required, and all data will remain secure without the threat of a potential data breach.

Encryption is a valuable and essential tool for securing your data. Don’t give users the opportunity to be unprotected; security needs to be a default – not an option.

by

Thwarting the Insider Threat

 

Autumn is returning, reluctantly we’re turning our back on summer, and we are looking forward to the Holiday season. Undoubtedly, this comes with increased people taking vacations, working remotely, and the unlucky few taking their laptops on holidays. For many organizations, this is pretty risky business because the sensitive corporate information is now travelling along with their employees. Although many organizations rarely expect their loyal employees to steal company data, many are prepared for security attacks.

Following the Edward Snowden revelations in 2013, IT departments are now tasked with monitoring potential insider threats. Snowden’s work with US intelligence agencies put him in the position of a highly trusted employee, providing him with everything he needed to accomplish what he set out to do. There were no measures in place to prevent what was possibly the biggest information leak in the history of the US.

The risks come from those who intentionally misuse their access to data to cause a detrimental impact on the confidentiality and integrity of sensitive information.

Although there are a number of routes to secure intellectual property, if the authorities, from whom Snowden was stealing from, had a manageable and encrypted flash drive, such as an IronKey™ Windows To Go drive, they could have tracked the information from anywhere. Any activity on the drive could have been monitored from an on-premise or cloud-based management service. This would have ensured them the ability to restrict where the device could be used, or resort to remotely locking it down, so no one could access the data.

If data isn’t encrypted, its integrity can easily and quickly be compromised, and therefore it is essential to know where, and who, is accessing information. This can be difficult across a fragmented IT environment, however, companies need to be confident that if a device is considered to be compromised, they can remotely lock it down, wipe it, or initiate a self-destruct sequence to remove the data, to protect themselves and their stakeholders.

Protecting intellectual property should be a priority for all organizations. Disabling outdated user accounts when employees exit an organization, implementing policies with privileged account passwords, updating them regularly and limiting access to corporate systems, are all crucial to keeping data secure. That’s where the Windows to Go Drive comes in:  a secure, IT-managed, Microsoft certified USB drive that contains a fully functional corporate Windows desktop. Employees insert the Microsoft certified USB drives into their home computers, hot desks, or tablets that feature USB ports, and receive a secure desktop  as well as secure access to all applications they use in an office setting.

Unlike a virtualized or online remote access solution, this portable workspace offers full host computer isolation, which means documents cannot be saved to the host machine, but are saved to the USB drive.

This way, all data will remain secure without the threat of a potential data breach ensuring safety for all!

 

IronKey Workspace W700

by

Savvy Security Users: IronKey USB 3.0 Hard Drives Now Available!

 

New IronKey™ USB 3.0 SuperSpeed Hard Drive – First to Offer Cloud Management

To all you savvy security users, here’s some great news! The IronKey Enterprise H300 USB 3.0 SuperSpeed external hard drives are now availableThese new devices can be managed in the cloud or on-premise with the same console used to manage IronKey Enterprise S/D 250 flash drives and IronKey Workspace W700/W500 devices for Windows To Go.

What does this mean for existing customers?

This product lets you enjoy the high-performance benefits of USB 3.0 while safeguarding up to 1TB of data on a USB hard drive.  If you want management capabilities, and are already using the IronKey Enterprise Management Console for IronKey Enterprise flash drives or our secure workspace devices, then all you need to do is add this device. Quick and easy! 

What does this mean for new customers?

Looking for an affordable, high-security external hard drive in today’s market? Look no further! New customers can select from two versions of the latest from IronKey: the IronKey Enterprise H300 and the IronKey Basic H300.  Both feature hardware encryption and a Section 508 compliant control panel available in eight languages, but with the IronKey Enterprise H300 hard drive, you’ll also get cloud-based, or on-premise, centralized management capabilities.

What platform is used to manage the IronKey Enterprise H300 drives?

The IronKey Enterprise H300 drives can be managed with the IronKey Enterprise Management Service or Server to establish a secure storage command center for administering the use of IronKey encrypted drives.  Both include advanced management features such as Active Malware Defense and the IronKey Silver Bullet Service so IT professionals can centrally administer policies, re-commission devices that are no longer in use and even remotely wipe, or disable, lost or stolen drives.  All you have to decide is whether you want your management capabilities in the cloud or housed internally. 

And if you happen to lose your password, don’t sweat it! The IronKey Enterprise H300 is the only drive on the market to offer secure password reset when a password is forgotten, without erasing all the content on the drive.

Where can I get an IronKey H300 hard drive?

The IronKey H300 hard drives are immediately available through Imation Mobile Security channel partners. The IronKey Basic H300 can also be purchased on our estore. Pricing is competitive, starting at $199 for 500GB and $249 for 1TB. Enterprise management licensing fees are additional for IronKey Enterprise H300 and start at $24 per year per user for management in the cloud.

What does this mean for you?

IronKey H300 hard drives offer the best value in the market today; enabling you to enjoy the high-performance benefits of USB 3.0 technology, cloud and server management capabilities, and of course, the highest security available.

 IronKey H300_LFT

by

The Cost of Cybercrime

 

Hackers are holding the world to ransom with cyber-attacks costing the global economy more than £238 billion a year¹. These attacks damage the global economy almost as much as illegal drugs and piracy, with financial losses from cyber theft resulting in a potential 150,000 European job losses.¹ Cybercrime is a growing menace which is proving to be an ever growing challenge for individuals and businesses. US retailing giant Target saw its earnings drop 46% after an attack that leaked more than 40 million customer credit card details², whilst eBay and Office have also been ‘hit’ this year, with customer data compromised.

Despite these devastating implications, the public, corporates and their employees continue to be careless with their valuable and highly confidential data –residing on laptops, tablets and mobile devices. Cyber espionage and theft of individuals’ personal information is believed to have affected more than 800 million people during 2013¹, and our mobile working culture has made data security an even greater challenge.

With IDC estimating that over one million smartphones were shipped last year³, someone somewhere in your company is using a personal, mobile device to connect to a corporate network and download sensitive data – making your organization a sitting target for cybercriminals. Companies must equip their employees with the means to protect corporate data from threats such as identity theft and cyber espionage, whilst mitigating the dangers associated with unsecured devices and free Wi-Fi hotspots.

Mobile devices need to maintain the same high levels of security as office-based desktops and servers, with only IT provisioned laptops or tablets connected to corporate networks. But, the best way of ensuring hackers can’t gain access to your company data, is by storing all your data on a secure fully encrypted Windows To Go USB flash drive. It provides employees with an IT managed and provisioned Windows workspace that replicates their secure office desktop environment, on any device that the USB is plugged into. This also means IT departments do not need to deploy individual computers but rather can deploy the Windows To Go workspace on USB drives which saves time, resources and introduces vast cost savings.

Staff awareness plays a crucial role in protecting the company network against cybercrime. Often under-estimating the inherent security risks of using personal devices in the office, employees must be educated to handle these responsibly – on a proactive, ongoing basis rather than waiting until a security breach occurs, when it’s too late.

With so many high profile security breaches making the headlines, organizations want to know that corporate data is secure at all times, regardless of where it resides, whilst employees need the flexibility to work remotely. Cybercrime can have a devastating impact on your business in terms of cost and reputation. Your organization can’t afford to be tomorrow’s headline…

 

Sources:

¹McAfee report, June 2014 – Net Losses: Estimating the Global Cost of Cybercrime

² http://www.businessweek.com/articles/2014-03-13/target-missed-alarms-in-epic-hack-of-credit-card-data

³ International Data Corporation (IDC)Worldwide Quarterly Mobile Phone Tracker, Jan 2014