A new storage device with hardened security features has the potential to replace one-time password (OTP) devices for authentication, but it's still far too complex and expensive to make headway in the enterprise, according to one industry analyst.
To get security news and tips delivered to your inbox,
The personal portable storage device (PPSD) is unlike older USB storage devices that function in a standalone manner. This tool has a single platform that combines the USB smart card form factor and flash memory with the ability to perform file encryption and provide smart card authentication and one-time password features.
Vendors are striving to confront the complexity and cost of the device, but its security features offer promise to enterprises looking to lock down data that leaves the company walls, said Mark Diodati, senior analyst for Burton Group.
"[The PPSD] will provide more benefits than the OTP device because it has the capabilities of an OTP, plus smart card and storage container thumb drive [features]," Diodati said.
These secure storage devices are more complex than OTP devices because they are not fully personalized before they are given to users and improvements must take place on the administrative side to ease deployment and management for end users, Diodati said.
Security token and smart card authentication:
Pre-boot biometric user authentication tools and strategies: Thinking about implementing biometric fingerprint readers for authentication? Learn what to look for in user authentication tools and how to be sure they're compatible with the OS.
One-time password tokens: Best practices for two-factor authentication: In this tip, Joel Dubin examines how to physically secure one-time password tokens and how to properly implement them to provide effective two-factor authentication.
The variety of "moving parts," such as smart card capabilities and flash card memory, and the fact that the device is a new technology, is responsible for the high cost of the encrypting tool, Diodati said.
Lawrence Reusing, CEO of PPSD device maker MXI Security, said in order to boost PPSD adoption and make it easier to use by employees, the first step is to make the devices more cost-effective, simple and deployable.
"I don't want to say [the PPSD] is going to overtake the OTP device because the low-cost OTP device has its place in the market," Reusing said. "Where PPSD becomes exciting and where it comes to take market share from OTP or expand it is customers that want to carry around a device that does much more than OTP devices."
Reusing said MXI Security is currently investing in research to create more cost-effective hardware technology and the company plans to launch new products that improve and streamline existing platforms, addressing the high price factor associated with previous devices, Reusing said.
Typical customers of the Stealth MXP product are mobile workers, consultants, and the government, Reusing said.
"The government is certainly a very large user-base for us," Reusing said. "The idea is they'll typically use our devices for not only encrypting data, but also to encrypt their laptops or maybe log into their RSA server. There are multiple security functions on the singular [PPSD] device," Reusing said.
The use of USB devices was prohibited within the Department of Defense in November after a removable storage device plugged into a USB port allowed a worm to access and inject malicious code across the federal network. Despite the ban, government agencies may be able to benefit from this new smart card and flash memory combination, Diodati said.
"Having information encrypted [on the PPSD] really overcomes a lot of the objections aimed at USB devices," Diodati said.
USB devices support only flash memory and are freely readable, lacking password protection, Diodati said. This new encrypted, portable tool protects data while in transit, so that if a laptop is stolen the data isn't compromised, he said.
The PPSD market is still new and does not have any standard vertical market, but the device is ideal for enterprises interested in strong authentication and DLP, such as the government, financial organizations and payment and mobile communication industry enterprises.
For enterprises considering acquiring PPSDs, Diodati recommends doing a cost-benefit analysis as well as taking inventory of all applications to make sure the device is compatible with them.
Users must set up an encrypted file drive, learn how to store data on it and enroll for a public key infrastructure (PKI) certificate in order to use and access the new tool, Diodati said.
"Another [recommendation] would be to implement very good recovery processes, because you'll want to recover data off devices if users terminate them or in case something else happens to it," Diodati said.