Portable security storage device could replace OTP devices

By Erin Kelly, Contributor 16 Mar 2009 | SearchSecurity.com

Security Wire Daily News Digg This!     StumbleUpon     Del.icio.us

A new storage device with hardened security features has the potential to replace one-time password (OTP) devices for authentication, but it's still far too complex and expensive to make headway in the enterprise, according to one industry analyst.

SearchSecurity.com: To get security news and tips delivered to your inbox, click here to sign up for our free newsletter.

The personal portable storage device (PPSD) is unlike older USB storage devices that function in a standalone manner. This tool has a single platform that combines the USB smart card form factor and flash memory with the ability to perform file encryption and provide smart card authentication and one-time password features.

Vendors are striving to confront the complexity and cost of the device, but its security features offer promise to enterprises looking to lock down data that leaves the company walls, said Mark Diodati, senior analyst for Burton Group.

"[The PPSD] will provide more benefits than the OTP device because it has the capabilities of an OTP, plus smart card and storage container thumb drive [features]," Diodati said.

These secure storage devices are more complex than OTP devices because they are not fully personalized before they are given to users and improvements must take place on the administrative side to ease deployment and management for end users, Diodati said.

Security token and smart card authentication: Security token and smart card authentication: Get advice on how to mitigate data theft from hackers with security token and smart card authentication technology, smart card readers and software. Pre-boot biometric user authentication tools and strategies: Thinking about implementing biometric fingerprint readers for authentication? Learn what to look for in user authentication tools and how to be sure they're compatible with the OS. One-time password tokens: Best practices for two-factor authentication: In this tip, Joel Dubin examines how to physically secure one-time password tokens and how to properly implement them to provide effective two-factor authentication.

The variety of "moving parts," such as smart card capabilities and flash card memory, and the fact that the device is a new technology, is responsible for the high cost of the encrypting tool, Diodati said.

Lawrence Reusing, CEO of PPSD device maker MXI Security, said in order to boost PPSD adoption and make it easier to use by employees, the first step is to make the devices more cost-effective, simple and deployable.

"I don't want to say [the PPSD] is going to overtake the OTP device because the low-cost OTP device has its place in the market," Reusing said. "Where PPSD becomes exciting and where it comes to take market share from OTP or expand it is customers that want to carry around a device that does much more than OTP devices."

Reusing said MXI Security is currently investing in research to create more cost-effective hardware technology and the company plans to launch new products that improve and streamline existing platforms, addressing the high price factor associated with previous devices, Reusing said.

Typical customers of the Stealth MXP product are mobile workers, consultants, and the government, Reusing said.

"The government is certainly a very large user-base for us," Reusing said. "The idea is they'll typically use our devices for not only encrypting data, but also to encrypt their laptops or maybe log into their RSA server. There are multiple security functions on the singular [PPSD] device," Reusing said.

The use of USB devices was prohibited within the Department of Defense in November after a removable storage device plugged into a USB port allowed a worm to access and inject malicious code across the federal network. Despite the ban, government agencies may be able to benefit from this new smart card and flash memory combination, Diodati said.

SearchSecurity radio:

"Having information encrypted [on the PPSD] really overcomes a lot of the objections aimed at USB devices," Diodati said.

USB devices support only flash memory and are freely readable, lacking password protection, Diodati said. This new encrypted, portable tool protects data while in transit, so that if a laptop is stolen the data isn't compromised, he said.

The PPSD market is still new and does not have any standard vertical market, but the device is ideal for enterprises interested in strong authentication and DLP, such as the government, financial organizations and payment and mobile communication industry enterprises.

For enterprises considering acquiring PPSDs, Diodati recommends doing a cost-benefit analysis as well as taking inventory of all applications to make sure the device is compatible with them.

Users must set up an encrypted file drive, learn how to store data on it and enroll for a public key infrastructure (PKI) certificate in order to use and access the new tool, Diodati said.

"Another [recommendation] would be to implement very good recovery processes, because you'll want to recover data off devices if users terminate them or in case something else happens to it," Diodati said.

Tags: Security Token and Smart Card Technology,  PKI and Digital Certificates,  Disk Encryption and File Encryption,  VIEW ALL TAGS

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT Security Token and Smart Card Technology First Data, RSA push tokenization for payment processing How to log in to multiple servers with federated single sign-on (SSO) Best Authentication Products Are 'strong authentication' methods strong enough for compliance? Risk management must include physical-logical security convergence RSA researcher Ari Juels: RFID tags may be easily hacked Can you combine RFID tag technology with GPS to track stolen goods? Security token and smart card authentication Embedded smart card chips are open to hack attacks What should an enterprise look for in a password token and a vendor? PKI and Digital Certificates Best Authentication Products DoD urges less network anonymity, more PKI use Researchers to demonstrate new EV SSL man-in-the-middle hacks What is most misunderstood about EV SSL certificates? VeriSign addresses MD5 flaw Rogue digital certificates strike blow to Internet security Can any firm or organization get a digital signature certificate? How to obtain a digital certificate for a server PKI and digital certificates: Security, authentication and implementation What is the best way to administer exams to students via computer? PKI and Digital Certificates Research Disk Encryption and File Encryption Health Net healthcare data breach affects1.5 million Heartland CIO is critical of First Data's credit card tokenization plan Heartland CIO on end-to-end encryption, credit card tokenization Should developers create libraries of common cryptographic algorithms? What is an encryption collision? Heartland CIO on PCI, E3 project Visa probes tokens, encryption for PCI card data protection Voltage, RSA spar over tokenization, data protection Truth, lies and fiction about encryption What are new and commonly used public-key cryptography algorithms?

RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary authentication server  (SearchSecurity.com) Chameleon Card  (SearchSecurity.com) key chain  (SearchSecurity.com) key fob  (SearchSecurity.com) key string  (SearchSecurity.com) national identity card  (SearchSecurity.com) security token  (SearchSecurity.com) smart card  (SearchSecurity.com) tokenization  (SearchSecurity.com) two-factor authentication  (SearchSecurity.com)

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary