One common puzzle for the security-minded is how to work with confidential data on the road. Sometimes you can’t bring your laptop, or don’t want to. But working on somebody else’s machine exposes you to malware and leaves behind all kinds of electronic trails. Even if you keep your files on a portable drive, Windows will scatter pieces of them around the borrowed PC — in temporary files, browser histories, the Windows Registry, the paging file, the hibernation file and memory dumps.
For digital self defense, the ideal solution would put the brains of your own computer in your pocket. The idea is to boot a borrowed PC from a portable device that holds not only your data but your software and operating system. You bypass the host computer’s hard drive and operating system, but get to use its keyboard, mouse and monitor. There are a number of geeky ways to accomplish this, and I’ll cover them in coming days. By far the most secure is a new commercial product called IronClad, an armored, encrypted thumb drive built in a partnership between IronKey and Lockheed Martin. The bad news is you probably can’t have one. IronClad is intended for large corporate IT departments, and the minimum purchase is 200 units. I’m going to give you a tour of its features anyway, because it looks to me like the new gold standard for portable data security. In a coming post I’ll write about how you can mimic some of its most useful features on the cheap.
The IronClad is larger than an ordinary thumb drive (about 3″ x 3/4″ x 5/16″), with layers of epoxy under a solid metal case that’s designed to be tamper-proof. It self-destructs, quietly but irreparably, after ten wrong passwords. The encryption is done with a custom hardware chip, not with software. Its biggest selling point is that it can be used as the boot device on most modern PCs. (It will not work with a Mac.) Power off the computer, plug in the IronClad, and power the computer back on. Press a special key for boot options, and soon you are running your own virtual computer on someone else’s machine. No trace of your work is left behind because the borrowed computer never knows you were there. Lockheed uses a proprietary combination of Linux and VMware to make the magic work, but what you see in the end is your own Windows desktop, with your own applications and data.
Corporate IT managers will load up IronClads with their own custom selection of software. The 16GB test unit that Lockheed sent me was configured with Windows 7, Microsoft Office 2007, Acrobat Reader, and other standard tools. By design, it is impossible to install additional software. More than that, the IronClad is designed to block any executable code that isn’t on a specified “white list.” I asked Lockheed to turn off the latter feature in my test unit, and had no trouble running portable versions of Firefox, Thunderbird, Skype and other software.
The IronClad is faster than most thumb drives but far slower than a standard hard drive. Boot up, application launch and other Windows operations feel sluggish, though still usable. Turning off the fancy Aero graphics in Windows 7 seemed to speed performance. (Right click on desktop, choose Personalize, scroll down, and pick one of the Basic themes.)
The first test unit I got from Lockheed would not connect to my wired or wireless networks. An updated version seemed to have the same problem, but I resolved it by turning off a proxy server that was set as the default. (In Internet Explorer: Tools … Internet Options … Connection … LAN settings… uncheck proxy server.) After that, I had no trouble joining a variety of home and office networks. The IronClad even mounted a network-attached hard drive without a hitch. And yet … you might think twice about doing any of those things if you were carrying around your company’s crown jewels. The whole point of the IronClad is to let you work inside a closed digital perimeter. As soon as you unlock it and connect to the web, your data becomes vulnerable to hacks and malware. The “white list” feature reduces but does not eliminate that risk.
This is a very strong product, polished and well thought through, for those who need maximum security. That is not to say it is easy to use. I suspect it will require a lot of technical support. Reliance on a borrowed computer means the IronClad has to work out of the box with a potentially endless variety of hardware and peripherals, and the results are unpredictable. Just to get started with the IronClad, you have to interrupt the standard boot sequence on the host computer. On a Dell machine, you do that by pressing the F12 function key. On a Lenovo notebook, it’s the blue ThinkPad button. Other brands have other methods. Some computers will require a BIOS update before they can boot from the IronClad, and others are locked to block attempts to boot from — or even attach — an external device. This kind of restriction is especially likely in airport and hotel business centers, where travelers tend to look for temporary computers. If you do manage to boot the thing, which I usually did, the IronClad’s strict security settings may prevent you from navigating the local network or installing the drivers for a printer. (Even with reduced security settings, I was unable to install drivers for my Epson Workforce 610 printer at home.)
Bottom line: IronClad is a valuable tool for the security-minded road warrior, and I would love to keep one in my kit bag, but I would not count on it for computer access on deadline. There are places where it simply won’t work, and in those places, paradoxically, a decision to rely on the IronClad may expose you to greater risk. The worst of all worlds is to leave your secure laptop at home and put your secrets in the hands of an Internet cafe.