Announced in February 2010, Spyrus' Secure Pocket Drive solved this problem by, in the company's words, "turning a commodity microSD card into a militarized security device."
Perhaps because of the algorithms it contains -- see later in this story -- the Secure Pocket Drive was initially sold only to government customers within the U.S. But now, says Spyrus, it may be purchased by enterprise customers anywhere in the world.

Available in 2GB, 4GB, 8GB, or 16GB capacities, the device was first equipped with the Windows Embedded Standard 2009 operating system, but switched to Windows Embedded Standard 7 last year. The drive is preloaded with display, keyboard, and network drivers that can support most modern PCs, according to Spyrus.
How it works
If a host PC can be configured to boot from a USB drive, it makes no difference whether that system is contaminated with spyware or malware, or even what operating system is installed, Spyrus notes. That's because the Secure Pocket Drive runs Windows from its own secure storage, bypassing the host's hard disk and making use of only its keyboard, mouse, display, and RAM (512MB minimum), the company explains.
Spyrus announced last July that it had received U.S. Patent No. 7,757,100, which covers the implementation of a secure boot loader to authenticate and check the integrity of an encrypted storage device and the operating system loaded onto it. At the time, the company also said the Secure Pocket Drive had been verified as being "Citrix Ready."
The company touts the Secure Pocket Drive as being better than competing devices -- presumably referring to the likes of MXI Security's Stealth Zone, which we also covered in 2010 -- because it does not employ a hypervisor. As a consequence, there is less overhead and the device can run faster, claims Spyrus.
According to Spyrus, its Secure Pocket Drive is available in three editions: Remote Access, Productivity, and Productivity RO (Read Only). The Remote Access edition is a read-only device designed for secure web surfing, virtual private network connectivity, and virtualized application access. The Productivity edition adds to this functionality by supporting the installation of applications such as Microsoft Office, with the ability to store user data on the device or on a separate secure USB device. Finally, the Productivity RO edition offers all of the functionality of the Productivity edition, except that an external storage device must be employed.
It's further said that all editions can be customized to meet organization-specific requirements. Unlike a bootable CD, for example, the Secure Pocket Drive can be unlocked and updated remotely by authorized administrators using Microsoft System Center Configuration Manager (SCCM) and Active Directory policy settings. The device can also be managed via the Spyrus Enterprise Management System (SEMS), which allows remote disable or destruction of devices, according to the company.
Background
Spyrus says its security technology has been designed and developed entirely in the USA, meeting FIPS 140-2 standards. The cryptographic algorithms employed are "the strongest commercially available," including elliptic curve cryptography (ECC), AES, and SHA-2, collectively known as Suite B, the company adds.
The company adds that it first developed a hardware-based pre-boot authentication system for Windows more than ten years ago. Building on this, the Secure Pocket Drive uses a secure boot loader to authenticate and check the integrity of the host PC, and it will not boot the Windows Embedded Standard 7 operating system if the device has been tampered with, says Spyrus.
According to Spyrus, the Secure Pocket Drive uses FIPS 140-2 Level 3 tamper-resistant epoxy potting, with built-in anti-tamper and self-destruct mechanisms, to protect against unauthorized access to the device and data stored on it. The protected sectors of the device's memory, its operating system, and all data and application files are encrypted with advanced, hardware-based XTS-AES 256-bit encryption, fully compliant with the newly approved NIST SP 800-38E security standard, the company adds. Finally, it's said "Suite B On Board" hardware security (ECDSA P-384, EC-DH, AES-256, SHA-384) supports the full set of Suite B cryptographic algorithms for all security services.
David Aucsmith, senior director for the Microsoft Institute for Advanced Technology in Government, stated, "This delivers on Microsoft's vision of a trusted stack, and makes the benefits of a trusted stack available to enterprise customers. A truly trusted mobile computing environment providing security of data, identity, and operating system is now available to enterprises large and small, and not just to government agencies."
Further information
More information may be found on the Spyrus Secure Pocket Drive product page.
Jonathan Angel can be reached at jonathan.angel@ziffdavisenterprise.com and followed at www.twitter.com/gadgetsense.