This company is working to grow the channel as it hopes its product meshes seamlessly with the latest services.

by Alex Goldman ISP-Planet Managing Editor [November 3, 2008]

Los Altos, Calif.-based IronKey delivers a premium flash drive to customers who value security. The company guarantees that its product is "designed and built in America" and conforms to FIPS 140-2 Level 2.

"It's the world's most secure flash drive," says John Jefferies, IronKey vice president of marketing. "It's secure in multiple dimensions. We see ourselves as primarily a security company that just happens to make flash drives."

He provides details. "The device itself is a solid chunk of aluminum filled with epoxy. It's waterproof and tamper resistant and has a crypto chip that renders it useless if tampered with."

He's not kidding. One reviewer who liked the product writes:

"you have to be careful, because if you enter the wrong password 10 times in a row, the unit permanently deletes all of your data and is no longer usable. You can't even reformat it. That's tough love. "

Of course, Jefferies notes that the unit warns the user repeatedly and that you have to remove and re-insert the USB key several times to get to 10 wrong passwords "so that your cat or baby cannot brick the device."

The device uses Single Layer Cell (SLC) memory, which is designed to last longer. If you're running a browser off of flash memory, you'll need hardware that can stand up to heavy usage. In contrast, if you're storing photos or a powerpoint file once and downloading just a few times, multilayer cells, which are cheaper and less durable, should be fine.

"SLC is rated for about 100,000 cycles, whereas the average drive you'd buy in the store is rated for about 10,000 cycles," says Jefferies.

A key selling point of the device is its cross platform compatibility: it works with all flavors of Linux; with Windows Vista, XP, and 2000 SP4; and with Macintosh OSX.

Jefferies says that Linux compatibility has made the device popular with network administrators.

Jefferies notes that the crypto chip provides true random number generation. The failure of some random number generation schemes is a common security issue resulting from poor implementation and was most recently highlighted for ISPs by the Kaminsky attack, which revealed that some DNS systems were generating sequential numbers instead of random numbers. IronKey doesn't do that.

"We're funded by the DHS," Jefferies claims. "We were founded to solve threats to personal identity by creating a trusted device.

The device contains a FireFox browser and the company runs a private TOR network.

The device carries a certificate, currently self-generated. (Government customers, Jefferies says, are asking for certs from VeriSign and similar companies, and they will be added soon.)

Applications
Because it has a certificate, and can carry multiple certificates, Jefferies believes that this device will replace hardware tokens. The company is not a competitor to RSA, he assures us. Instead, it works with RSA to ensure its devices can carry software versions of RSA tokens.

"We put a soft token onto a protected area of our hardware. Just as people with powerful cell phones no longer need PDAs," Jefferies says, "maybe the days of carrying around tokens are over as well."

The company has segregated the hard drive into a protected part, that stores things like certifications and passwords, and a less protected part onto which you can download applications. That makes the device more valuable, helping justify its premium price tag, but does come with stupid user risk.

IronKey cannot protect against a user who drags and drops malware onto the device. Scanning the entire computer every time a user opens an application is not practical.

In further concessions to reality (someday I'll tell you about the administrator who wanted to disable my laptop's USB ports and floppy drive but not right now), IronKey is allowing enterprise users to reduce or eliminate the possibility of bricking the IronKey by entering the wrong password.

Enterprises (as opposed to the government) have a different fear—that an ex-employee will take data with them. That's known as the "insider threat."

"We have a remote kill feature that we call the 'silver bullet' that allows administrators to lock out or even remote kill a drive," says Jefferies. "And if you're paranoid that it won't work, you can require the drive to call home every time it logs on, or only allow access from a PC that's only, or call home every x number of days or every x number of tries."

IronKey is offering a backup service to mitigate the possibility that the key will be bricked or lost. It allows users to store their data remotely and securely and then download it. This is becoming popular with people who need to travel with sensitive data and don't want to worry about losing a key in transit. They travel with an empty flash drive and then download the data securely when they reach their destination.

Verticals and the channel
Besides government, Jefferies says that the IronKey is popular with financial companies. It's also popular with manufacturing companies that have intellectual property to protect. Regulation of health care and other industries, he believes, will make more businesses eager to purchase the world's most secure flash drive.

The channel, Jefferies says, is the area he's focusing on now. "I want to expand our reach and enable partners to sell the IronKey and also sell services with it. We will expose the digital certificate capability and the use of RSA OTP."

He adds that the company is working with open source initiatives as well, such as OpenID and OAuth.

Pricing and availability
The IronKey is available now. The device retails at $80 for a 1 GB drive and $299 for an 8 GB drive.

There are three service levels: Basic, Personal, and Enterprise. With Personal, users get use of the private TOR network free for one year and $24 per year thereafter. With Enterprise, administrators get extra control over devices and a more sophisticated certificate infrastructure.

"I've never seen a security product in this business that people were so passionate about," enthuses Jefferies. "I think it's because it really is so secure."

—End