You don't need a 100-headed monster to control sensitive data that needs to be transported from the computer. You just need one Hydra PC. In the May issue (beginning on pg. 50), we looked at tools to manage the USB ports on a PC. Among those tools are some encrypted USB thumb drives. These are great tools as far as they go, but for real industrial-strength protection look into the just-released Hydra Privacy Card II from Spyrus.
This product addresses a variety of difficult scenarios. For example, suppose that you have an employee who wants to steal your customer database and offer it to a competitor as an inducement to hire them. With typical memory sticks, the rogue employee simply downloads the database onto the memory stick and takes it home. If it is encrypted, even if the memory stick is confiscated it won't reveal its contents. However, with Hydra, unless specifically authorized, the device won't work in any computer except the one for which it was set up. The data is useless anywhere except where it is supposed to be.
Hydra is a high-security, one GB data encryption tool that runs from the USB port on your computer. However, besides being able to transport data securely, Hydra can work with other Spyrus products to provide such services as strong authentication and support for smart cards and digital certificates. Hydra is not just a USB memory stick. It is a fully functional computer, only slightly larger than a typical memory stick, that executes strong encryption at a variety of levels.
First, since it is an active device, Hydra requires a powered USB port. The device stores encrypted data on a standard one GB miniSD or miniSDHC memory card. The card can be removed from the Hydra easily and replaced with another for multiple blocks of secure storage. Most important, however, Hydra can support storage of classified data under U.S. government standards. Spyrus designed Hydra for validation under FIPS 140-2 Level 3, making it suitable for virtually any commercial application.
Cryptographically, Hydra supports AES, ECC (elliptic curve cryptography), the SHA-2 family up to SHA-512, and ECC curves up to 521 bits. The defaults are ECC P-384, AES-256 and SHA-384.
However, security controls don't stop there. Because you can authorize the device explicitly for the computers on which it is allowed to be used, there is no fear of losing the Hydra and exposing the data on it. The pass-phrase, or PIN in Hydra-speak, is never stored on the device or the computer. When the PIN is set up, it is hashed and the encryption key is derived from the hash. When the user enters a PIN, the same derivation is repeated from the entered PIN to unlock the key. The encryption key itself is held only in encrypted form, and only on the Hydra, providing very strong security.
One very useful capability of the Hydra is that it not only encrypts data to the device; you can also use the Hydra to encrypt data on your PC with the same encryption strength. Without the Hydra in the USB port, your data cannot be decrypted. Because the key is stored on the Hydra, even a stolen PC is not a worry. PINs can be very long and can consist of any combination of alphanumeric and special characters.
There are access levels for the user and for the administrator, and the product comes with a simple admin tool to help set up the Hydra and manage it. The host authorization code — the code that authorizes the Hydra on multiple PCs — can be up to 256 characters long.
We tested the Hydra using a simple set of encryption tests and forensic analysis of the miniSD card. We tested functionally for residue after ungracefully removing the Hydra from the USB port, and we exercised each of its advertised functions. Our conclusion is that if you are storing sensitive data of any kind — personally identifiable information, for example — this is an extremely secure way to do it. The device is physically tamper-resistant, and it destroys the encryption keys after a predetermined number of failed PIN attempts, rendering the data stored on the device unrecoverable.
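The key handling the review describes, a PIN that is hashed into a key which in turn protects the stored encryption key, explicit host authorization, and destruction of the keys after repeated PIN failures, can be modelled as follows. This is an added example written for this page, not Spyrus code, and it does not reflect Hydra's actual firmware, formats or parameters. Everything beyond the review's statements is an assumption and is labelled as such in the comments: SHA-384 (the review's default hash) applied directly to the PIN as the derivation, AES-256-GCM as the wrapping mode (the review names AES-256 but no mode), a host identifier bound in as associated data to model the "where you are" factor, and a constructed limit of three failed attempts, since the review gives no number.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha512"
	"errors"
	"fmt"
)

var (
	ErrHostNotAuthorized = errors.New("token not authorized for this host")
	ErrBadPIN            = errors.New("PIN rejected")
	ErrZeroized          = errors.New("keys destroyed after too many failed PINs")
)

// Token models the review's key handling: the PIN is never stored, only copies of
// the data key wrapped under a PIN-derived key, one per authorized host.
type Token struct {
	wraps       map[string][]byte // hostID -> nonce || AES-256-GCM(DEK), AAD = hostID
	failed      int               // consecutive wrong-PIN attempts
	maxAttempts int               // failures tolerated before the keys are destroyed
}

// deriveKEK hashes the PIN with SHA-384 (the review's default hash) and truncates to
// a 256-bit key-encryption key. The review says only "hashed"; salting is an assumption left out.
func deriveKEK(pin string) []byte {
	sum := sha512.Sum384([]byte(pin))
	return sum[:32]
}

// gcm builds AES-256-GCM over a 32-byte key; neither constructor can fail for that size.
func gcm(key []byte) cipher.AEAD {
	block, _ := aes.NewCipher(key)
	aead, _ := cipher.NewGCM(block)
	return aead
}

// randBytes panics if the OS CSPRNG is unavailable; there is no safe fallback.
func randBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// wrap encrypts the DEK under kek with hostID as associated data ("where you are"),
// so the wrapped key only opens on the host it was issued for. Assumed mode: GCM.
func wrap(kek, dek []byte, hostID string) []byte {
	aead := gcm(kek)
	nonce := randBytes(aead.NonceSize())
	return append(nonce, aead.Seal(nil, nonce, dek, []byte(hostID))...)
}

// Provision generates a random 256-bit DEK and wraps it once per authorized host.
func Provision(pin string, hosts []string, maxAttempts int) *Token {
	dek := randBytes(32)
	t := &Token{wraps: map[string][]byte{}, maxAttempts: maxAttempts}
	for _, h := range hosts {
		t.wraps[h] = wrap(deriveKEK(pin), dek, h)
	}
	return t
}

// Unlock re-derives the KEK from the entered PIN and unwraps this host's copy of the
// DEK. An unauthorized host is refused before the PIN is tested; wrong PINs are
// counted, and at maxAttempts every wrapped key is overwritten and discarded.
func (t *Token) Unlock(pin, hostID string) ([]byte, error) {
	if t.wraps == nil {
		return nil, ErrZeroized
	}
	blob, ok := t.wraps[hostID]
	if !ok {
		return nil, ErrHostNotAuthorized
	}
	aead := gcm(deriveKEK(pin))
	n := aead.NonceSize()
	dek, err := aead.Open(nil, blob[:n], blob[n:], []byte(hostID))
	if err != nil {
		t.failed++
		if t.failed >= t.maxAttempts {
			t.zeroize()
			return nil, ErrZeroized
		}
		return nil, ErrBadPIN
	}
	t.failed = 0
	return dek, nil
}

// zeroize overwrites every wrapped key in place and marks the token dead.
func (t *Token) zeroize() {
	for _, b := range t.wraps {
		clear(b)
	}
	t.wraps = nil
}

func main() {
	tok := Provision("constructed-demo-PIN", []string{"laptop-A"}, 3) // constructed values
	_, err := tok.Unlock("constructed-demo-PIN", "laptop-B")
	fmt.Println("foreign host:", err)
}
```

Two properties of the review's design show up in the model: a host that was never authorized is refused before any PIN is checked, so nothing about the PIN is revealed or counted there, while wrong PINs on an authorized host count toward zeroization, after which the correct PIN no longer recovers anything because the wrapped keys themselves are gone. A production device would also salt and slow down the PIN derivation; the direct hash here only mirrors what the review states.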
Since it separates the encryption device from the computer, and you must authorize the device explicitly for the computers with which you want to use it, the Hydra has some advantages over whole disk encryption. Because it can work with other Spyrus products, full data security schemes can be devised that fit well in a corporate environment. Spyrus tells me that they are working on a tool to manage an enterprise full of Hydras centrally, along with all of the usual enterprise management capabilities for managing encryption across a large organization. Spyrus claims that Hydra is the "strongest encryption solution commercially available," and we believe that likely is true.
If you deal with sensitive data, especially on laptops, you need the Hydra.
— Peter Stephenson, with Mike Stephenson
Product: Hydra Privacy Card Series II
Company: Spyrus Inc.
Availability: Now
What it does: USB active data encryptor and storage drive for high-security applications.
What we liked: Very high security and flexibility at a reasonable price - three-factor authentication (what you know, what you have and where you are) and the ability to encrypt on the device or on the computer with full confidence.
What we didn't like: I've got to pick nits here because this is one of the most useful and well-conceived products I've seen in a long time. However, the form factor is a bit large and it really needs enterprise-wide management.