An Interview with David Jevans, CEO of IronKey (maker of military-strength flash drives)

Flash drives, pen drives, or thumb drives are now ubiquitous portable storage devices in the workplace. They are used to transfer files between computers at the office, or to take files to work on a home computer. While incredibly handy, these drives are also an easy conduit for malicious code to slip onto corporate networks. Thumb drives presented such a threat that the Pentagon had banned them for about 15 months until a year ago. Why are these drives even used in military applications, and what new cyber security components could make them safer for military and corporate networks? Knowledge@Wharton spoke about the security challenge these devices present with David Jevans, the CEO of IronKey, a maker of secure flash drives that are increasingly used by Homeland Security and Pentagon agencies. An edited transcript follows.

Wharton Aerospace & Defense Report: For some 15 months starting in November 2008, the Defense Department had a ban on portable storage devices, mostly pen drives. Today, how hard a sell is it for IronKey to get the military to use its pen drives?

David Jevans: Well, the situation in the Department of Defense (DoD) is that Stratcom (U.S. Strategic Command) has released a set of technical requirements which must be met for Defense Department agencies to use removable storage media on any kind of Department of Defense computer. And those technical requirements include everything from hardware based encryption of all data on the devices to remote management capabilities of those devices, and a number of capabilities in the area of preventing malicious software from infecting the devices and then jumping off a device and infecting a DoD computer, and then further infecting other DoD networks.

So products must first of course meet all of those technical requirements. They have to go through certain validation phases. Interestingly, the Stratcom requirements do not create an open door for any vendor to come in and sell their products. In fact every DoD agency must actually take a look at those requirements and then they create their own set of agency specific requirements that have to include those but may actually go even further around security requirements.

So the challenge is really working with each individual agency to see when they will have their tasking orders, which really specify for that particular agency, how they can use the technology and what kind of additional security requirements might be in place. So what we have found at IronKey is that there is a lot of pent up demand for using portable storage devices. However, it really is a project where you work agency-by-agency to make sure that as their requirements come out the products can meet all of those requirements.

Wharton Aerospace & Defense Report: Now let’s step back for a moment. Today’s high-bandwidth networks make it possible to easily transfer and share large files. Why do we need to use flash drives still?

Jevans: Well there are a number of reasons why people want flash drives and other portable media. Of course, some of it is data sharing, which is the need to move data between computers. There are a number of different use cases there. So one of them would be when data needs to be moved between different kinds of networks, whether they go from a secret network to a classified network to perhaps a computer shared on the Internet.

Now typically those are not going to be network connected machines, so you do need some form of physical removable storage, oftentimes to move data between those types of platforms. Another example is folks who are deployed in theater where they want to be able to carry personal information, photos of their families. Maybe in some cases they are carrying actually mission data, which they will carry with them as they go out in to the battlefield so they will be moving from location to location.

They might be moving from vehicle to vehicle and they need to be able to carry that mission information and then plug it into the vehicles, as they move between vehicles. So those are some of the specific use cases. Another one you will see is, for example, in the National Guard and some of the other services they have got people who will work from home on a computer that is not issued necessarily by the government, but they need to come in and access government networks.

So they may actually have data that they bring home with them that they work on off of the secured flash drive and of course if the device is either lost or stolen, due to hardware encryption, nobody can actually get at the information. And there is another set of use cases where it doesn’t really necessarily involve people carrying data around between computers but it is more about how the information is moved into tactical systems. For example, moving mission information into portable missile systems, having mission and GO information inside of mobile vehicles both on the ground and vehicles that fly around, UAVs and other types of vehicles. So there is a broad spectrum of embedded-type solutions where you do need to move either mission information into vehicles or you may actually be having sensor-type devices that are recording large amounts of information. And that data needs to be removed out of those devices and then loaded into network connected systems for analysis.

Wharton Aerospace & Defense Report: You mentioned if they were to get lost that there is encryption and the information will be secure. Now, is it also possible that if someone were to lose it and someone else were to retrieve it and they try to hack into it, after a few times they would just erase all the information that is on the key?

Jevans: Well there are a number of different security capabilities that are built into the IronKey portable storage devices. One of course is always-on hardware encryption. So anything that is stored onto the IronKey device is encrypted with AES 256-bit CBC-mode hardware encryption [Military strength encryption]. There is no way to store unencrypted data on the devices. You don’t need any software or drivers to be installed on computers, and so on a Windows or Mac or Linux machine, any data stored is automatically encrypted and that encryption has been validated to match to the Federal Information Processing Standard (FIPS) 140-2 Level 3 security standards.

When you plug the devices into a computer you have to enter a strong password and there are ways to set policies around how strong that password has to be. For example, how many characters long it is, does it have to have numbers, special characters, upper and lower case that can all be defined on an agency-by-agency basis…so you have to enter in the password correctly…you also can set in the hardware, the number of times you are allowed to incorrectly enter the password.

If you exceed that threshold for example if someone finds the device and tries to break into it by guessing the password after a number of times then you can set it. Typically, people set it to 10 times but you can change it to less or more. Then what happens is the device locks itself out. You no longer are able to attempt to enter passwords. The encryption keys are destroyed inside of the device and even all of the encrypted data itself is erased at a hardware level, where you have got many, many layers of protection from encryption, hardware data wipe, key management and key destruction. There is a full set of security capabilities. We call it self destruct. Basically all of the data becomes useless and irrecoverable.

The other capability that the devices have optionally is if someone were to plug them into a computer that was connected to a network. The devices can be configured such that they will actually call back to a server on the network and report back whether they have been self destructed or not. And that allows you in many cases to have an audit functionality where you can know that somebody has tried to plug this in and onto a network enabled computer and you can even issue a remote self destructing command or as the device terminates itself it will report back.

Wharton Aerospace & Defense Report: Just to be clear: IronKey products are ready to use out of the box except for a few of the preferences. People don’t have to work with their IT department to implement most of the security aspects?

Jevans: That’s right, we have a couple of given versions of the product. One is the standalone version that basically requires no work. You just plug it in, enter your password, set it up and you are good to go. The other one is a network connected capability where it connects to a server and where the IT department issues you an activation code which you type in the first time you use the device and then it talks to the server and does all the configuration remotely. So the end user doesn’t actually have to do anything; it just downloads the policies from the server and configures itself automatically. So both options are available.

Wharton Aerospace & Defense Report: Right, so right now, because of the ban and because of the department-by-department permission to use these kinds of flash drives, how does a computer distinguish between your IronKey USB drive and just someone’s personal drive? Have they set up the system to recognize the difference between the two things?

Jevans: Yes, they have set up the computer systems in many agencies to be able to distinguish between different types of devices that are plugged in. The Host Based Security System (HBSS), which is installed on a large number of permanent defense computers, does allow a form of port control, where, when a product is plugged in to a computer, the product identifies itself with a vendor identification number and a product identification number. And then the HBSS software is able to look on a white list and allow, for example, only IronKey devices to be plugged in and any other device that wasn’t an IronKey, for example, can be blacklisted so that the computer won’t mount it and you can’t use it.

Wharton Aerospace & Defense Report: But there is also a cat and mouse aspect to all of this. Security folks put up new defenses and hackers or people who really want to get at information try to find ways around those. What measures is IronKey taking to try to stay one step ahead of that cat and mouse game?

Jevans: Well you are right, I think security is a cat and mouse game and it is often times a game of catch ups from the bad guys. So, we are first and foremost a security company and so what we think about when we design our products is putting together a threat model and threat landscape, where we can define current existing known security threats. And then we also model out the future of likely security threats. For example targeted attacks where an adversary might decide that they want to attack a given person or a given agency, and they might want to use our product and attack our product specifically and write, for example, malicious code against our products.

So we think through all of those types of scenarios, then we are very clear about in every version of the product what we defend against today and then where our road map is evolving to be more proactive and think about where the bad guys are going over time. And I think what is important is that since we have got folks who have been in the security industry, you know for decades now, and have been tracking malicious activity for 10 to 15 years, we have got a very good idea about how it’s evolving, in which directions it is evolving, and how the criminal underground and hostile nation states are changing their approaches.

And so with that expertise you do have an ability to design threat models for the future which allows you to be more proactive rather than a simple cat-and-mouse game of reacting, which has been I think the way the security industry has worked for a long time. It is possible now to get a little bit more proactive and think about what the bad guys might be doing two years from now, and then to build in proactive defenses against that. Clearly one of the things that you have to have is an ability to upgrade the products to add security features and patches to firmware and to software, and be able to download and install that remotely over networks so that as you begin to identify you’re able to actually upgrade devices in the field. That is something that IronKey does very well.

Wharton Aerospace & Defense Report: Now is this a product that has piqued the interest of the DoD and the Homeland Security folks only, or are there other federal agencies also becoming interested, Federal and State agencies?

Jevans: Oh yes, IronKey products are quite widely used throughout the military as well as civilian agencies at the federal and state level and widely through commercial enterprise and private industry as well. So we work with Homeland Security and various directorates inside of the HS (Homeland Security). We work with a number of different healthcare agencies, with many of the civilian and DoD agencies.

Wharton Aerospace & Defense Report: Are you working with defense contractors as well? Since they are often targeted because they are working on some of the most advanced designs of weapon systems as well?

Jevans: We do work quite closely with quite a number of major defense contractors. Some of them use us as customers. They are our customers and they use our products internally for example to protect important information, to protect designs, to protect intellectual property. Some of them have mandated programs, whereby if somebody is travelling internationally with any kind of data of importance to national security, then that information is actually not allowed to be stored on a laptop, that it must be stored on an IronKey. This is in response, I think to one of the automatic hardware encryption on the device and also that we have a lot of measures to protect against malicious software or malware, and of course with a laptop it’s almost impossible to have any guarantees that it is not infected with malware.

Wharton Aerospace & Defense Report: Right, I am sure you have done this kind of market research. I am just trying to get a sense of how large in dollar terms, is the defense market for a product like yours.

Jevans: Well that is interesting because these products are evolving and so the market opportunity is continuing to expand. I see a simple market around secured portable storage and that market is probably in the $50 million to 100 million dollar-a-year-type range. But what is interesting is that these are very intelligent, multifunction, security devices. IronKey is not just a secured storage device.

It’s a whole public key authentication device. It maintains smartcard-type capabilities internally where it manages digital certificates on board. It has intelligent firmware and an operating system. And so what is happening is that they are evolving into a new class of device, where for example we run virtual machines off of the IronKey which creates secure environments on computers, even if there is malicious software on those computers. We are able to create isolated secure environments for remote access.

We even have versions where we have partnered with Lockheed Martin to create bootable ones (devices). Where you plug in IronKey into your computer and reboot and we actually boot into a secured operating system directly off the device. And so when you think about them as secure remote access tools that prevent against malicious software from accessing into government networks even if the end user’s computer is infected. When you think about a portable computing device the market of course is much, much larger, it is in the hundreds of millions of dollar-a-year.

Wharton Aerospace & Defense Report: And is that just a U.S. market, are you looking to expand beyond the US?

Jevans: IronKey is primarily active in North America mostly in the United States. However, we do have a growing presence in Europe. We have been working with the U.K. Ministry of Defense, and with a number of U.K. financial institutions and government agencies.

We have recently been approved for use at NATO and we now have a purchasing agreement by NATO agencies, and members can purchase IronKey for managing secure storage. And we are starting to see also some good market opportunity in Australia and New Zealand, and we have been working with the federal government in those markets, as well as with the commercial customers.

Wharton Aerospace & Defense Report: So in other words, you don’t have to be concerned about any ITAR - International Traffic and Armed Regulations, you know which control the export and import of defense related articles or services to foreign nations. It’s not something that this particular thing has ever fallen under—this IronKey product.

Jevans: Well, that is right. The IronKey products do fall under Department of Commerce Export Restrictions for cryptographic material. And we have been reviewed extensively by the Department of Commerce, and we have a mass market expert approval for the products which means the product can be sold and can be used and transported into most countries in the world.

As far as ITAR requirements, because the products are used for enterprise civilian-type customers and are not specifically designed as military-only products, then the IronKey products do not have to be classified under ITAR.

Wharton Aerospace & Defense Report: Great, last question David. Last year a security firm discovered some sensitive engineering documents about a U.S. Presidential Helicopter on a computer in Iran, of all places. It contained the engineering and avionics data for the existing Presidential Helicopters, the ones produced by Sikorsky. And a security firm investigated this and they found that the breach occurred outside the office, just as you were stating with the flash drives. And they suggested that in all likelihood a high level executive might have taken the data home on a flash drive, put it into his computer but when he transfers files he inadvertently put it in the shared folder with music and videos, and that happened to be connected over a peer-to-peer network. So people were able to lift that information. I was wondering, are there safeguards in place with IronKey—that even if someone has put in the passwords that if they try to put the information into a place that is so vulnerable, that it would just decline. It would not permit that kind of a movement of files?

Jevans: What you are alluding to is really the entire data protection and data management problem which is—how do I control data from being moved from one place to another inside of a computer or between computers. Candidly, it’s a challenge and the issue of course is that you would typically need software installed on every computer that you are going to be using to be able to try to control data.

As you point out, I think in the instance you are talking about, about how the helicopter information was found outside of the US—peer-to-peer networks and other kinds of malicious software seem to be responsible for part of that. Our take is a little bit broader, more proactive approach and that is why some of this use of virtualization technology on the devices, can actually create a highly secure container for working with data and carrying it around. And that data is not accessible to the host operating system. So you can’t physically copy, for example, files outside of the virtual machine environment running off the IronKey and copy them onto your computer where they could be accessed by malware. So that is a lot of the entire concept around creating a virtualized secured environment on the IronKey devices. It is to isolate your working environment, your software, your data, so that you work directly off the IronKey device and you don’t copy files onto the host computer. It creates just a completely secure bubble if you will.

And then what you can do inside of there is to allow network access back to the corporate or government networks through that VM, through that virtualized environment. And that means the files that are exchanged back and forth can only come into or out of that virtualized environment again. That creates an isolated bubble, where it’s almost like you are back inside the government agency working, because all of the data and all of the net flows are constrained to the policies that the agencies set up.

That is really taking a more broad-based proactive approach to data protection than simply, for example, trying to protect a person from copying from the flash drive into which folder they might copy into. We basically don’t trust the host computer. And for a variety of reasons it could be misconfigured file-sharing or it could be malware that has got on the computer.

Wharton Aerospace & Defense Report: Anything you’d like to add here?

Jevans: …I appreciate the opportunity to talk about some of the next generation work that is going on around using clients like virtualization to create the secured working environment. We see that as a technology that is getting a lot of excitement and interest throughout the government, and throughout enterprise environments where people are becoming much more sensitized to the fact that it’s difficult to trust the end user’s computer. Yet people are mobile, they are working from home. We need to allow people to access back into our corporate and government networks, and we need to create the secure isolated environments to prevent against malware or data loss.