IronKey has announced enhancements to its S200 product,
along with a new lower cost model called the D200, and
a software update v2.02 for existing customers of the IronKey
S100 products.
The IronKey S200 and D200 products contain a next generation
chipset including an updated IronKey Cryptochip capable of
AES 256 bit encryption. The S200 and D200 products have
achieved FIPS 140-2 Level 3 validation. The new chipset
supports drive sizes up to 16 GB in the S200
model and 32 GB in the D200 model.
Also in the S200 and D200 are firmware and software
enhancements frequently requested by customers including the
following:
o The ability to convert an IronKey Basic drive to an
IronKey Enterprise drive
o A Device Reset feature for IronKey Basic S200/D200s as an
alternative to Self-Destruct
o Device initialization for Mac computers and a Mac Control
Panel
o Support for network policies and Silver Bullet Services on
Intel-based Macs
o Proxy support for Microsoft ISA
o Device serial number integration with the USB 2.0 name
field
o Identity Manager Backup and Restore Improvements
o Section 508 compliance
The software update for existing customers of IronKey S100
products gives existing IronKeys all of the
above features, except for Basic Drive Reset, 256 bit
encryption and 16/32 GB sizes, which are only
available through the 200 series hardware.
General Questions
Are there any differences in capability between the S200
and D200 devices?
The features of the S200 and the D200 drive are functionally
the same. They both use the AES 256
Cryptochip and run the same software.
Why did IronKey create different hardware in the 200
Series devices?
Different customers have different needs. The D200 is
focused on the market for general purpose mobility while
guaranteeing compliance and data security. For these
customers the main requirements are usually compliance, data
security and lower cost of ownership.
Other IronKey customers have identified specialized use
cases or applications for USB drives that
require unique performance attributes. These use cases
include running a number of portable
applications from the drive or using the drive to host a
virtualized desktop environment. These types of
use put heavier demands on the drive and there is a need for
a premium product to meet those needs.
This premium product is the S200.
Who should use D200 drives and who should use S200
drives?
The S200 and D200 are positioned as follows:
D200
Target: Office workers who use their drive for
file transfers of large amounts of data to share
with others, bring work home, or perform periodic
backups.
Value Proposition: The IronKey D200 is a high
quality Secure USB, which guarantees compliance with
regulatory and company security policy, and offers a
superior value due to its competitive price point,
manageability, and lower Total Cost of Ownership.
Positioning Highlights
– Ruggedized, waterproof and tamper resistant
– AES 256 with FIPS 140-2 Level 3 validation
– Self-defending against physical, malware
and password attacks
– Enforces policy and guarantees compliance
– Available as managed solution
– Unique policy enforcement, usability and field
maintainability

S200
Target: Power Users who place heavy daily
backup demands on their drives, use the drive for
portability of a virtual desktop, or regularly use
the on-board applications such as the secure
browser.
Value Proposition: The IronKey S200 is the
premium offering which offers guaranteed
encryption with superior performance and
durability. The S200 is highly recommended
for any write-intensive portable applications or
a virtualized desktop environment.
Positioning Highlights
– Ruggedized, waterproof and tamper resistant
– Market leading performance and longevity
– Robust platform for consolidating mobile data
security and business continuity
– AES 256 with FIPS 140-2 Level 3 validation
– Self-defending against physical, malware and
password attacks
– Enforces policy and guarantees compliance
– Available as managed solution
– Unique policy enforcement, usability and field
maintainability
What are the specific technical differences in the
products and how do they impact users?
The difference is that the D200 uses Multiple Level Cell
(MLC) memory and the S200 uses Single Level
Cell (SLC) memory. This gives them different speed and
lifespan attributes.
The speed ratios between them vary with the size of the
drive but to generalize, the SLC memory drive
is faster by about 20% at the larger size drives (8 and 16
MB). The difference is greater in the smaller
size drives.
SLC memory also lasts longer than MLC memory as measured by
the number of write operations on
the drive. While MLC memory is adequate for most casual
uses, the SLC lifespan is estimated at 7 to
10 times longer than MLC and is recommended for uses and
applications related to business continuity.
When would I recommend purchase of the S200 device?
Again, the performance advantages of the S200 are very
desirable for “power users” or for
organizations that are consolidating data security and
business continuity applications on a single
device. IronKey recommends the use of an S200 drive for any
application or use cases that are
intensive in read and write file operations. This would
include a drive that is used for a daily backup
from a PC hard disk and/or a drive that is used to run a
Virtual Machine application. In addition, any
user who makes frequent use of the IronKey secure browser,
or a self-installed portable application, will
appreciate the performance difference. These applications
read, write or cache files frequently and will
definitely benefit from both the performance and lifespan
advantages of the S200.
I just bought my S100 IronKey and now you have a new
model. Can I trade it in for that model?
No, while IronKey has a generous product warranty we do not
have a hardware return policy in
exchange for new products.
However, note that all IronKeys are updateable and there
will be a software update version 2.02
available that provides nearly all of the S200 software
features. This includes:
o The ability to convert an IronKey Basic device to an
IronKey Enterprise device
o Device initialization for Mac computers and a Mac Control
Panel
o Support for network policies and Silver Bullet Services on
Intel-based Macs
o Proxy support for Microsoft ISA
o Device serial number integration with the USB 2.0 name
field
o Identity Manager Backup and Restore Improvements
o Section 508 compliance
Also note that the current S100 products are actually
designed for FIPS 140-2 Level 3 compliance – we
just chose not to submit the S100 for validation so we could
focus on the S200.
The only things you don’t get by updating an S100 drive are
Device Reset for Basic and 256 bit
encryption – but IronKey 128 bit encryption is very strong
AES CBC mode encryption.
Convert and Reset Capabilities
How does a customer procedurally convert a Basic device
to an Enterprise device?
At a summary level there are 3 essential steps to convert
Basic to Enterprise:
1. A customer needs to purchase and activate either an
online IronKey Enterprise account service
or the IronKey Enterprise Server and the appropriate license
count if they do not already own
these products.
2. The customer needs to create Enterprise user device
accounts for the Basic devices which will
be converted.
3. The device(s) must be reinitialized using an activation
code that is created during step # 2
above. This step is accomplished through the device Control
Panel settings.
Note that new S200 and D200 devices will come with
convertibility built into them. Existing customers
of S100 drives will first need to update their drives to
software version 2.02 to make them convertible.
Can I convert an IronKey Personal drive to an Enterprise
drive?
No, at this time the feature is only available for IronKey
Basic devices. Generally, IronKey Personal
drives have not been purchased by the type of user who
requires Enterprise management, although we
may provide this capability in the future if warranted by
the market.
What does the IronKey Device Reset feature do?
This is a new feature for IronKey Basic devices that gives
customers a choice for how they wish to
protect their data in the event the incorrect password is
entered into the drive 10 consecutive times.
This situation can be an indicator that the device is under
attack by someone that has stolen a drive or
found a lost device.
The default behavior of an IronKey Basic device is to
“self-destruct” to protect the data from an
assumed attack if the incorrect password is entered 10
consecutive times. However, we have
frequently been asked by customers to provide a second
choice that protects the data but allows the
device to be reused. This choice is Basic Reset, which will
destroy the user encryption keys, but
enable the device to be reinitialized and reused as if it’s
new.
How is Drive Reset for Basic different from the IronKey
Recommission feature?
The Recommission feature is an Enterprise feature associated
with a managed device.
Recommissioning is performed by the administrator, generally
to reassign a device to another user, but
could also be used to wipe the data and reset the drive to
its original state for the same user. The
Recommission feature works in concert with other policy
features for Enterprise drives such as device
disabling, password recovery and configurable password
settings. As a whole, the Enterprise features
give customers a lot of flexibility in how they handle and
support events related to password threats and
problems.
In contrast, IronKey Basic drives are not managed, and have
traditionally not had a configurable reset
option. However, we have gotten so many requests, we have
added the feature. Since Basic drives do
not have remote administration, the capability is configured
directly on the drive.
Is Device Reset less secure as an attack defense
compared to Self-destruct?
Technically, it is less secure, because the Self-Destruct
feature provides the ultimate protection against
decryption by permanently disabling the device Cryptochip.
In Reset, the IronKey encryption keys are
completely zeroized to make the drive incapable of
decryption but the chip is still functional. Customers
who choose to reset rather than destroy drives do so because
they wish to re-use them.
As the World’s Most Secure Flash Drive, IronKeys default to
self-destruct. But for some customers re-usability is a
higher priority and thus we have provided a choice.
How is Device Reset enabled?
When a drive is first initialized the user is given a choice
to enable Device Reset on the same screen where they create
their password. It can also be enabled or disabled anytime
during the device's active life through the Control Panel
settings. Otherwise, the default configuration is for
self-destruct as had
previously been the only option.
FIPS 140-2 Level 3
What is the market significance of the S200 and FIPS 140-2
Level 3 validation?
This is a very important issue for the Government market. We
anticipate that this will allow us to
participate in bids for government business in which we are
currently not participating.
For private industry, Level 3 validation is further evidence
of our market leadership and validation of our
tagline, the World’s Most Secure Flash Drive. This is yet
another IronKey competitive advantage.
Other competitors have 256 bit encryption – does that
mean they are FIPS 140-2 Level 3 too?
No, definitely not. In fact, 256 bit encryption is not a
Level 3 requirement although it is an important
feature enhancement. There are actually 4 requirements to
Level 3 that exceed Level 2. These are:
– Level 3 requires capabilities to actively detect and
prevent threats to cryptographic modules as
opposed to merely showing evidence of tampering
– Level 3 requires identity based authentication mechanisms
to enhance Level 2’s role-based methods
– A trusted path between the cryptographic module and the
system providing the data to encrypt or decrypt
– Level 3 requires the device to support general purpose
operating systems that are certified for Common Criteria EAL
3 or an alternative trusted operating system
Only FIPS 140-2, Level 3 validated devices meet all of those
criteria.
Are IronKey S100 products Level 3 validated?
No. The currently shipping versions of the S100 drives are
actually designed for Level 3 compliance
but IronKey did not submit them for testing at this level.
This was purely a business decision as we
wanted to focus our efforts on the new IronKey 200 series
products.
Note there is an important distinction between a vendor
claiming they are Level 3 compliant and having
that validated. Being validated means you have actually put
your claims to the test and the National
Institute of Standards (NIST) has tested your product
against an objective set of criteria. We have done
that for our 200 series of products and our validation
proves we passed the test.
Updated Mac Support
I thought IronKey already supported Macintosh computers?
Yes, we have for a long time. However, while previous
IronKey versions had Mac encryption capabilities equivalent
to IronKey Basic on Windows, the drive had to be activated
and configured on a Windows computer. Likewise, since the
Mac did not have an IronKey Control Panel, changing the
password or other settings also had to be done on a Windows
computer. Now, IronKey software v2.02 adds the capability to
activate on a Mac, gives the Mac a Control Panel, and also
enhances Mac enterprise management.
In summary, IronKey 1.4 Basic for Mac has essentially become
the same as IronKey 1.4 Basic for
Windows, except that the Secure Browser and Secure Backup
applications are not available. Note that
all new Mac OS features require an Intel-based Mac running
10.4 or higher. See the appendix for a
complete list of the functional differences between IronKey
support for Macs and Windows computers.
Can IronKey Enterprise policies be enforced on a
Macintosh computer?
Yes, with qualifications, IronKey Enterprise policies can
be enforced on a Mac computer. A summary of
the supported policies is as follows:
o Password policies
o Lost and found policy
o Whether user can have an online my.ironkey.com account
o Password backup policy
o Check for device up policy
o Time-out AutoLock policy
o Access controls and Silver Bullet Services
Qualifications: IronKey software application policies
are not on the list because onboard IronKey
software tools such as Secure Backup are not available on a
Mac. See the appendix at the end of the
document for a complete matrix summary of differences
between Mac and Windows.
Can I update my IronKey on a Macintosh computer?
No, this is not supported. The update must be performed on a
Windows computer. Then, the updated
software will work on a Mac.
Miscellaneous Features
What benefit is provided by integrating the device serial
number with the USB 2.0 name field?
There are several benefits. By integrating the IronKey
serial number into the standard USB 2.0 name field,
the serial number is available to Windows and other
operating systems. Thus, it can be used for
security whitelisting by endpoint security products and for
inventory tracking by asset management
products. For large-scale deployments, the IronKey admin
console information (which now includes the
serial number) can be exported to a CSV file format for
electronic transfer to another system.
Second, within IronKey software, the serial number appears
in the device Control Panel and is
automatically associated with the user that activates the
device in the IronKey Management Console.
Finally, the device serial number is visible to the user in
the Control Panel interface, which can be
useful when contacting a help desk for assistance.
How does the device time-out policy work, and why is it
useful?
For IronKey Basic or Personal, a user-controlled setting
automatically locks a device if it is inactive for a
specified period. It’s useful in cases where a user leaves
the IronKey unattended and unlocked. The
device will lock itself, even if it’s being used on a
computer that isn’t connected to the network. For
IronKey Enterprise, this setting can be controlled by
policy.
Why do I need the Autolock on time-out feature if my
computer locks itself after time-out?
Not all computers are configured to time-out, and you might
use your IronKey on a computer that
doesn’t lock itself. So the time-out feature ensures that
your IronKey will lock itself after the time-out
period if you walk away from the computer.
What is 508 Compliance, and what has been added to
IronKey 1.4 to achieve 508 Compliance?
Section 508 is part of a 1998 U.S. Federal law that requires
Federal agencies' electronic and
information technology to be accessible to people with
disabilities.
As part of IronKey’s mission to make security products
accessible to everyone, we have worked to
ensure that the IronKey is Section 508 compliant. The
IronKey Control Panel and Secure Backup are
accessible by keyboard navigation and screen reader software
for people with disabilities.
This is an important enhancement for bidding on government
contracts and for private industry that does
business with government. Some state governments and non-U.S.
national government agencies
require Section 508 compliant products as well.
Windows vs Mac Feature Comparisons
