Security features aren’t free. It’s somewhat counter-intuitive, but the right security level for you is the lowest one which
meets your needs. So it’s important for you to identify those needs before you investigate products.
You need to consider security for just about every buying decision. Like everything else, security is a cost/benefit trade-off,
and few types of data need top-of-the-line security features.
In the case of simple devices, like a USB drive, the only practical concern is that the drive could be lost or stolen and the data
on it exposed. The best way to deal with this is by making sure that the drive uses hardware-based encryption and enforces
the use of strong passwords. Another consideration is to set up a device-level central management program. Drilling down
on the Secure USB drives, often times buyers place a high level of importance on the FIPS (Federal Information Processing
Standards) certification level without having a clear understanding what these levels actually mean.
FIPS 140-2 describes security requirements for all types of hardware cryptographic modules. The specification defines four
different security levels which may be met by conforming products, from level one to level four. Level one is the lowest,
and it provides a moderate set of security features. Level four is the highest level, with the most stringent requirements for
self-defense and other security characteristics. Levels two and three provide gradations of these requirements and form
an often appealing middle ground. A For many device types, including USB Flash drives, the effective differences between
levels are small and often irrelevant. Few users need security features which meet level 3 and many don’t need level 2.
Many government contracts require certification of specific FIPS levels, for instance for wireless devices or encrypted hard
drives. But if there is no requirement there may also be no need. In fact, many users’ security needs are satisfied by devices
which don’t even have a FIPS certification. USB drives, for example, may not have a FIPS certification, but may still have
enterprise-grade hardware encryption, central management and hardening against physical tampering.
Let us take a look at what FIPs certification levels are for USB drives. For drives that are certified at level two, if someone tries
to physically open the drive, it will show evidence of tampering. In level three drives, this goes one step further and requires
that the encryption “keys” to unlock the data are destroyed if someone tries to physically get into the drive.
What do you really get with the higher level of FIPS certification? The first thing you’re guaranteed to get is added cost,
if only because the product has required additional in-company and outside testing. You may also pay for high-end
security features that your users do not require. For level 3, your device may have different internal wiring to prevent
someone from using special hardware to try and identify passwords being passed. Is this really a problem you need to
pay extra to prevent? Level 3 will also assure you of a higher level of protection against electromagnetic interference
(EMI) and compatibility. These standards are mostly designed to prevent interference with radio-frequency equipment
like wireless networks and cordless phones, but as a security matter emissions from such devices can sometimes be used
to read the data in use on them; hence the more stringent EMI standard required by higher FIPS levels. Should you pay
anything extra for such protection?
Cracking the data out of even a non-certified encrypted drive is hard, and within the capabilities of few people. It would
take considerable effort, more than anyone would expend to read a drive they found on the street.
Is your data worth that kind of effort? If you are storing high-value, highly-confidential data then perhaps it is. If not, and if
you’re not mandated to buy a certain level of security features, then paying for additional protection is unwarranted.