Where did it go wrong for the once inoffensive USB memory stick? My guess is sometime in 2003 when the capacity crossed the psychologically-important 1GB threshold. From being a curiosity that had filtered through from enthusiastic consumers, scares over data theft quickly turned them into the latest public enemy of the IT world.

All of a sudden, their days seemed numbered. Company policy: ‘plug one of those into the PCs on my network, and you’re dead,’ was a cry heard more often than not throughout an unhappy corporate land.

Finally, and belatedly, security has caught up with the USB stick, in the form of a new generation of super-secure flash stick, led by SanDisk’s Cruzer Professional and Enterprise.

They look much like their consumer cousins in the same Cruzer range, but these are very different devices. Available in 1GB, 2GB, and 4GB capacities (8GB and 16GB will follow in due course no doubt), the Cruzer Enterprise puts the new developments on the inside of the drive housing in the form of a built-in encryption chip, which speeds all scrambling/unscrambling of data on the fly using 256-bit AES, without the user being aware anything is happening. Performance is claimed to be up to 24Mbits/s on reads and up to 20Mbits/s on writes, though, as expected, we scored somewhat lower.

All the user does is enter the chosen password, which must conform to certain rules by including a range of character types. Having the encryption built in means that the data never exists in its unencrypted form except when it is being worked on and, importantly, data cannot exist on the drive without any encryption being used. The encryption decision is taken away from the user.

Lose the drive and the data is safe; lose the encryption key and the data is history, enforcing a hardware reformat that destroys the data, so good key management is essential. The drive will work with a range of policy-based systems for managing storage, or SanDisk’s own CMC software.

Installation is, however, down to the user, which involves simply plugging in the drive, waiting for the device drivers to load under Windows 2000, XP or Vista, and finally choosing the password. The encrypted portion of the drive defaults to almost the whole capacity of the drive, leaving only a few megabytes free. Get the password wrong a set number of times and the drive reformats automatically as if the install was brand new.

Conclusion
The advantage of the Cruzer Enterprise is its simplicity. It adds no burden to the admin department except key management and data backup. Assuming endpoint software is already in use, this would probably not be onerous, though the step up for non-endpoint houses might be considerable, depending on the numbers of drives involved. It also means mandating that users carry these drives and not their own.

One day all flash drives will be made this way, indeed one day all storage devices will be made this way, which is to say they will employ transparent encryption. In fact, because the Cruzer has been around for about a year, it has been overtaken in the features table by more recent USB flash drives such as Kingston’s Data Traveler Blackbox. The latter is nearly identical to the Cruzer Enterprise, but goes that step further in search of regulatory perfection, meeting the stringent FIPS (Federal Information Processing Standard) 140-2 Level 2 standard. That means not only automatic and mandatory encryption to AES standards, but tamper-proofing and a power-on self test (POST) every time it is plugged in for use. It’s also made of titanium-coated steel if that matters.

That said, the 2Gb Cruzer Enterprise can be had for a very modest £12.99 ($25) on a popular website, compared around £70+ ($140+) for Kingston’s much fancier unit. Strangely, the 4GB version is still several times that price, however. The 2GB SanDisk looks like better value for money relative the security on offer either from its stablemates or rivals.

OUR VERDICT

Admins have a few choices here. 1. Ban the blighters. 2. Don't ban them but make sure people use company drives. 3. Add encryption into that mix, surely the best choice of all. Whatever path is chosen, policies will be needed to manage them, or enforce their absence.