SanDisk requires no introduction as the world's largest supplier of innovative flash memory data storage products. With their eye turned to information security, SanDisk has kindly supplied their Cruzer Enterprise USB drive for review.
The proliferation of USB drives cannot be denied. From the early days when my first USB drive in 2000 from IBM was a whopping 8 Mb in size and expensive, the USB drive now is a commodity that is given away freely at shows. Large capacity drives are readily and cheapily available.
USB drives have in particular found their way into the workplace due to their versatility and convenience. It is this very ease of use that makes them a security nightmare for IT professionals. Whilst I have yet to lose one personally, I have known many people who had and a few with of those had organisation sensitive documents on them.
What is the Cruzer Enterprise?
The USB flash drive with mandatory security is the tag line of the SanDisk Cruzer Enterprise. The key specifications are:
* hardware based 256-bit AES encryption
* Mandatory security of all files (100% private partition)
* Strong password
* Lockdown mode after a set number of incorrect password attempts
* Centrally manageable (using SanDisk CMC software, sold separately)
The Cruzer Enterprise feels reasonably well made with a matte black finish that feels a little rubbery but is actually plastic. There is no flex when you try to crush it in your hand, although when I did a quick torsion test there was a very definite crack that emanated from somewhere within the unit. The removable cap is nothing too special, it clips into place but will dislodge without a great deal of effort. The cap has a clip if you are inclined to clip it to your pocket, and a loop for a lanyard or keychain on the drive end of the Cruzer. A single blue LED provides indication of activity.
The initial setup of the Cruzer Enterprise is simple and straightforward. You accept the licence agreement, choose your password and hint and it is ready to go. The password setup screen will prompt "The password must be 6 to 16 characters long and contain at least three of the following: upper case letters, lower case letters, digits and special characters."
SanDisk claims a transfer speed of 24 Mb/s read and 20 Mb/s write. My basic testing shows the drive seems reasonably fast at transferring files. Naturally single large files will perform much better than multiple small files.
From an end user point of view, the Cruzer Enterprise is just another USB thumb drive. Once the correct password is entered, it is transparent to the user except for the appearance of two drive letters (one for the built in security launcher).
The Cruzer Enterprise is supported on Microsoft Windows 2000 SP4 or higher, XP SP1 or higher, Vista and 2003 Server. Additionally support has been added in early December via firmware update for Mac OS X support. It is a great sign that SanDisk is serious about tackling information security.
The centrally managed the Cruzer Enterprise in an organisation, the CMC (Central Management and Control) software is available separately. The CMC has on paper a comprehensive enterprise grade functionality in managing the USB drives. More information is available here.
Whilst the SanDisk Cruzer Enterprise was simple to get going, there were a few items I felt should have been made more clear. Firstly the password policy is not displayed until you have attempted a password that does not meet the requirements. Secondly there was no complexity meter when you are entering your password. Thirdly it is not clearly indicated anywhere that you have 10 attempts before the device becomes permanently disabled. The device however will tell you when you have 4 attempts or less left. Lastly there appears to be no timeout mechanism to automatically lock the device after an period of idle time.
I applaud the steps SanDisk has taken with the Cruzer Enterprise. Not only have they created an USB drive with enforced security, they have created a centralised management tool for these drives. It is a tool that IT professionals can seriously consider introducing into a workplace, but it is not the be all and end all of USB drive security.
Unlike a gadget such as a Blackberry which most people will only carry one of, it is far easier to have multiple USB drives in comparison. Security is a broad term to use and an difficult animal to tame. Issuing SanDisk Cruzer Enterprise to your staff does not stop them from buying their own non-secure drives to bypass security. The Cruzer Enterprise however can be a tool to be deployed in conjunction with system policies, user policies as well as a cultural change in thinking of an organisation.
The SanDisk Cruzer Enterprise is available in 1, 2, 4 and 8 Gb capacities with prices ranging from AUD$80 for the 1 Gb version. Yes there are far cheaper "simple" USB drives, but consider this an investment in your information security armoury.