A friend asked me about IronKey today and my first recollection was that I stopped by their booth last year at RSA. So I initially responded that as far as I could remember, it was just another secure USB storage play. But since he was asking, I figured I would revisit it, especially when he mentioned that Bill Harris is currently their Chairman of the board. He was with Intuit, then PayPal, then pAssmark (yes, that’s the proper spelling, where the “p”, like the security, is silent) and sits on a variety of boards. Why does that matter? Bill Harris has been involved in a lot of things that run parallel to my own career over the past decade and he’s found lightning-strikes more than once. Me? No lightning yet <grin>.

So like anyone, I started with the web site and it pretty much confirmed my recollection. I read the most recent article from their PR page and it revealed some interesting details. I won’t recap it, you can go read it at your leisure.

Certainly has some nice functionality, but the price is prohibitive even for me, one of the paranoid and willing to pay to resolve my condition. I’m completely happy carrying Roboform2Go around on a much cheaper finger biometric USB. I further protect the Roboform data encrypted with a second-factor key-file setup using TrueCrypt. Though Roboform touts their use of AES for encrypting their data, big deal, the weakness is still the fact they are, at base, reliant on a password from which they generate keys. Me, I’m big into true multi-factor security, you know, some combination of:

  • Something you know (password / passphrase),
  • Something you have (typically a smartcard, but in my case files I use as my TrueCrypt keys on a separate device),
  • Something you are (biometric of choice, in my case my fingerprint(s)).

So using my finger biometric USB, with TrueCrypt using key-files from another location and of course my Roboform password, I get all three factors. Purchasing Roboform, my biometric USB and free TrueCrypt comes in well under the $149 IronKey price for their 4GB. The other benefit of my configuration is that for the same dollars spent on Roboform ($40) and TrueCrypt (free) I can do the same thing using all 80GB of my iPod or at least whatever is left over with my podcasts on the iPod. Sure, in this case I only have two factors, not three, but they are still two solid factors such that anyone stealing or finding my iPod would have no ability to get at the encrypted data (remember the files I use as my TrueCrypt keys are not on the iPod itself). Of course, there may not be many others in the general consumer market likely to be aware of the cheaper, more flexible options and how to use them to construct their own secure portable storage.

Of course, IronKey isn’t the only game in town and at their price, I’m not sure the security advantages are going to be obvious to those comparing IronKey to GuardID’s IDVault. If the purchaser is looking for secured surfing I suspect the IDVault will win, but if secure data storage on a portable device is the goal, IronKey all the way. These devices are actually nothing alike, but will Joe Noob at the Best Buy rack understand beyond $40 vs. $150? It all comes down to marketing as usual and Bill Harris does know how to do that, so I’m not betting against him and the IronKey team. I’m just not likely to be one of their customers unless their service offering increases in some interesting direction… say, making CardSpace cards portable and still secure such that IronKey serves as my Identity Provider playing with OpenID while also making OpenID secure.

Yeah, that would have my attention and likely my $$.

Hey Bill or Mr. Harris, if you prefer; I’m available to help with that <grin>!

Originally published March 18, 2008