Jul 29 2014

How One Agency Takes Windows To Go

Bootable thumb drives help users keep their work and personal data separate.

When Barry West, CIO of the Pension Benefit Guaranty Corp. (PBGC), began evaluating mobile technologies that could make agency employees happier and more efficient, he started with a simple goal: Let them carry one notebook instead of two. Like many agency CIOs, West was looking for ways to launch a bring-your-own-device (BYOD) deployment, but he had security concerns.

“Some users were continually going back and forth from personal emails to government communications, sending email and files back and forth,” he says. “We wanted to come up with a solution where we could compartmentalize people’s personal files away from those of the corporation.”

Barry West, CIO of the Pension Benefit Guaranty Corp.

But could he make it happen on a single mobile computer?

PBGC may have found a solution in Microsoft Windows To Go, a fully manageable, enterprise operating system image installed on a bootable, certified USB drive. A user inserts the drive into any USB port of any system to create a secure instance of the agency’s computing environment. West calls Windows To Go, a feature of Windows 8.1 Enterprise licensed under Microsoft Software Assurance, “the first viable solution we found.”

Secure Windows Wherever

Windows To Go gives government agencies a new option for supporting mobile workers without compromising information security. With a secure, agency-managed OS loaded on a fully encrypted thumb drive and connected to a user’s computer or notebook, the host system’s local OS and hard drive are completely cut off from professional work. The OS acts like an agency-issued system, allowing users to log on, use their applications and access the enterprise remotely via a virtual private network client.

Complete segregation of work data is possible — and critical. “The last thing you want to do in government is take a personal device to your lab for investigation, or at the very worst destroy it if there’s an indication that classified information has accidentally been leaked,” says Luke Berndt, program manager in the Department of Homeland Security’s Science and Technology Directorate.

Today, PBGC is testing a small deployment of Windows To Go devices. “We’re taking this slowly because it’s so new, but it’s been very successful,” West notes. “We’re six months into the deployment, and the users are at home, on the road, up on Capitol Hill, always traveling and giving presentations.”

Because it doesn’t require new computers, Windows To Go can be deployed easily and at a reasonable cost. The most important step is selecting the best USB thumb drive for the job.

“Choosing the right drive size and the right combination of applications is key,” West says, noting that most Windows To Go–compatible drives have 32-, 64- or 128-gigabyte capacities. Because the core OS takes up much of the space, reserving enough room for applications and data is vital. Vendors such as Imation, Kingston, Spyrus and Western Digital all sell Windows To Go–certified drives.

West says there have been no performance issues with PBGC’s pilot. “In fact, the OS performance has been better than on standard hard drive–based systems,” he says.

However, Jason Fossen, a principal security consultant at Dallas-based Enclave Consulting, says anyone pondering a Windows To Go deployment in the near future should think through the choice between USB 2.0 versus USB 3.0 interfaces.

“Given USB 3.0’s much better data transfer rates, ideally you’d deploy USB 3.0 ports with USB 3.0 flash drives because the raw speed would translate into user happiness and acceptance,” Fossen says. “Of course, many tablets only have USB 2.0 interfaces today. So for the near term, making a premium USB 3.0 purchase could add to the deployment costs, but as USB 3.0 proliferates next year, it will become a nonissue.”

Managing Security Concerns

The biggest issues around any BYOD deployment involve security. The idea of hundreds of workers doing confidential work on their personal systems can frighten even the bravest IT guru. Matt Sarrel, executive director of technical marketing for IT consulting firm Sarrel Group, says Microsoft has it covered.

“Microsoft provides BitLocker encryption for Windows To Go USB drives,” he says. “It encrypts data on the USB drive using 128-bit AES encryption, and beyond that, most of the drives are encrypted at 256-bit.”
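The isolation and encryption properties described above can be verified from inside a booted workspace. The following PowerShell posture check is an added example, not PBGC's or Microsoft's code; it assumes an elevated session on Windows 8.1 Enterprise with the built-in BitLocker and Storage modules, and that the agency's policy expects AES-256 on the OS volume.

```powershell
# Added example (not PBGC's or Microsoft's code): posture check run from an
# elevated PowerShell session inside a booted Windows To Go workspace.
# Assumes the built-in BitLocker and Storage modules and an AES-256 policy.
#Requires -RunAsAdministrator

$findings = @()

# 1. Confirm the running OS identifies itself as a portable (Windows To Go) workspace.
$os = Get-CimInstance -ClassName Win32_OperatingSystem
if (-not $os.PortableOperatingSystem) {
    $findings += 'OS does not report itself as a portable (Windows To Go) workspace.'
}

# 2. The workspace must boot from USB, and the host's internal disks must stay
#    offline so no work data can land on the personal machine's hard drive.
$bootDisk = Get-Disk | Where-Object { $_.IsBoot } | Select-Object -First 1
if ($bootDisk.BusType -ne 'USB') {
    $findings += "Boot disk $($bootDisk.Number) is on bus '$($bootDisk.BusType)', not USB."
}
Get-Disk |
    Where-Object { -not $_.IsBoot -and $_.BusType -ne 'USB' -and -not $_.IsOffline } |
    ForEach-Object {
        $findings += "Internal disk $($_.Number) ($($_.FriendlyName)) is ONLINE inside the workspace."
    }

# 3. The OS volume must be fully BitLocker-encrypted, protection on, AES-256.
$osVol = Get-BitLockerVolume -MountPoint $env:SystemDrive
if ($osVol.VolumeStatus -ne 'FullyEncrypted') {
    $findings += "OS volume status is '$($osVol.VolumeStatus)', not FullyEncrypted."
}
if ($osVol.ProtectionStatus -ne 'On') {
    $findings += 'BitLocker protection is off or suspended on the OS volume.'
}
if ($osVol.EncryptionMethod -notmatch '256') {
    $findings += "OS volume uses $($osVol.EncryptionMethod); an AES-256 method was expected."
}

# Report: an empty findings list means the workspace matches the expected posture.
if ($findings.Count -eq 0) {
    Write-Output 'PASS: Windows To Go workspace posture matches policy.'
} else {
    Write-Output 'FAIL:'
    $findings | ForEach-Object { Write-Output "  - $_" }
}
```

A non-empty findings list is a reason to pull the drive from the pilot until the image or drive is corrected.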

The number of possible key combinations that 256-bit AES encryption generates, requiring billions and billions of years to crack using brute force techniques

SOURCE: “How secure is AES against brute force attacks?” (EE Times, May 7, 2012)

The Homeland Security Research Projects Agency was an early proponent of secure, bootable USB drives and provided funding to early developers. The U.S. Government Configuration Baseline was used as the basis for Windows To Go’s security configuration, so the OS complies with the Federal Information Processing Standard 140 and 140-2 requirements for full-disk encryption.

What if a USB drive is lost or stolen? “Beyond our standard asset management protocols, the device would be disabled and removed from the domain,” West says. “And the full-disk encryption prevents the device from being accessed by unauthorized users.”

Using the right tools for the right job is what matters most, says Berndt. “I’m excited about where mobility is going. There are some real productivity gains to be made” — starting, perhaps, with the benefit of carrying one notebook instead of two.
