SPYRUS Windows To Go live drives turn personal computers, including many Macs (service provided by SPYRUS), into compliant enterprise Windows desktops-with or without connectivity. SPYRUS Windows To Go drives boot the OS and completely bypass the host computer’s hard drive. There is no impact on the host computer and no footprint left behind when the drive is shut down.
Windows To Go offers workers new ways to stay fully productive and connected. For starters, it makes it easier to support BYOD policies for both employees as well as for Contractors and Teleworkers. Windows To Go is even used in Computer Replacement decisions as a way to extend life and performance of computers without the full cost of replacement.
In addition, the unparalleled hardware based security features specifically found in the flagship SPYRUS Windows To Go live drives allow many government and enterprise organizations to provide new solutions for Secure Remote Access, Secure Internet Browsing, and Secure Cloud Computing Access and Storage.
Regardless of your application, there is a SPYRUS Windows To Go solution for your needs that can empower your workforce while improving security and saving money in the process.
Use Cases & Features
To meet the wide range of requirements being faced in today’s mobile computing environment, SPYRUS provides four different models of its Microsoft certified Windows To Go (WTG) drives. Each of these models is built on the same robust hardware platform and is available in a variety of memory sizes ranging from 32GB up to 512 GB; and they all take advantage of SSD memory to provide high performance over a USB 3.0 interface.
A summary of the SPYRUS Certified Windows To Go Products and Features is show below for Worksafe Pro™:
XTS-AES 256 Hardware Encryption
SPYRUS WorkSafe Pro and Secure Portable Workplace drives provide some of the strongest military-grade hardware encryption commercially available for full disk encryption to protect data at rest.
Sector-based full disk encryption is based on XTS-AES 256 encryption (NIST SP800-38E).The on-board hardware security infrastructure includes AES CBC, ECDH, ECDSA, ECC P-384, and SHA-384, which together make up the US Government’s Suite B cryptography, part of its cryptographic modernization program. All data encryption is performed in the tamper-resistant, epoxy-coated cryptographic hardware. The access password is never stored on the device, in software, or on a host computer, even in encrypted or hashed form. This safeguards the keys, passwords, and encrypted data from physical attack at all times, whether or not the WorkSafe Pro or Secure Portable Workplace is connected to a host computer.
Layered Data Security
All SPYRUS Windows To Go drives can be configured with BitLocker software encryption to protect some or all drive partitions and enabling a second layer of Defense-In-Depth encryption. BitLocker passwords are protected in the tamper proof FIPS 140-2 Level 3 encrypted hardware memory partition.
SPYRUS encrypted Windows To Go drives defend the integrity of the operating environment even when booting on compromised systems. SPYRUS patented technology enforces on-the-fly hardware pre-boot integrity validation to enable secure boot while maintaining some of the fastest boot speeds in the industry. WorkSafe Pro and Secure Portable Workplace perform extensive boot-sequence validations:
Power-on self-tests validate HW integrity and operations, FW integrity, and cryptographic operations. Any evidence of tampering shuts down boot sequence.
UEFI computers may validate the SPYRUS Toughboot™ loader to provide seamless secure preboot authentication.The SPYRUS Toughboot loader is signed by Microsoft and meets all Secure Boot criteria for driver and OS loader digital signatures. Toughboot requires a password and authenticates users in HW over secure channel before beginning load sequence.
Toughboot then decrypts the Windows To Go partition and performs a cryptographic integrity check on the Windows boot loader.
After passing all tests, the operating system boots. Windows then authenticates user accounts, and users can log in to their Windows accounts.
Built In PKI Smart Card
WorkSafe and WorkSafe Pro are the only Microsoft-certified Windows To Go drives that deliver the identity and rooted authentication capabilities of a full smart card. With WorkSafe, the FIPS 140-2 Level 3/EAL 5+ validated Rosetta Micro hardware security module embedded in all SPYRUS Windows To Go drives can be used as a traditional smartcard token for two factor authentication and other smartcard based PKI security services in your enterprise environment.
When not booted, WorkSafe serves as a readerless USB 3.0 smart card (CCID) that enables you to use your RSA and/or elliptic curve ECDSA digital certificates with any compatible computer.
WorkSafe supports PKCS #11 and Microsoft Minidriver crypto standards. The SPYRUS Minidriver Token Utility for managing the WorkSafe smart card, certificates, and passwords is automatically downloaded from Windows Update when the drive is first booted.
Keys are always generated in hardware on the embedded FIPS 140-2 Level 3 validated Rosetta Micro hardware security controller. To ensure the highest level of security, Private keys are never exported.
Administrators can reset, restore, revoke, and manage user certificates on the embedded Rosetta smart card with standard smart card management systems such as Microsoft Forefront Identity Manager and with the included SPYRUS Minidriver Token Utility.
When WorkSafe is booted, your digital ID is automatically available for PKI digital certificate functions such as:
- Smart card logon
- File signature or encryption
- Signed/encrypted email
- VPN authentication
- Web authentication
Data Vault Read/Write
Data Vault read/write partition can store changed user files even when Reset Write Protection Read-Only mode is enabled. You can also configure separate BitLocker encryption for the Data Vault and use separate passwords for each instance of BitLocker or the same BitLocker password for both the drive and the Data Vault. All SPYRUS Windows To Go drives can be configured with a Data Vault partition during provisioning.
Read Only Option
The Read Only option prevents retention of malware and other unauthorized downloads by resetting all changes to data, OS, and application files (except files in a Data Vault) when the user shuts down the drive. In Read Only mode, your operating system, applications, and data files are completely protected against alteration or infection from outside sources. Use a Read Only Windows To Go drive at an airport kiosk, over WiFi at the coffee shop, or on an untrusted home computer without worry.
SPYRUS Enterprise Management System – Device Management
All SPYRUS Windows To Go drives can be managed by an enterprise with the SPYRUS Enterprise Management System (SEMS™) for mobile device management (MDM). SEMS features include remote device disable and destroy functions, remote password reset, policy enforcement, transaction auditing, and more.
The SPYRUS Enterprise Management System (SEMS) provides secure lifecycle management on enterprise domains for USB devices. SEMS-managed drives must have the SEMS client software (separate order, requires licensed server software) installed and be joined to a SEMS domain.
Remotely disabled drives can later be cost-effectively reprovisioned and redeployed.
All SPYRUS Windows To Go drives can be configured with BitLocker software encryption to protect some or all drive partitions and enabling a second layer of Defense-In-Depth on SPYRUS hardware encrypting drives. BitLocker passwords are protected in the SPYRUS tamper proof FIPS140-2 Level 3 encrypted hardware memory partition.
» Download Data Sheet
The Anatomy of the SPYRUS Secured Endpoint Device
A detailed 3D animation of the SPYRUS endpoint device architecture, including features and benefits.
SPYRUS and Information Security Service
A explanatory summary of ISS and SPYRUS security products with examples of physical device durability.