Windows To Go WorkSafe Pro
The milspec hardened WorkSafe Pro is the best practice administrative workstation device that ensures security, portability and durability. With a form factor that is 25 times smaller than a laptop and a price point that is one third the cost, the encrypted WorkSafe Pro SSD drive securely boots into a host computer via a USB 3.0 interface, bypassing the host computer’s hard drive and security threats. This process provides a secure, isolated, hardened instance of the company’s standard Windows image for use with activities requiring escalated privilege. Built with hardware based encryption, an embedded FIPS certified smart card, and a rugged, tamper protected chassis, the WorkSafe Pro secures the endpoint where important credentials are often compromised. Leveraging the integrated PKI based smart card as a part of a high assurance, auditable multi-factor authentication process, the device ensures that an authorized individual is granted privileged access.
- Purpose built high assurance environment – following audit standards like NIST 800, PCI, and ISO 27001, activities that allow different security or risk levels should not co-exist in the same environment. The WorkSafe Pro used as a PAW isolates sensitive transactions to a portable, high security device that can also be configured for secure remote access.
- By enabling a read-only mode, the device can allow temporary writes to the drive that are rolled back to a known secure starting point each time the device is restarted. This eliminates undesired changes during its use.
- With remote device management enabled, audit logging, remote disable and remote wipe capabilities address additional risks.
- Smart Card – the WorkSafe Pro includes an embedded FIPS 140-2 Level 3 certified, tamper-proof smart card. This enables companies to map an Active Directory user to a WorkSafe Pro’s smart card, enforcing the “something you have” requirement in multi-factor authentication. This assures that the network user is who he or she claims to be.
- Secure Boot – The host computer hard drive is bypassed, including threats contained on it. The device’s drive remains encrypted until a boot password is satisfied; the device enforces preboot validation to secure the boot process and it supports UEFI Secure Boot.
- Hardware encryption – the entire storage drive is built on military-grade XTS-AES 256 hardware encryption, providing strong operating system, application, and data protection. The hardware encryption requires that a PIN be satisfied in order to gain access to the encrypted information. Leveraging this encryption with computer certificates issued through Active Directory Enterprise Certificate Authority (PKI), the company gains assurance that the machine is authorized as a PAW and has the right to allow a user to connect for privileged access.
- BitLocker encryption – BitLocker software encryption provides an optional, additional layer of security with its own configurable PIN. BitLocker keys are stored in the hardware-encrypted compartment where they remain inaccessible to threat actors.
- Up to Four (4) independent authentication controls – The WorkSafe Pro can be used to require up to four different people to participate in gaining access to a protected system. This helps to enforce separation of duties and strengthen processes around sensitive data access. The four factors that can optionally map to different people are: (i) possessing the device, (ii) satisfying the hardware encryption PIN, (iii) satisfying the BitLocker PIN, (iv) satisfying the smart card PIN.
- Durability – The WorkSafe Pro device, like all the “To Go” family devices, delivers the highest physical standards in design and component materials. These devices meet military specifications for shock, vibration, hot and cold temperatures, and even water immersion. These environmental conditions are generally destructive to laptops and tablets.
- Care-free Portability – You can carry this device as your “PC in your Pocket” and do not have to be careful – it protects itself.
- Cost effective – 1/3 the cost of an average laptop and 25 times smaller.
- Optional management – with the optional remote management enabled, the device access PIN can be remotely reset and the device itself can be audited, disabled, and wiped. The management data is encrypted and access to the management system is governed by smart card based authentication from specific PAW devices assigned to your organization.