Federal Computer Week had an interesting story about an Inspector General report that recommended removable hard drives for the Justice Department instead of two laptops, each with different policies.
It is actually one of the strangest audit reports I’ve ever seen – one with prescriptive guidance and a recommendation for cost effectiveness. On the one hand, I applaud the effort, but (unfortunately) it really shouldn’t be coming from an audit group. It is a straight conflict of interest for future audits. (That’s why I eventually moved out of audit and into security architecture.)
Regarding the solution itself, I was initially somewhat positive about it, but after further thought I believe it to be a lot of work that will lead to confusion among employees. I don’t like the idea of individuals mentally "switching" back and forth between security policies, and the removable hard drive ends up being a physical facade for logical security anyway. Here is an excerpt from the report that demonstrates this:
"In order to enhance security of the classified information when using removable hard drives, system administrators must define user profiles within the operating system for classified portable computers. For example, IT security personnel at the National Reconnaissance Office and National Security Agency told us that a multi-user operating system, such as Microsoft Windows 2000 or XP, allows system administrators to define computer users’ profiles and therefore restrict access to the computer’s input/output ports. Specifically, the access to the unclassified drive when the removable classified hard drive is in use can be controlled by the definition of the user’s profile. In addition, they also said that users’ profiles can allow access to Internet connections when the classified hard drive is not in use."
This sounds to me like a second hard drive mounted on an existing system (though there is some text earlier that seems to indicate a separate system). In that case, the weakest policy sets the level of security for the system, and we’d have classified data being run on unclassified machines. Therefore, you need a strong security policy to begin with and an implementation of logical controls.
The only "physical" aspect to this recommendation is the container aspect; there are no crypto chips involved. There would certainly be a benefit to being able to lock the physical drive in a safe, but I believe the increased risk of mounting it on a system that shares strong and weak policies would outweigh this benefit. Better to increase the overall logical security around the programs and the data in the end.