Q

Rating Windows 7 mobile device encryption

Is it true that Windows 7 mobile device encryption isn’t on-board? How does that affect the phones’ security? Expert Michael Cobb looks at how mobile encryption is vital to enterprise security.

I heard that Windows 7 Mobile does not have on-board encryption. Is that true? What are the implications? Should we proceed or delay enterprise deployment as a result?

Let me start by looking at what is meant by on-board encryption. In its truest sense, it refers to encryption being provided by hardware-based technology. Seagate Technology LLC and LaCie hard drives, for example, perform all cryptographic operations and key management within the drive itself. The main advantage of hardware-based encryption over software-based encryption is that a device can't be started without proper authentication.

On-board software-based encryption refers to products that incorporate a cryptographic module that is part of the operating system. Each BlackBerry, for example, contains the BlackBerry Cryptographic Kernel, a software module that provides the cryptographic functionality required for basic operation of the device, and which meets the requirements of FIPS 140-2 Security Level 1.

With these two forms of encryption, trust is placed either in the on-board security chip, as in the iPhone, or in the phone operating system's built-in encryption to perform all cryptographic operations. Smartphones running OSes such as Android and Windows 7 mobile rely on cryptographic libraries to provide encryption, so you are relying on the developer of each application to correctly implement and deliver data security. This is complicated by the fact that the OS doesn't include framework support for secure password storage and key management.

Mobile 7 does provide various security controls, including SSL-secured connections, password complexity enforcement, remote wipe and reset on multiple failed login attempts, idle timeouts and Bluetooth connection control, all of which can be managed via Exchange ActiveSync (AES) mailbox policy settings. Mobile 7 applications also run in a sandboxed process, isolated from other apps and with no direct access to the underlying operating system's file system. Each application's data is stored in Isolated Storage, but you are relying on the application to encrypt it, not the phone.
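To make the last point concrete, the following is an added example (not code from the article or from Microsoft) of what an application has to do for itself: encrypt a value before it is written to Isolated Storage and decrypt it on the way back out. It assumes the Windows Phone OS 7.1 SDK, where the System.Security.Cryptography.ProtectedData class (the phone's Data Protection API) is available; the class name, file name and entropy string are this example's own choices.

```csharp
using System;
using System.IO;
using System.IO.IsolatedStorage;
using System.Security.Cryptography;
using System.Text;

// Added example, not from the article: a small helper that keeps a secret
// in Isolated Storage only in DPAPI-protected form. Assumes Windows Phone
// OS 7.1, where ProtectedData exists; names below are hypothetical.
public static class ProtectedAppStorage
{
    // Optional entropy mixed into the DPAPI protection. It is not a secret;
    // it just binds the blob to this use so another code path in the same
    // app cannot casually unprotect it. Constructed value.
    private static readonly byte[] Entropy = Encoding.UTF8.GetBytes("isostore-v1");

    // Encrypts a string and writes only the ciphertext to Isolated Storage.
    public static void SaveSecret(string fileName, string plaintext)
    {
        byte[] clear = Encoding.UTF8.GetBytes(plaintext);

        // The OS derives the key and ties it to this application on this
        // device; the application never sees or stores the key itself.
        byte[] protectedBytes = ProtectedData.Protect(clear, Entropy);

        // Do not leave the plaintext copy in memory longer than needed.
        Array.Clear(clear, 0, clear.Length);

        using (IsolatedStorageFile store = IsolatedStorageFile.GetUserStoreForApplication())
        using (IsolatedStorageFileStream stream =
                   new IsolatedStorageFileStream(fileName, FileMode.Create, FileAccess.Write, store))
        {
            stream.Write(protectedBytes, 0, protectedBytes.Length);
        }
    }

    // Reads the ciphertext back and decrypts it; returns null if no file exists.
    public static string LoadSecret(string fileName)
    {
        using (IsolatedStorageFile store = IsolatedStorageFile.GetUserStoreForApplication())
        {
            if (!store.FileExists(fileName))
                return null;

            byte[] protectedBytes;
            using (IsolatedStorageFileStream stream =
                       new IsolatedStorageFileStream(fileName, FileMode.Open, FileAccess.Read, store))
            {
                protectedBytes = new byte[stream.Length];
                int read = 0;
                while (read < protectedBytes.Length)
                {
                    int n = stream.Read(protectedBytes, read, protectedBytes.Length - read);
                    if (n <= 0) break;
                    read += n;
                }
            }

            // Unprotect throws CryptographicException if the blob was altered
            // or was written by a different app or device; callers should
            // treat that as "no credential available" rather than retry.
            byte[] clear = ProtectedData.Unprotect(protectedBytes, Entropy);
            try
            {
                return Encoding.UTF8.GetString(clear, 0, clear.Length);
            }
            finally
            {
                Array.Clear(clear, 0, clear.Length);
            }
        }
    }
}
```

The point of the example is where the trust sits: the ciphertext in Isolated Storage is only as good as the application's decision to call the protection API, and the protection is bound to the app and the device rather than to a device-wide encrypted file system. It does nothing for data the application writes elsewhere in clear, and it is still the mailbox policy (password, failed-attempt wipe, idle lock) that decides whether a lost phone can be unlocked and run the app in the first place.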

The key security issue when looking at smartphones is how you mitigate the risk of a lost, stolen or compromised phone. Data encryption is imperative for any mobile device and on-board encryption makes it so much easier to enforce. Furthermore, if a device is lost or stolen and you can confirm remote destruction of the data, you limit further unauthorized use and downstream liability.

If your organization runs a Microsoft-based infrastructure, then mobile device security controls are implemented via Exchange AES. Although an Enterprise 2007 or 2010 Exchange client access license (CAL) provides a richer set of controls than a standard CAL, Mobile 7 only supports a subset of the 40 available mailbox policies, so you need to thoroughly review which controls you need and whether or not they can be implemented in your environment. Also be aware that you don't have to use Mobile 7 to use AES, but again, you would need to check which technical controls natively available in Microsoft Exchange work with other compatible AES client phones.

Finally, even phones that have on-board encryption, such as the iPhone, have been hacked, so you need to complete a risk assessment to decide which types of data your users can store on their smartphones; even when taking encryption into account, as of yet, there is no low-cost, perfectly secure phone.

This was first published in August 2011
