I heard that Windows 7 Mobile does not have on-board encryption. Is that true? What are the implications? Should we proceed or delay enterprise deployment as a result?
Let me start by looking at what is meant by on-board encryption. In its strictest sense, it refers to encryption performed by hardware built into the device. Self-encrypting drives from Seagate Technology LLC and LaCie, for example, perform all cryptographic operations and key management inside the drive itself. The main advantage of hardware-based encryption over software-based encryption is that the keys never leave the hardware and the drive will not release its contents until the user has authenticated, so the protection does not depend on the host operating system being intact or even having started.
On-board software-based encryption refers to products that incorporate a cryptographic module that is part of the operating system. Each BlackBerry, for example, contains the BlackBerry Cryptographic Kernel, a software module that provides the cryptographic functionality required for basic operation of the device, and which meets the requirements of FIPS 140-2 Security Level 1.
With these two forms of encryption, trust is placed either in the on-board security chip, as in the iPhone, or in the operating system's built-in cryptographic module, to perform all cryptographic operations. Smartphones running OSes such as Android and Windows Phone 7 instead rely on cryptographic libraries called by each application, so you are relying on the application developer to implement and deliver data security correctly. This is complicated by the fact that Windows Phone 7 offers no framework support for secure password storage or key management: an application that encrypts its own data still has nowhere on the phone to keep the key safely.
Windows Phone 7 does provide various security controls, including SSL-secured connections, password complexity enforcement, remote wipe and wipe after multiple failed login attempts, idle timeouts and Bluetooth connection control, all of which can be managed via Exchange ActiveSync (EAS) mailbox policy settings. Windows Phone 7 applications also run in a sandboxed process, isolated from other apps and with no direct access to the underlying operating system's file system. Each application's data is stored in Isolated Storage, which only that application can read, but it is stored in the clear unless the application encrypts it itself; the phone does not.
The key security issue when looking at smartphones is how you mitigate the risk of a lost, stolen or compromised phone. Data encryption is imperative for any mobile device that holds business data, and on-board encryption makes it far easier to enforce, because it covers everything on the device rather than only whatever each application chose to protect. Furthermore, if a device is lost or stolen and you can confirm that a remote wipe completed, you limit further unauthorized use and downstream liability.
If your organization runs a Microsoft-based infrastructure, then mobile device security controls are implemented via EAS mailbox policies. Although an Exchange Server 2007 or 2010 Enterprise client access license (CAL) unlocks a richer set of policy settings than a Standard CAL, Windows Phone 7 honours only a subset of the roughly 40 available settings, so you need to review which controls you need, check whether the phone actually enforces them, and confirm from the device's reported policy status that they were applied rather than assuming it. Also be aware that you don't have to use Windows Phone 7 to use EAS, but again, you would need to check which technical controls natively available in Microsoft Exchange work with other EAS client phones.
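As an added illustration of the policy controls described above (this is example code written for this page, not part of the original article), the following Exchange Management Shell session creates an EAS mailbox policy carrying the controls Windows Phone 7 is said to support, assigns it to a pilot mailbox, checks what the device reports back, and shows the remote-wipe confirmation step. The policy name, the mailbox alias, the e-mail address and the numeric values are assumptions chosen for illustration; the cmdlets and parameters exist in Exchange Server 2007 SP1 and 2010. Which policy settings a given phone honours must still be verified against the vendor's supported-policy list and the device's reported status.

```powershell
# Added example, not from the original article. Run in the Exchange Management
# Shell (Exchange 2007 SP1 / 2010). Policy name, alias, address and values are
# assumptions for illustration.

$policyName = "WP7-Baseline"   # assumed policy name

# 1. Create a policy with the controls the article lists: PIN complexity,
#    wipe after repeated failed unlocks, idle lock, Bluetooth restriction.
#    AllowNonProvisionableDevices $false refuses devices that cannot accept
#    policy at all, instead of letting them sync with no controls applied.
New-ActiveSyncMailboxPolicy -Name $policyName `
    -DevicePasswordEnabled $true `
    -AllowSimpleDevicePassword $false `
    -MinDevicePasswordLength 6 `
    -MaxDevicePasswordFailedAttempts 8 `
    -MaxInactivityTimeDeviceLock "00:05:00" `
    -DevicePasswordExpiration "90.00:00:00" `
    -DevicePasswordHistory 5 `
    -AllowBluetooth HandsfreeOnly `
    -AllowNonProvisionableDevices $false

# 2. The control a phone without on-board encryption cannot satisfy.
#    RequireDeviceEncryption asks the device to report that its storage is
#    encrypted. Setting it makes the gap visible in step 4 instead of letting
#    unencrypted devices sync quietly; decide deliberately whether blocking
#    such devices is the outcome you want before rolling this out.
Set-ActiveSyncMailboxPolicy -Identity $policyName -RequireDeviceEncryption $true

# 3. Assign the policy to a pilot mailbox (alias assumed).
Set-CASMailbox -Identity "jdoe" -ActiveSyncMailboxPolicy $policyName

# 4. Verify what the device actually reports: which policy it applied, whether
#    application succeeded, and the device ID needed for a wipe. Do not treat a
#    control as in force until DevicePolicyApplicationStatus says it was applied.
Get-ActiveSyncDeviceStatistics -Mailbox "jdoe" |
    Format-List DeviceType, DeviceOS, DeviceID, DevicePolicyApplied,
                DevicePolicyApplicationStatus, LastSuccessSync

# 5. Remote wipe of a lost device, using the identity from step 4, then confirm
#    the wipe was acknowledged. The data is only destroyed once DeviceWipeAckTime
#    is populated; a sent but unacknowledged wipe means the phone has not
#    connected since the request.
# Clear-ActiveSyncDevice -Identity <DeviceIdentityFromStep4> -NotificationEmailAddresses "secops@example.com"
# Get-ActiveSyncDeviceStatistics -Mailbox "jdoe" |
#     Format-List DeviceID, DeviceWipeRequestTime, DeviceWipeSentTime, DeviceWipeAckTime
```

The wipe commands are left commented out so the session can be pasted as-is without wiping anything; step 5 is the check that turns "we sent a wipe" into the confirmed destruction the article says limits downstream liability.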
Finally, even phones that have on-board encryption, such as the iPhone, have had that protection bypassed, so you need to complete a risk assessment to decide which types of data your users can store on their smartphones; even taking encryption into account, there is as yet no low-cost, perfectly secure phone.
This was first published in August 2011