An increasing number of business users now carry sophisticated mobile devices capable of word processing, bank account authentication, Web browsing, emailing and numerous other tasks. With an ever-increasing remote workforce, users of these devices are coming to rely on them to calculate numbers in spreadsheets, read sensitive documents and store sensitive data while they're away from the office.
The proliferation of smartphones in enterprise environments, however, brings new risks, namely the potential for sensitive data loss via stolen or lost devices. One way to protect smartphone data is with encryption. As with laptop encryption, products are available that range from built-in operating system capabilities to those provided with enterprise management tools and other third-party software.
Overall, the number of commercial smartphone encryption software products is still small, but it is growing at a rapid clip as more organizations realize what a critical vulnerability these devices can represent. What should organizations consider when evaluating smartphone encryption products? The following is a short list of the most critical factors:
- Cost: Few built-in encryption services are available, and those that are free or inexpensive are usually geared toward individuals rather than enterprise users, providing little to no centralized management or policy capabilities. As that is the case, enterprises should expect to pay a significant amount for these products and should budget accordingly.
- Platform support: Most enterprises standardize with a single smartphone operating system, such as the BlackBerry OS, but have certain users (like executives or sales teams) that use different devices like the Apple iPhone or Windows Mobile devices. Thus, a product that covers multiple platforms is preferable in most cases.
- Policy focus: All organizations have their own unique security needs and policies related to mobile device use and sensitive data protection. Some organizations focus on stronger authentication and passwords, while others are more concerned with encryption at all times. Still others will require remote data-wiping capabilities in lieu of other security controls like encryption or authentication. Determining the enterprise's current and future security needs with regard to smartphones, and thus its policy focus, will help organizations choose the product that is right for them.
- Central management: The ability to centrally manage policies for smartphone encryption, as well as monitor the status of each phone's encryption in real time, is often a necessity for enterprises with numerous devices. In addition, logging and reporting -- required for compliance with many different regulations -- are usually only present in enterprise-class management consoles and products. Key management is almost always integrated with each enterprise-level product.
Next let's cover the types of smartphone encryption technology in use today. The first type is built-in smartphone encryption, which resides inside a phone's operating system. Few smartphones have this type of out-of-the-box encryption, and even those that do tend to offer only limited encryption features.
The most robust smartphone encryption is currently found on smartphones running the Windows Mobile operating system. Windows Mobile allows organizations to enable strong AES 128-bit encryption for protecting email, tasks, calendar information and a user's "My Documents" folder. The same encryption can be enabled to protect all files stored on Secure Digital (SD) cards, after which those cards are unreadable on any other smartphone.
The most popular business smartphone, the BlackBerry, provides encryption through the BlackBerry Enterprise Server (BES) application (a separate product in its own right). Local files on the smartphone can be encrypted via centrally managed policies (by enabling the Content Protection feature), and authentication passwords to the device are stored securely with AES encryption as well.
The Apple iPhone offers what it describes as "strong hardware encryption," but that's a misnomer. The feature is actually intended to enhance its remote wipe capability, eradicating all data if the device is lost or stolen. The Palm Pre has no built-in encryption with its new WebOS, but those organizations still using the older PalmOS may find some applications available (all add-ons).
Most smartphone encryption technologies come in the form of third-party commercial products. PGP Corp. and Aiko Solutions Ltd. both offer encryption products for Windows Mobile, and PGP supports BlackBerry devices as well. Although immensely popular in the personal consumer market, the Apple iPhone is less prevalent in enterprises due to its lack of management and security features, and there are few true enterprise encryption products available for the platform today. Multiple encryption applications, such as Firebox, My Eyes Only and SMobile ContactCrypt, are available to users, but all are managed locally. One product that does allow encryption and centralized management of iPhones, Windows Mobile and Palm devices is GuardianEdge Technologies Inc.'s Smartphone Protection, which integrates with Microsoft Exchange, allows for SD card encryption and provides additional security features such as smartphone firewalls and application control.
Smartphone encryption is applicable for all smartphone users, whether in an enterprise setting or with a standalone device. As these devices store and gain access to greater and greater amounts of sensitive data, the need to protect this personal and corporate data becomes even more critical. By encrypting these devices, enterprises take a significant step toward better mobile security, ensuring their data stays protected regardless of whether a phone is lost or stolen. The big question now is: How do you get started?
The first thing organizations should do when evaluating smartphone encryption options is to ascertain what their needs really are, and this should be founded in policy. Ensure policies exist that explicitly outline the types of data users can send, receive and store on smartphone platforms, and ensure a consistent type (and possibly model) of smartphone is clearly defined as the organization's standard. Once these policies are in place, the next step is to assess data classification policies and acceptable use of smartphones in light of how the organization's users work day-to-day, and what their data protection needs will ultimately be. Determine which users have smartphones, what types of data these users have access to, and then perform a risk assessment to determine the possible ways that this data could ultimately be breached or lost.
Undergoing this process should help organizations narrow down which sorts of products would be best for them. Other considerations, such as cost, ease of implementation, and security and compliance requirements, can help winnow the list of choices down further. In general, any organization that determines it needs smartphone encryption should ensure that strong, trusted encryption (such as AES 128-bit or greater) is supported, that centralized management and policy control are available, and that the data can be wiped if the smartphone is lost or stolen.
About the author:
Dave Shackleford is director of risk and compliance and acting director of security assessments at Sword and Shield Enterprise Security Inc., and is a certified SANS instructor. He was formerly CSO at Configuresoft Inc. and CTO at the Center for Internet Security, and has worked as a security architect, analyst, and manager for several Fortune 500 companies. In addition to these roles, he has consulted with hundreds of organizations for regulatory compliance, as well as security and network architecture and engineering.
This was first published in June 2010