designsoliman - Fotolia

If mobile remote wipe isn't an option, will selective wipe do?

Remote wipe isn't always an option when it comes to securing enterprise BYOD use. Learn how selective wipe and enterprise wipe technology can help erase corporate data on lost devices without compromising personal data.

Many employees are hesitant to allow mobile remote wipe functionality on their personal devices. I heard about selective wipe feature for Microsoft Outlook that wipes the app but not the entire device. Is this a better option for employee-owned devices? Will it prevent sensitive data from being infiltrated if a device is stolen?

One of the big challenges for enterprises looking to embrace BYOD is keeping company data separate and secure without impinging on a device's usability and their employees' right to privacy. However, lost or stolen BYOD devices can put corporate data at risk if there is no way to remotely delete sensitive data and accounts from the device. The ability to activate a mobile remote wipe -- whereby a network administrator or device owner sends a command to a device to delete data -- has been around for a while, but the command often wipes all data on the device, including data on any storage cards it may be using. While this heavy-handed protection can ensure corporate data doesn't fall into the wrong hands, it results in the device owner's data, photos, music and so on, being destroyed as well, which is why many administrators and employees are often reluctant to remote wipe a lost device.

One approach to resolving this problem is the use of containers to create a clear division between corporate mobile apps and the data associated with them and a user's own apps and data. The goal of containerization is to isolate an application to prevent malware, hackers, system resources or other applications from interacting with it and any of its sensitive information. Containers also allow administrators to not only enforce corporate security policies such as authentication, encryption and cut-and-paste restrictions, but also to remote wipe just the data held in the container. Container technology can be integral to the operating system -- such as Samsung's Knox smartphone or the BlackBerry 10, a separate application or part of a mobile device management product. Some companies such as MobileIron, Citrix Systems Inc. and AirWatch LLC, for example, offer a selective wipe and an enterprise-wide wipe, as well as a full device wipe.

Since containers may not be a viable option for many organizations, Microsoft's move to enable administrators to remotely wipe the Outlook app for iOS and Android is very welcome. It is a selective app-level wipe, not a device wipe; corporate email, calendar, contacts and files are removed, but a user's personal email accounts and information stay intact. The selective wipe also gets rid of data stored in Outlook's cloud components. On Android devices, the new version of Outlook will enforce screen lock rules. It will also enforce Office 365 and Exchange policies regarding password length and complexity requirements as well as the number of allowable screen-unlock attempts before wiping the phone. Devices that do not support these security settings will not be able to connect to an account. Password enforcement works differently on Android devices than iOS devices due to the controls made available by Google and Apple. On iOS devices, Outlook will check to make sure a passcode is properly set before a user can use the app. As Outlook for iOS only runs on iOS 8.0 or later, all the data Outlook stores locally on the device is encrypted regardless of the Office 365 or Exchange policy. Microsoft also claims that admin-led remote wipes now happen within seconds as opposed to taking a few minutes.

A remote wipe function that administrators and employees are happy with will certainly reduce the chances of sensitive company data from being compromised should a device be lost or stolen. However, note that this app only allows Outlook data to be wiped, additional measures should be taken to ensure other types of data can also be wiped should the need arise.

BYOD policies should include a comprehensive procedure for handling a lost or stolen phone. A remote wipe or selective wipe function is of no use unless employees know how to contact and identify themselves to the administrators -- without using their mobile device -- who are authorized to issue a remote wipe command. Administrators should also test the procedure to ensure it works and they are comfortable with how to issue the remote wipe command in a timely fashion.

Ask the Expert:
Want to ask Michael Cobb a question about application security? Submit your questions now via email. (All questions are anonymous.)

Next Steps

Find out more about remote wipe and erasing mobile phone data

This was last published in August 2015

Dig Deeper on BYOD and mobile device security best practices