
Rating Windows 7 mobile device encryption

Is it true that Windows 7 mobile device encryption isn’t on-board? How does that affect the phones’ security? Expert Michael Cobb looks at how mobile encryption is vital to enterprise security.

I heard that Windows 7 Mobile does not have on-board encryption. Is that true? What are the implications? Should we proceed or delay enterprise deployment as a result?

Let me start by looking at what is meant by on-board encryption. In its truest sense, it refers to encryption being provided by hardware-based technology. Seagate Technology LLC and LaCie hard drives, for example, perform all cryptographic operations and key management within the drive itself. The main advantage of hardware-based encryption over software-based encryption is that a device can't be started without proper authentication.

On-board software-based encryption refers to products that incorporate a cryptographic module that is part of the operating system. Each BlackBerry, for example, contains the BlackBerry Cryptographic Kernel, a software module that provides the cryptographic functionality required for basic operation of the device, and which meets the requirements of FIPS 140-2 Security Level 1.

With these two forms of encryption, trust is placed either in the on-board security chip, as in the iPhone, or in the phone operating system's built-in encryption to perform all cryptographic operations. Smartphones running OSes such as Android and Windows 7 Mobile rely on cryptographic libraries to provide encryption, so you are relying on the developer of each application to correctly implement and deliver data security. This is complicated by the fact that the OS doesn't include framework support for secure password storage or key management.

Mobile 7 does provide various security controls, including SSL-secured connections, password complexity enforcement, remote wipe, reset after multiple failed login attempts, idle timeouts and Bluetooth connection control, all of which can be managed via Exchange ActiveSync (EAS) mailbox policy settings. Mobile 7 applications also run in a sandboxed process, isolated from other apps and with no direct access to the underlying operating system's file system. Each application's data is stored in Isolated Storage, but you are relying on the application to encrypt it, not the phone.

The key security issue when looking at smartphones is how you mitigate the risk of a lost, stolen or compromised phone. Data encryption is imperative for any mobile device and on-board encryption makes it so much easier to enforce. Furthermore, if a device is lost or stolen and you can confirm remote destruction of the data, you limit further unauthorized use and downstream liability.

If your organization runs a Microsoft-based infrastructure, then mobile device security controls are implemented via Exchange ActiveSync (EAS). Although an Exchange 2007 or 2010 Enterprise client access license (CAL) provides a richer set of controls than a standard CAL, Mobile 7 only supports a subset of the 40 available mailbox policies, so you need to thoroughly review which controls you need and whether they can be implemented in your environment. Also be aware that you don't have to use Mobile 7 to use EAS, but again, you would need to check which of the technical controls natively available in Microsoft Exchange work with other EAS-compatible phones.
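The policy controls, the partial-support check and the remote-wipe confirmation described above, as an added Exchange 2010 Management Shell example that is not from the article or from Microsoft; the policy name, mailbox and e-mail addresses are placeholders, and the example assumes Exchange 2010 cmdlet parameter names.

```powershell
# Added example, not part of the article. Run in the Exchange 2010 Management
# Shell as an Exchange administrator. Names and addresses are placeholders.

# 1. A mailbox policy covering the controls the article lists: password
#    complexity, wipe after repeated failures, idle lock, Bluetooth control,
#    plus device encryption, which a phone without on-board encryption cannot meet.
New-ActiveSyncMailboxPolicy -Name "Corp-Smartphone-Baseline" `
    -DevicePasswordEnabled $true `
    -AlphanumericDevicePasswordRequired $true `
    -MinDevicePasswordLength 8 `
    -MinDevicePasswordComplexCharacters 2 `
    -MaxDevicePasswordFailedAttempts 8 `
    -MaxInactivityTimeDeviceLock "00:05:00" `
    -AllowBluetooth HandsfreeOnly `
    -RequireDeviceEncryption $true `
    -AllowNonProvisionableDevices $false
# Decide the last setting deliberately: $false refuses devices that cannot
# enforce every setting; $true admits them and reports the shortfall in step 3.

# 2. Assign the policy to a pilot mailbox (placeholder address).
Set-CASMailbox -Identity "pilot.user@example.com" `
    -ActiveSyncMailboxPolicy "Corp-Smartphone-Baseline"

# 3. After the phone syncs, see how much of the policy it really applied.
#    PartiallyApplied is what to expect from a phone that supports only a
#    subset of the settings; review which settings it could not enforce.
Get-ActiveSyncDeviceStatistics -Mailbox "pilot.user@example.com" |
    Select-Object Identity, DeviceType, DeviceOS, DeviceModel,
                  LastPolicyUpdateTime, DevicePolicyApplied,
                  DevicePolicyApplicationStatus

# 4. Lost or stolen phone: request a remote wipe, then confirm the device
#    acknowledged it (DeviceWipeAckTime) before treating the data as destroyed.
$deviceIdentity = "<paste the Identity value from step 3>"   # placeholder
Clear-ActiveSyncDevice -Identity $deviceIdentity `
    -NotificationEmailAddresses "secops@example.com" -Confirm:$false

Get-ActiveSyncDeviceStatistics -Mailbox "pilot.user@example.com" |
    Select-Object DeviceModel, DeviceWipeRequestTime,
                  DeviceWipeSentTime, DeviceWipeAckTime
```

A wipe request with no DeviceWipeAckTime means the phone has not yet checked in, so the data on it should still be treated as exposed.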

Finally, even phones that have on-board encryption, such as the iPhone, have been hacked, so you need to complete a risk assessment to decide which types of data your users can store on their smartphones; even taking encryption into account, there is as yet no low-cost, perfectly secure phone.

This was last published in August 2011


1 comment


Turn on the SIM lock; enter the correct password and the data becomes readable. TrueCrypt: download and install the software, and you can choose to either create an encrypted folder or folders on your PC, or encrypt the entire hard drive itself. If you create an encrypted folder, then each time you use your computer and before you access the files within that specific folder, TrueCrypt prompts you for your encryption password. Enter the password and the folder looks and behaves like any other folder: you can work with documents, add and delete files, etc.