Encryption on the Go, Part 1
A conscientious employee will alert IT when a mobile device containing sensitive data is lost. IT can then do a remote wipe and rest easy. But what happens when an employee doesn't realize it's been lost for hours or days? The info is left floating in the breeze, and that's when the decision to encrypt sensitive data really pays off.
05/30/12 5:00 AM PT
The growth of the bring-your-own-device (BYOD) trend, in which employees use their personal devices in the workplace, is proving to be a huge headache for IT.
Often underfunded, understaffed and overworked, IT now has to cope with a plethora of different devices running different operating systems -- or different versions of an operating system. These devices often contain sensitive enterprise material and are basically not secured.
That has led to a flood of vendors offering mobile device management (MDM) and mobile security products. These will let corporations enforce policies, remotely wipe devices and control access to sensitive corporate information on devices.
But what if a device is lost and the owner doesn't even realize it for hours? How can you locate a device or wipe it if you don't even know it's lost? And what if the employee doesn't report the loss because the device is a personal rather than a corporate one?
"The mere fact that the owner of the device is not the organization itself or an entity that has met compliance requirements may give chief privacy officers and legal staff serious cause for concern," Stephen Cobb, a security evangelist at ESET, told TechNewsWorld. Further, "77 percent of employees never reported their devices lost, and 160,000 portable devices are left in taxis in Chicago every year."
"The primary enterprise app that BYOD employees want on their smartphone is corporate email," Dan Shey, a practice director at ABI Research, told TechNewsWorld. One of the "biggest concerns" with that is that more corporate communications, and possibly data, are leaving the workplace. "At a minimum, smartphones need password protection, but activating encryption on the device is even better."
Providing security on mobile devices "was cited as one of the top priorities for IT security professionals for 2012" in McAfee's State of Security report published in March, Ratinder Ahuja, chief technology officer and vice president of mobile, network, cloud and content at McAfee, told TechNewsWorld. The company surveyed nearly 500 companies with 1,000 or more employees worldwide.
When to Encrypt
Mobile devices should be encrypted "wherever highly sensitive data are found on the device," Tom Wills, managing director of Singapore-based consultants Secure Strategies, told TechNewsWorld.
Such data includes the power-on and screensaver password, the SIM card, passwords to open apps or certain functions within apps such as logging into an e-commerce retailer account, confidential email, instant messages, SMS messages, and confidential data and medical files.
"The more sensitive and valuable the data, the greater the need for stronger encryption," Wills said.
Many enterprises take a risk management approach to security, but this shouldn't be used when deciding whether or not to encrypt data, Wills warned.
Types of Encryption
Enterprises can opt to encrypt applications or for hardware encryption.
For example, Enlocked offers an app that secures email in transit through a simple plug-in. It works with popular email systems and runs on PCs, Macs, iPads, iPhones and Android smartphones. Users can secure individual messages. The company has announced plans to offer an enterprise-level version.
However, software encryption is CPU-intensive and tends to slow applications down, Secure Strategies' Wills pointed out.
Hardware encryption is another option. "The nice thing about hardware-based encryption is the performance," Randy Abrams, an independent security consultant, told TechNewsWorld. However, "there is no universal hardware-based encryption protocol for the myriad of devices out there."
On the other hand, application-level encryption is portable "and allows for flexibility in providing different levels of encryption for different needs," Abrams pointed out.
Taking Encryption Further
Essentially, only the newer mobile devices in the market offer hardware-level encryption, Xuxian Jiang, chief scientist at NQ Mobile, told TechNewsWorld. Both iPhones and iPads running iOS 4.0 or later offer hardware-level encryption but earlier versions of the OS do not. Android devices running Honeycomb or Ice Cream Sandwich also support hardware-level encryption.
As currently implemented, however, weaknesses in both Android and iOS "make application-level encryption preferable when IT is developing corporate apps," ESET's Cobb said.
"NQ Mobile is currently exploring the effectiveness of different encryption approaches for mobile devices," Jiang said. Meanwhile, "the major mobile software platforms are shifting towards making encryption available, and the underlying device hardware is becoming powerful enough to warrant widespread encryption."
Organizations "are going to have to encrypt sensitive data transmitted to and from mobile devices, and data stored on those devices," ESET's Cobb remarked. "Courts may well find, if not now then before too long, that failure to encrypt falls short of a reasonable standard of due care."
Tailor Encryption to Your Needs
Before implementing encryption on all mobile devices in the enterprise, it's best to think through what's needed and where.
The encryption schema should match the mission of the organization and the role of the mobile device within that structure, ESET security researcher Cameron Camp told TechNewsWorld. For example, the salesforce may need encryption of traffic and files, while employees with mobile access to critical intellectual property "would need more advanced protections like fewer failed passwords before the device auto-wipes the data, remote wipe by IT over the air, and GPS-based tracking."
Organizations should start by defining their needs, or they will "end up trying to find solutions for the wrong problem," consultant Abrams said. Once an organization understands its topology, it can implement appropriate access control. Then assessing security needs for the rest of the data "leaves more tightly defined requirements that solutions can be properly aligned to."
Stay tuned for "Encryption on the Go, Part 2."