Keep Mobile Devices Safe With Encryption

What would happen if a mobile device loaded with your company's sensitive data were lost? Encryption products could save the day.

Avi Baumstein, Contributor

November 9, 2007

4 Min Read

Covering Your Rear
If a device with sensitive data goes missing, you need to prove that it really was encrypted. Auditing is key to limiting liability. Fortunately, this is a feature all centrally managed encryption suites offer. SafeBoot even provides audits for encrypted USB flash drives, a boon because the small size of USB drives makes them most likely to be lost. Mobile Armor's File Armor creates self-decrypting archives that are very useful for sharing sensitive files among users or with partners. But the beauty of this product is that when a user attempts to decrypt the archive, the decryption software checks with the management console to verify that access to the archive has not been revoked, and it logs the access.

The ability to force a device to encrypt via policy, and provide logs demonstrating that it was encrypted and had checked into the management console recently, can be the difference between spending a lot of money and corporate goodwill notifying customers that their data was stolen and just eating the cost of a missing laptop.

Policy Police
We've said it before and we'll say it again: Successful security starts with comprehensive policies. This is especially true with mobile encryption. There's no way around the fact that device encryption is inconvenient for users. A policy will help garner support at the executive level, vital to reduce pushback. Your policies should define exactly what data needs to be protected in which circumstances and limit the amount of sensitive data stored on mobile devices, favoring instead secure remote access. Your goal is to prevent someone in unauthorized possession from accessing data. Limiting encryption to this threat profile can greatly simplify the rollout of the encryption system and improve ease of use.

Whenever users must take data with them, it should be the minimum necessary. A business analyst studying customer buying trends doesn't need credit card numbers. Key to compliance: Building the capability into corporate data systems to exclude sensitive data from export or, even better, make it difficult to output to a portable format.

JUST DO SOMETHING

The embarrassment of riches in the mobile encryption market can make the choice of a platform vendor daunting, but the key is to just move forward. Start with the products covered under the General Services Administration contract and look to other vendors to fill gaps or for smaller rollouts.

DEVICE ENCRYPTION

  • Credant Technologies' CredantMobile Guardian

  • GuardianEdge Technologies' GuardianEdge

  • Mobile Armor's Data Armor

  • Pointsec Mobile Technologies' Pointsec

  • SafeBoot Technology's SafeBoot Device Encryption

  • SafeNet's SafeNet ProtectDrive

  • WinMagic's SecureDoc

FILE ENCRYPTION

  • Encryption Solutions' SkyLock At-Rest

  • Information Security's SecretAgent

ENCRYPTED USB STORAGE

  • Spyrus' Talisman/DS Data Security Suite
All About The Form Factor
PDAs and smartphones can be even tougher to encrypt than laptops. First, it's difficult to enter complex passwords, especially special characters, on small keyboards, and multifactor authentication is all but impossible. This could preclude integrating mobile device authentication into the corporate authentication system. The limited processing power of small devices also means the extra computation required for encryption may cause them to slow down noticeably. And finally, the always-on nature of smartphones means care must be taken so encryption doesn't break functionality. Encrypting the calendar database seems like a good idea, for example, but if the alarm notifier can't read appointments because the password hasn't been entered, it can't remind its owner of meetings.

Then there's portable USB storage. We like SafeBoot's new line of hardware-encrypted USB drives that require no software, instead relying on a biometric fingerprint reader to provide decryption keys. These drives also are manageable through SafeBoot's Management Center, which can handle password changes, key recovery, even device lockout.

As if supporting users outside the office weren't hard enough already, now you're giving them an additional password to forget. You'll need to provide methods to help users in the field unlock their devices; most enterprise-class products support some form of key recovery. For example, PGP Whole Disk Encryption solves this problem by escrowing a single-use password on the management server. If a user forgets his password, the help desk can read out a 32-digit string of characters or send it via an SMS message. Once the user enters the recovery token and boots the laptop, the system requests a password change, the recovery token is invalidated, and a new one is sent to the server for next time.
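The single-use recovery-token flow just described, modelled as an added example (not code from PGP or any vendor named here): a hypothetical management-server class that escrows one 32-digit token per device, audits every help-desk disclosure, rejects reuse, and escrows a fresh token the moment the old one is redeemed. It simplifies the real flow by having the server, rather than the client, generate the replacement token.

```python
import secrets
import string
from datetime import datetime, timezone

# The article describes a 32-digit recovery string read out by the help desk.
TOKEN_LENGTH = 32
TOKEN_ALPHABET = string.digits


class RecoveryEscrow:
    """Management-server side of a single-use recovery-token scheme.

    Hypothetical simplification: the server generates and escrows one
    valid token per device; redeeming it invalidates it and escrows a
    fresh one.  Every disclosure and use is written to an audit trail.
    """

    def __init__(self):
        self._tokens = {}  # device_id -> currently valid recovery token
        self.audit = []    # append-only list of (timestamp, device, event, detail)

    def _log(self, device_id, event, detail=""):
        stamp = datetime.now(timezone.utc).isoformat()
        self.audit.append((stamp, device_id, event, detail))

    def _issue(self, device_id, reason):
        token = "".join(secrets.choice(TOKEN_ALPHABET) for _ in range(TOKEN_LENGTH))
        self._tokens[device_id] = token
        self._log(device_id, "token_escrowed", reason)
        return token

    def enroll(self, device_id):
        """Called when a laptop first checks in: escrow its initial token."""
        return self._issue(device_id, "enrollment")

    def helpdesk_read(self, device_id, technician):
        """Help desk reads the token to a locked-out user; the disclosure is audited."""
        self._log(device_id, "token_disclosed", f"by {technician}")
        return self._tokens[device_id]

    def redeem(self, device_id, presented):
        """Client reports the token it was booted with.

        Returns the replacement token on success, None on failure.  The
        compare is constant-time and a token can only be redeemed once.
        """
        current = self._tokens.get(device_id)
        if current is None or not secrets.compare_digest(current, presented):
            self._log(device_id, "redeem_rejected")
            return None
        self._log(device_id, "token_redeemed")
        return self._issue(device_id, "rotation after use")
```

The audit list is what you would hand an auditor to show that a given token was disclosed to a named technician and used exactly once.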

This capability also is crucial for situations in which you need access to a laptop's data but the user no longer works for the company. Some IT shops even use the recovery token as an audited way to grant the help desk access to a laptop brought in for service, while others with less stringent accountability create a separate encryption passphrase that's shared among help desk technicians for this purpose.
