Encrypting mobile data on devices should be at the top of IT’s priority list. With the right data encryption techniques, IT can prevent sensitive enterprise data from being compromised should a mobile device be lost or stolen.
How encryption works
Encryption scrambles the data stored on a device so unauthorized users can’t read that data, and hackers who intercept wireless communications won’t be able to read encrypted data transmitted between mobile devices.
During the encryption process, a special type of algorithm called a cipher makes text unintelligible to anyone who doesn’t hold the key. The key is a piece of code that interprets, or decrypts, the encrypted data. Most of the time, users need only provide the correct username and password to access the encrypted mobile data. On some devices, users might have to configure the settings that enable encryption themselves, but the actual encrypting and decrypting processes happen behind the scenes.
IT has to tackle mobile data encryption from two angles: data on devices and data transmitted to and from those devices. A number of data encryption techniques exist, but management challenges remain. With so many different kinds of devices in the enterprise, IT may struggle to find a mobile data encryption strategy that will work for every device and every user.
Data encryption techniques for on-device data
When it comes to on-device encryption, IT’s biggest challenges rest with the devices themselves. Some mobile operating systems give devices the functionality to encrypt some, if not all, on-device data. With other devices, IT must rely on third-party products to manage mobile data encryption.
For example, like most devices that support encryption, Apple iOS 5 devices use the 256-bit Advanced Encryption Standard to automatically encrypt some on-device data. When users enable the Passcode Lock feature, email and application files are also protected. The OS leaves media such as videos and pictures unencrypted, however.
It’s a different story for Android devices. The latest version of the OS offers several Android enterprise features, including on-device encryption (as long as users specifically enable it on their devices). And apps such as WhisperCore make it possible to fully encrypt on-device data on devices running older versions of Android.
Windows Phone 7.5 devices don’t support on-device mobile data encryption, and third-party apps to accommodate this need have been slow in coming.
Not surprisingly, BlackBerry devices provide a full range of data encryption techniques, including USB drive encryption for those models that support removable storage. In fact, users whose mobile devices support removable media should encrypt their USB drives as well as their phones if they plan on storing sensitive mobile data on that device.
Data encryption techniques for transmitted data
IT should also make sure that any sensitive data transmitted between mobile devices and the enterprise is encrypted. That’s no easy task, given the variety of devices employees bring into the enterprise.
When BlackBerry devices dominated the workplace, BlackBerry Enterprise Server made it relatively easy for IT to secure communication between devices and other enterprise systems. But with the proliferation of consumer-oriented smartphones and tablets, the management software and processes once available to the enterprise can no longer keep up.
Research in Motion is attempting to address the issue of cross-platform mobile data security and encryption with BlackBerry Mobile Fusion. This planned mobile device management (MDM) for BlackBerry, iOS and Android devices will support encrypted communications. Exchange ActiveSync also provides management capabilities for multiple mobile platforms and enables encrypted communication among those devices.
Companies such as Symantec, DataMotion and Proofpoint are also working on (or already offer) data encryption techniques for secure communication. Some of this new software provides users with the ability to deliver encrypted messages directly to and from devices. Other options provide a secure gateway for data transmission. As an alternative, organizations may also want to consider virtual private networks (VPNs) to secure communications between mobile devices and the network.
Mobile data encryption and management challenges
Ideally, your organization should be able to encrypt both on-device and transmitted mobile data. Many MDM programs are moving in this direction, but initially, you might find you’ll have to take a piecemeal approach to addressing encryption-related issues. Whatever data encryption techniques you choose, no sensitive data should be left unprotected.
More on data encryption techniques
Data Protection Security School
The ins and outs of database encryption
Choosing smartphone encryption software for mobile smartphone security
Smartphone encryption, authentication ease mobile management
If an organization supports a variety of mobile devices -- different manufacturers, different operating systems, etc. -- IT must take each device’s encryption capabilities into account and use them to their fullest potential. Yet because of these differences, managing all of these devices isn’t easy.
Consider an MDM plan to control mobile device security. Sophos Mobile Control, for example, is an MDM utility that lets administrators turn on the built-in security features of the devices they manage, including iOS, Android, BlackBerry and Windows Mobile 6 devices.
Another option is to keep secure data off mobile devices altogether. For instance, cloud storage services can host applications and data in a secured, centralized location. And virtual desktops provide a mobile app delivery method that does not store data locally, but they pose other problems, especially around usability. Without some sort of MDM or centralized management system, you’ll have to manually verify on-device mobile data encryption -- or trust your users to take the precautions necessary to secure those devices themselves.
This was first published in February 2012