Mar 29 2011

Bringing Security to Smartphones

Try these tips to ensure your company’s mobile data is not compromised.

Where is your sensitive business data right now? Chances are a good portion of it is on the road or in the skies, in the hands of mobile workers using smartphones to access corporate data while away from the office.

The sales force might be entering credit card orders from a customer site, the marketing staff might be accessing confidential product information at the print shop, and the CEO might be e-mailing a board member about a potential acquisition from the coffee shop on the corner.

Ask yourself how confident you are that all of these activities are following security best practices. Will you be able to retain control of the data if one of these devices is lost or stolen?

Fortunately, technology exists to help protect the confidentiality of sensitive information that is stored and transmitted while using smartphones and other mobile computing devices.

Encryption technology can protect data from unauthorized disclosure; passcodes and screen-locking features can prevent casual access to a device by an unauthorized user; and management tools can help you apply these policies in a consistent, reliable fashion.

Encrypting Data at Rest

One of the first concerns on the mind of anyone responsible for smartphone security management is, what happens if one of my users loses their device? The easiest way to protect the data stored on smartphones from this type of accidental disclosure is to implement strong encryption on the device itself.

Encryption technology uses mathematical algorithms to render the data stored on a device unreadable without the proper encryption key. This provides a safeguard against even a determined hacker who extracts storage media from the smartphone and attempts to access it directly.

The two major smartphone platforms, BlackBerry’s BlackBerry OS and Apple's iOS, both support strong encryption using the government’s Advanced Encryption Standard (AES) with a 256-bit encryption key.

This is certain to provide the level of security you need to put your mind at rest if a user’s device is lost or stolen. While the thief might gain a smartphone, your loss will be limited to the cost of the device and not the data stored on it.

Encrypting Data in Transit

Once the data stored on the device is protected, turn your attention to the secure transmission of data to and from the device. This is actually a somewhat complex undertaking with a basic underlying principle: Make sure that all of the data sent back and forth to the smartphone is encrypted. The methods used to obtain that encryption might vary depending upon the specific device and use case. Some possibilities include:

  • Requiring encrypted connections to the messaging servers supporting the devices: This can be configured on the server by denying unencrypted connection attempts. Users with incorrectly configured smartphones will figure out the problem quickly enough when they can’t retrieve their e-mail.
  • Using Secure Sockets Layer–based applications to transfer data: If users need to send business data through smartphone applications, vet those applications to ensure that they use strong encryption for the transmission of data. This can be done on an application-by-application basis, as each developer might have configured their application differently.
  • Leveraging your organization's Virtual Private Network: Users are already familiar with the use of VPNs to connect mobile computers back to the office network. Most are not aware that both BlackBerry and Apple devices have built-in VPN clients that can likely encrypt all traffic being sent back to an organization. Consider requiring VPN connections for access to particularly sensitive data.

Remembering the Basics

While implementing strong encryption technology is important, it's no substitute for the basic security measures that users should already be required to follow. Notably, all devices should have a passcode to protect them from unauthorized access.

All the encryption in the world is useless if a would-be data thief can simply pick up a device and start using it. It’s alarming to know that many users, if left on their own, fail to take advantage of passcode protection because of the inconvenience of entering the passcode each time they use the device.

Both BlackBerrys and iPhones react in a similar fashion when the wrong passcode is entered: They implement lengthier delays between each unsuccessful attempt, and eventually wipe the contents of the device. This foils the brute-force attempts of an attacker determined to try all 10,000 possible four-digit passcodes.

Administrators can choose to customize the exact requirements and device responses to meet the needs of their organization. For example, an organization with particularly sensitive information might lower the default device wipe threshold from 10 to four unsuccessful attempts. Just be wary of children who gain access to a device left out at home and accidentally wipe Mom’s or Dad’s smartphone. Be sure to have a strong data backup mechanism in place before implementing any type of automated wipe.

Scaling Management to the Enterprise

At this point, you might think all these security controls sound like great ideas, but how can you possibly ensure that every smartphone in your organization is properly configured? After all, it takes only one misconfigured device to jeopardize the security of an entire organization.

Fortunately, management tools exist that allow centralized security administration of phones.

Administrators of BlackBerry devices can use the BlackBerry Enterprise Server (BES) to mandate and monitor the security settings of their smartphones. Similarly, the iPhone allows administrators to control device security settings through Microsoft Exchange policies. Both platforms allow the configuration of specific security requirements as well as remotely wiping devices that are lost or stolen.

This capability also can prove useful if a former employee refuses to return a device belonging to the organization. In addition to disabling the user's account, it’s possible to remotely purge the smartphone of an organization’s data.

While these factors might seem daunting to security professionals, they also offer tremendous opportunities to increase the productivity of the mobile workforce. Proactive security managers can leverage encryption technology to protect data stored or transmitted on these devices and use centralized administration tools to ensure that policies are applied consistently and effectively to all devices throughout the enterprise.