Tech Insight: Managing Mobile Mayhem
Enterprise options for encrypting and wiping mobile devices and portable storage
Adam Ely- Contributing Editor
Dark Reading
December 16, 2011
With the decrease in size and cost of portable devices, we can finally carry our entire life everywhere we go. When traveling to and from the office, I have 320 GB of storage in my laptop, 2 TB external storage in my bag, and 16 GB in my phone: I’m carrying both personal and work documents and emails that I must encrypt alongside other information that is of little value to thieves, but that I wouldn’t want anyone to grab.
Enterprises have an increasingly difficult challenge as users bring their own devices -- and continue to lose laptops -- and as portable storage becomes even cheaper and more common.
Encryption and remote wiping of portable devices are usually discussed in the context of mobile phones and popular tablets managed by mobile device management (MDM) solutions. MDM can be expensive and might not support every device in the enterprise, leaving us to find encryption or remote-wipe solutions for everything else floating around.
We know data requiring protection will end up on portable devices, so a protection solution is required. Short of preventing the data from being stored on the device at all, encryption is generally the best way to keep data safe even when the hardware is stolen. Current versions of OS X include FileVault (FileVault 2 in Lion encrypts the whole disk; earlier versions encrypted only the user's home folder) and Windows offers BitLocker in its Enterprise and Ultimate editions as native disk-encryption solutions. In mixed environments, that means supporting one product per platform or leaving older operating systems and lower Windows editions without the feature, and either native tool can lack features the organization requires that are found in commercial disk-encryption utilities such as Symantec's PGP Whole Disk Encryption or Check Point's Full Disk Encryption.
If neither the native operating-system features nor the third-party commercial products suit you, check out TrueCrypt, which is free to use and publishes its source.
Each of these solutions can also encrypt portable storage devices connected to the system -- though none will work for a mobile phone. Phone encryption is almost exclusively a matter of the manufacturer's built-in features. Recent versions of iOS and Android offer device-level encryption, and iOS additionally exposes a per-file Data Protection API that applications must opt into, but neither platform gives the user a way to encrypt an individual data element, such as a phone number. Third-party applications exist to encrypt phone book entries, photos, and other files, but none has emerged as a leader or is widely used.
While whole-disk encryption provides the most comprehensive protection, it can be overkill or problematic, depending on OS version and conflicting software. File-based encryption can be easier to deploy, but it makes encryption policy harder to enforce, because protection depends on each user choosing to encrypt each file; whole-disk encryption, by contrast, can be verified centrally by querying the native tools. TrueCrypt, PGP, and GPG are the most common file-based solutions. Some organizations lacking these tools resort to WinZip or similar products that support AES-256 encryption with complex passphrases. This is a last resort: it is far less manageable, it offers none of the key management of purpose-built encryption products, and the legacy ZIP password scheme (ZipCrypto) that such products also accept is trivially broken, so only the AES mode counts as protection at all.
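Whole-disk encryption has one management advantage over file-based schemes that the paragraph above touches on: its state can be read from the native tool rather than trusted to the user. The script below is an added example, not code from the article or from any vendor it names. It parses the text printed by `fdesetup status` on OS X Lion, `manage-bde -status` on Windows 7, and `lsblk -o NAME,TYPE,MOUNTPOINT` on Linux, and flags hosts whose system volume is not actually protected. The sample outputs are constructed to mirror those tools' layout, and the hostnames and the `SAMPLE_FLEET` table are assumptions.

```python
"""Audit native whole-disk encryption status from the tools' own output.

Added example, not code from the article or from any vendor it names.
All sample outputs below are constructed to mirror the tools' layout.
"""
import re

# --- Constructed sample outputs -------------------------------------------
FDESETUP_ON = "FileVault is On.\n"
FDESETUP_OFF = "FileVault is Off.\n"
FDESETUP_BUSY = "FileVault is On.\nEncryption in progress: Percent completed = 42\n"

MANAGE_BDE_ON = """\
Volume C: [OS]
[OS Volume]

    Size:                 232.00 GB
    BitLocker Version:    Windows 7
    Conversion Status:    Fully Encrypted
    Percentage Encrypted: 100%
    Encryption Method:    AES 256 with Diffuser
    Protection Status:    Protection On
    Lock Status:          Unlocked
    Key Protectors:
        TPM
        Numerical Password
"""
# Suspended BitLocker: data is encrypted but the key is stored in the clear
# on disk, so a report must not count this volume as protected.
MANAGE_BDE_SUSPENDED = MANAGE_BDE_ON.replace("Protection On", "Protection Off")

LSBLK_LUKS = """\
NAME              TYPE  MOUNTPOINT
sda               disk
├─sda1            part  /boot
└─sda2            part
  └─cryptroot     crypt /
"""
LSBLK_PLAIN = """\
NAME              TYPE  MOUNTPOINT
sda               disk
├─sda1            part  /boot
└─sda2            part  /
"""


def filevault_status(output):
    """Reduce `fdesetup status` text to 'on', 'off', 'encrypting' or 'unknown'."""
    if "Encryption in progress" in output:
        return "encrypting"  # conversion unfinished: plaintext still on disk
    m = re.search(r"FileVault is (On|Off)\.", output)
    return m.group(1).lower() if m else "unknown"


def bitlocker_volumes(output):
    """Parse `manage-bde -status` text into {drive_letter: {field: value}}."""
    volumes, current = {}, None
    for line in output.splitlines():
        vol = re.match(r"^Volume ([A-Z]):", line)
        if vol:
            current = vol.group(1)
            volumes[current] = {}
            continue
        # Fields are indented four spaces; key protector names are indented
        # eight and carry no colon, so they fall through without matching.
        field = re.match(r"^ {4}([A-Za-z ]+):\s+(\S.*?)\s*$", line)
        if field and current is not None:
            volumes[current][field.group(1).strip()] = field.group(2)
    return volumes


def bitlocker_protected(fields):
    """Encrypted AND protection on; 'Fully Encrypted' alone is not enough."""
    return (fields.get("Conversion Status") == "Fully Encrypted"
            and fields.get("Protection Status") == "Protection On")


def luks_root_mounted(output):
    """True if `/` sits on a dm-crypt device in `lsblk -o NAME,TYPE,MOUNTPOINT`."""
    for line in output.splitlines()[1:]:  # skip the header row
        cols = line.split()               # tree glyphs stay inside the NAME column
        if len(cols) >= 3 and cols[-2] == "crypt" and cols[-1] == "/":
            return True
    return False


def is_encrypted(platform, output):
    """Decide one host's compliance from the output of its native tool."""
    if platform == "osx":
        return filevault_status(output) == "on"
    if platform == "windows":
        vols = bitlocker_volumes(output)
        return "C" in vols and bitlocker_protected(vols["C"])
    if platform == "linux":
        return luks_root_mounted(output)
    raise ValueError("unsupported platform: %r" % platform)


# Hypothetical fleet: hostnames and platform assignments are assumptions.
SAMPLE_FLEET = {
    "mac-01": ("osx", FDESETUP_ON),
    "mac-02": ("osx", FDESETUP_BUSY),
    "win-01": ("windows", MANAGE_BDE_ON),
    "win-02": ("windows", MANAGE_BDE_SUSPENDED),
    "lnx-01": ("linux", LSBLK_LUKS),
    "lnx-02": ("linux", LSBLK_PLAIN),
}


def audit(fleet):
    """Return the sorted list of hosts whose system volume is not protected."""
    return sorted(h for h, (plat, out) in fleet.items() if not is_encrypted(plat, out))


if __name__ == "__main__":
    for host in audit(SAMPLE_FLEET):
        print("NOT ENCRYPTED:", host)
```

Two of the verdicts are the ones a naive check gets wrong: a BitLocker volume that reports Fully Encrypted with Protection Off is suspended, with its key on disk in the clear, and a Mac still converting has plaintext left on the disk, so both are treated as unprotected. Nothing comparable can be asked of file-based encryption, which is the enforcement gap the paragraph above describes.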
When devices are lost or stolen, we might want to ensure the data is removed rather than bet that encryption and authentication hold. Remote wipe is well supported in enterprise MDM solutions for Android and iOS, and Exchange ActiveSync, which most phones already use for email, can enforce a subset of device policies (such as a PIN and device encryption) and issue a wipe as well. The difference is in delivery: an MDM agent receives a wipe command by push as soon as the device is online, whereas an ActiveSync wipe arrives only when the mail client next syncs. In either case a device kept offline (airplane mode, SIM removed) never receives the command, so wipe cannot be the only control. When on a budget, though, we take what we can get.
[A recent forensics investigation shows how much data is actually left on discarded smartphones. See Old Smartphones Leave Tons Of Data For Digital Dumpster Divers. ]
Remote wiping of laptops is trickier, which is why encryption is typically the better solution there. Fujitsu and HP offer encryption and remote-wipe capabilities built into some of their laptops. For hardware without these features there aren't many options; three commonly mentioned are Absolute Software's Computrace, Prey, and EX05. Prey is the only free one of the three and works a little differently, but it can achieve the same goal. All of them share the phone-home problem described above: the wipe runs only if the machine reaches a network after it has been reported lost.
Remote wiping is even less common for portable storage devices. IronKey offers a feature aptly named Silver Bullet that wipes supported IronKey USB drives when one is inserted into a host and unlocked with its password, so it too depends on the drive being plugged in and unlocked after the loss is reported. Conseal Security offers a commercial solution for encrypting and remotely wiping USB and external hard drives that is not tied to a specific hardware vendor.
While there aren't many open-source, free, or cheap solutions for encrypting data, the native and third-party solutions that exist work. Mobile phones and tablets still lag laptops in offerings and support, but with built-in protections increasing, it is only a matter of time before they are as well managed and protected in every organization. Remote wiping of lost devices should be a secondary control, given the scarcity of solutions and the complexity that quickly arises from supporting several platforms.