2012 Data Encryption Survey: Progress And Pain

As broken protocols, cloud, mobility, and key management woes add to IT's load, the best bet is to get self-sufficient.
Starbucks Is The New Corner Office

To some extent, most organizations have put in place an "access from anywhere" computing program. Respondents to our 2009 survey saw this coming and were scrambling to figure out how to secure data; most opted for full-disk encryption, or FDE, for laptops and blocked access to the corporate network from other mobile devices.

Then, in January 2010, just a few short months after we issued our report, the world changed. Apple released the iPad, and rejoicing ensued. Now, almost 80% of respondents to our InformationWeek Mobile Device Management and Security Survey say tablets will grow in importance. In response, we got one of the largest jumps in our encryption survey, with 79% of 2012 respondents saying they either have mobile device encryption in place now or will within 12 to 24 months, compared with 64% in 2009. To go along with the surge in mobile device growth, email encryption has also continued to gain traction, as 81% of respondents using encryption now use or plan to use email encryption, compared with 72% in 2009. Rounding out the top three is the Trusted Platform Module, used by laptops to implement FDE. That's important, because for all the light and noise around smartphones and tablets and ultrabooks, most real work is still done on laptops. No one is writing a legal brief or marketing plan on a tablet, much less an iPhone. If you haven't yet implemented FDE, note that the negatives to locking down hard disks--mainly reduced performance and problems troubleshooting issues--have disappeared over the past three years, thanks to the advent of self-encrypting drives. (We discuss SEDs in depth in our full report, which is available free.)

As for other mobile devices, the devil is in the platform details when it comes to encryption.

Apple iOS 4 provides file-based encryption using a key generated uniquely per phone. The caveat is that a device passcode must be in place for data protection to work, and the app itself has to opt in and use the data protection APIs; otherwise the data is recoverable via a jailbreak or rooting. By default, only iOS Mail and a few other apps, like GoodReader and Box, incorporate these APIs. If you support devices running iOS 4 or higher and require that a passcode be configured, then even if the device is jailbroken or rooted, data protected by the data protection APIs is not readable unless the passcode is provided to the app.
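To show what that opt-in looks like in practice, here is an added Objective-C example written for this article, not code from the original or from Apple: it writes the same constructed sample record once with the plain write call (no protection class) and once with the data protection option, then reads back the protection class the file actually carries. The file name and record contents are assumptions.

```objective-c
#import <Foundation/Foundation.h>

// Constructed sample: the kind of record an app might cache locally.
static NSString *const kSampleRecord = @"account=0000-PLACEHOLDER;balance=0";

// Writes a cached record into the app's Documents directory.
// With protect == NO it uses the plain writeToFile: call, which on iOS 4
// leaves the file at NSFileProtectionNone, readable from a jailbroken
// device even while it is locked. With protect == YES it opts in to
// NSFileProtectionComplete, so the file's key is unavailable until the
// user unlocks the device with the passcode.
static BOOL writeCachedRecord(NSString *path, BOOL protect, NSError **error)
{
    NSData *data = [kSampleRecord dataUsingEncoding:NSUTF8StringEncoding];
    if (!protect) {
        return [data writeToFile:path atomically:YES];
    }
    return [data writeToFile:path
                     options:NSDataWritingFileProtectionComplete
                       error:error];
}

// Reads back the protection class actually applied, so a reviewer can
// confirm the opt-in took effect instead of trusting the write call.
static NSString *protectionClassOfFile(NSString *path)
{
    NSError *error = nil;
    NSDictionary *attrs = [[NSFileManager defaultManager]
                           attributesOfItemAtPath:path error:&error];
    NSString *cls = [attrs objectForKey:NSFileProtectionKey];
    return cls ? cls : @"(none reported)";
}

int main(int argc, char *argv[])
{
    @autoreleasepool {
        NSString *docs = [NSSearchPathForDirectoriesInDomains(
            NSDocumentDirectory, NSUserDomainMask, YES) objectAtIndex:0];
        NSString *path = [docs stringByAppendingPathComponent:@"cache.txt"];
        NSError *error = nil;

        writeCachedRecord(path, NO, &error);
        NSLog(@"default write  -> %@", protectionClassOfFile(path));

        // The protection class only matters if the device has a passcode;
        // without one the class key is never locked, so this opt-in alone
        // does not protect the record (the article's point about passcodes).
        writeCachedRecord(path, YES, &error);
        NSLog(@"opted-in write -> %@", protectionClassOfFile(path));
    }
    return 0;
}
```

Checking the attribute after the write is a cheap review step for any app that claims to use data protection: a file that still reports no protection class is one the author forgot to opt in.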

As for Android, only versions higher than 2.3.3 support data encryption, and that is only for flash storage. Prior to version 2.3.3, it was up to the handset manufacturer to provide encryption--a losing proposition for IT. When it comes to Android tablets, Honeycomb (Android 3.0) provides built-in FDE and operates similarly to laptop-based FDE, but it has problems, specifically around performance and with USB mounting of a device that is unlocked. Also, like Apple, Android provides libraries that developers can employ to encrypt data, but it's left to the app creator to use these libraries. History has shown they don't always implement them properly; for example, in 2010, Citibank's iPhone app improperly stored account numbers and other sensitive data on the device in clear text.

The clear winner when it comes to on-device encryption is BlackBerry. Research In Motion implements centralized management through BlackBerry Enterprise Server and provides APIs, automatic encryption of user data, and full-device encryption. BlackBerry's end-to-end encryption and content protection is so well implemented that it's approved for use by NATO to send classified information.

Remember, no matter what platform you use, a passcode to lock the device is a must. If your users don't lock their devices, encryption doesn't matter because the mobile OS will decrypt data automatically. This is why we recommend a mobile device management system, to force that pesky passcode to stay enabled.

Encryption now and in the future

Michael A. Davis is the CEO of Savid Technologies, a technology and security consulting firm based in Chicago. Write to us at [email protected]