PGP's primary focus is encrypting and decrypting data using public key directories--either ones that you control or ones that are available to the world. PGP doesn't reinvent the wheel with its own device-specific controls for security functions, such as device and password management, remote wipe, and malicious code control. For complete mobile security, PGP security products must be used in combination with the manufacturer's device management software, such as Microsoft's System Center Mobile Device Manager or Research In Motion's BlackBerry BES Server.
Keep these points in mind when shopping for this type of product. If your company has standardized on one device type, using that manufacturer's management system and PGP's mature asymmetric data cryptography isn't a bad way to go. For heterogeneous environments, however, mastering several manufacturers' device control systems and cryptography may be unwieldy. In these environments, a multiplatform management/cryptography approach, such as that used by Credant, becomes more attractive. Weigh each feature carefully.
The PGP Encryption Platform includes several products that facilitate transparent key lookup when encrypting or decrypting data and use the same cross-platform-compatible file formats. For example, an encrypted file or volume created on a PGP-protected Windows Mobile device can be decrypted on a Windows desktop or Mac running PGP's Whole Disk Encryption product. This was convenient and effective in our tests.
PGP prides itself on keeping a similar look and feel across platforms, so users who learn on one system will likely know what to do on another. Overall, the application hides complex operations from users and features clean, consistent interfaces across platforms.
Where Are Those Keys?
When provisioning, both public and private keys can be downloaded via SSL and unlocked when they reach the device, after which they are cached for ongoing use. When you need to encrypt files for a few recipients, you access Universal Server and download public keys, which are then used to encrypt data. Individual users decrypt using their personal private keys. PGP offers multiple private key distribution and management schemes, depending on your security requirements.
A key component of PGP's overall security architecture is the PGP Universal Server, which is designed to provide key management capabilities to each platform component. Universal Server is the repository where public keys are kept and where usage policies are crafted and deployed. You can use PGP's public key directories instead, but with Universal, you have control over policies and who appears in the directory.
PGP's Windows Mobile version doesn't integrate directly with the device's e-mail application, although PGP says this is on the drawing board. To send files securely, you have to zip them via the PGP application, then attach them to the e-mail. This is a multistep process, but it results in an e-mail message that has a secure attachment but whose body is still in the clear.
We didn't test PGP's Mobile Security for BlackBerry apps, but it's worth mentioning because its features differ significantly from the Windows version in that it comes embedded as part of RIM's operating system on BlackBerrys and need only be activated with a license key.
In contrast to local file storage security, the BlackBerry version aims for secure end-to-end e-mail communications and improves on RIM's S/MIME scheme. After licensing, you point the device to PGP Universal Server, which stores policies used for enforcing crypto behavior. Say, for example, your biotech company develops drugs and must adhere to the Food and Drug Administration Title 21 CFR Part 11 rules for secure electronic transactions. You might set a policy to PGP-encrypt e-mail sent to domains FDA.gov and heartdrugdev.com, your sister company. Whenever you send e-mail to those domains, the BlackBerry looks up each recipient's public key to encrypt the e-mail.