For this smartphone security Rolling Review installment, we take a close look at PGP Mobile 9.9.0, part of PGP's PGP Encryption Platform. This suite of products does an impressive job of encrypting data that lives on or moves among devices.

PGP's primary focus is encrypting and decrypting data using public key directories--either ones that you control or ones that are available to the world. PGP doesn't reinvent the wheel with its own device-specific controls for security functions, such as device and password management, remote wipe, and malicious code control. For complete mobile security, PGP security products must be used in combination with the manufacturer's device management software, such as Microsoft's System Center Mobile Device Manager or Research In Motion's BlackBerry BES Server.

Keep these points in mind when shopping for this type of product. If your company has standardized on one device type, using that manufacturer's management system and PGP's mature asymmetric data cryptography isn't a bad way to go. For heterogeneous environments, however, mastering several manufacturers' device control systems and cryptography may be unwieldy. In these environments, a multiplatform management/cryptography approach, such as that used by Credant, becomes more attractive. Weigh each feature carefully.

The PGP Encryption Platform includes several products that facilitate transparent key lookup when encrypting or decrypting data and use the same cross-platform-compatible file formats. For example, an encrypted file or volume created on a PGP-protected Windows Mobile device can be decrypted on a Windows desktop or Mac running PGP's Whole Disk Encryption product. This was convenient and effective in our tests.

PGP prides itself on keeping a similar look and feel across platforms, so users who learn on one system will likely know what to do on another. Overall, the application hides complex operations from users and features clean, consistent interfaces across platforms.

Where Are Those Keys?
When provisioning, both public and private keys can be downloaded via SSL and unlocked when they reach the device, after which they are cached for ongoing use. When you need to encrypt files for a few recipients, you access Universal Server and download public keys, which are then used to encrypt data. Individual users decrypt using their personal private keys. PGP offers multiple private key distribution and management schemes, depending on your security requirements.

Rolling Review

SMARTPHONE SECURITY

Business value
Data stored on smartphones is vulnerable to being lost or stolen. This Rolling Review tests vendors' ability to secure data on devices and platforms.

Reviewed so far
> Trend Micro Mobile Security 5.0 Suite delivers flexible options for locking down mobile devices.

> Credant Mobile Guardian: Provides centrally managed protection for data on many types of devices.

• PGP Mobile
Offers encrypted volume, zipping, and data-wiping, as well as strong end-to-end crypto for BlackBerry.

Still to come
Trust Digital

More about this rolling review >>

PGP Mobile 9.9.0 focuses on file and disk encryption, and gives you the ability to create encrypted volumes and ZIP files comprising one or more clear-text files. These are secured via public keys or a password. To decrypt, you use the corresponding private key or the same password. It's possible to create ZIP file archives with very weak passwords. Users should be trained to always use public keys for ZIP files or volumes--or better yet, turn off the ability to use passwords. Users also must be trained to always mount the crypto volume, then store all files in that volume. When files need to be securely deleted, users should always utilize the included PGP Shredder utility for secure deletion.

A key component of PGP's overall security architecture is the PGP Universal Server, which is designed to provide key management capabilities to each platform component. Universal Server is the repository where public keys are kept and where usage policies are crafted and deployed. You can use PGP's public key directories instead, but with Universal, you have control over policies and who appears in the directory.

PGP's Windows Mobile version doesn't integrate directly with the device's e-mail application, although PGP says this is on the drawing board. To send files securely, you have to zip them via the PGP application, then attach them to the e-mail. This is a multistep process, but it results in an e-mail message that has a secure attachment but whose body is still in the clear.

We didn't test PGP's Mobile Security for BlackBerry apps, but it's worth mentioning because its features differ significantly from the Windows version in that it comes embedded as part of RIM's operating system on BlackBerrys and need only be activated with a license key.

In contrast to local file storage security, the BlackBerry version aims for secure end-to-end e-mail communications and improves on RIM's S/MIME scheme. After licensing, you point the device to PGP Universal Server, which stores policies used for enforcing crypto behavior. Say, for example, your biotech company develops drugs and must adhere to the Food and Drug Administration Title 21 CFR Part 11 rules for secure electronic transactions. You might set a policy to PGP-encrypt e-mail sent to domains FDA.gov and heartdrugdev.com, your sister company. Whenever you send e-mail to those domains, the BlackBerry looks up each recipient's public key to encrypt the e-mail.