
Tech Insight: Managing Mobile Mayhem

Enterprise options for encrypting and wiping mobile devices and portable storage

With the decrease in size and cost of portable devices, we can finally carry our entire life everywhere we go. When traveling to and from the office, I have 320 GB of storage in my laptop, 2 TB external storage in my bag, and 16 GB in my phone: I’m carrying both personal and work documents and emails that I must encrypt alongside other information that is of little value to thieves, but that I wouldn’t want anyone to grab.

Enterprises have an increasingly difficult challenge as users bring their own devices -- and continue to lose laptops -- and as portable storage becomes even cheaper and more common.

Encryption and remote wiping of portable devices are usually discussed in the context of mobile phones and popular tablets managed through mobile device management (MDM) solutions. These solutions can be expensive and might not support every device in an enterprise, leaving us to search for encryption or remote-wipe options for all of the other devices we have floating around.

We know data requiring protection will be stored on portable devices, so a protection solution is required. Short of preventing the data from being stored on the device at all, encryption is generally the best way to ensure data stays secure even if the device is stolen. Current versions of OS X include FileVault, and Windows offers BitLocker, as native encryption solutions. In mixed environments, relying on native tools means supporting several different products or leaving older operating systems unprotected, and each may lack features the organization needs that commercial disk-encryption utilities, such as Symantec's PGP Whole Disk Encryption or Check Point's Full Disk Encryption, provide.

If the native operating system or third-party commercial solutions aren't for you, then check out TrueCrypt's open-source offering.

Each of these solutions can also be used to encrypt portable storage devices connected to the system -- though none will work for your mobile phone. Mobile phone encryption is almost exclusively limited to the manufacturer's built-in features. Recent versions of the iPhone and Android operating systems offer disk encryption, but neither offers encryption of individual files or data elements, such as a single phone number. Third-party applications exist to encrypt phone book entries, photos, and other files, but none has emerged as a leader or is widely used.

While whole-disk encryption provides the most comprehensive protection, it might be overkill or problematic, depending on the OS version and conflicting software. File-based encryption can be easier to deploy, but it makes encryption policies harder to enforce. TrueCrypt, PGP, and GPG are the most common solutions for file-based encryption. Some organizations lacking these tools resort to WinZip or similar products that support AES-256 encryption and complex passphrases. This is a last resort and far less manageable, and it doesn't provide the same level of security as a true purpose-built encryption solution.
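One reason file-based encryption is hard to police is that nothing stops a user from copying the plaintext, or a legacy ZipCrypto archive, onto the same stick. The following audit is an added example, not code from the article or any of the vendors it names: it classifies files found on portable media by their headers (PGP armor, OpenPGP binary packets, and ZIP local headers including the WinZip AES extra field) so a compliance scan can flag what is not encrypted to policy. The sample files are constructed inline.

```python
import struct

# OpenPGP packet tags that legitimately begin an encrypted message:
# 1 = public-key encrypted session key, 3 = symmetric-key encrypted session key,
# 8 = compressed data, 9 = symmetrically encrypted data, 18 = SEIP data.
PGP_MESSAGE_TAGS = {1, 3, 8, 9, 18}
AES_STRENGTH = {1: 128, 2: 192, 3: 256}   # WinZip AE-x strength byte -> key bits

def _zip_aes_bits(extra: bytes):
    """Return the AES key size from a WinZip AE-x extra field (id 0x9901), or None."""
    i = 0
    while i + 4 <= len(extra):
        hid, size = struct.unpack_from("<HH", extra, i)
        if hid == 0x9901 and size >= 7:
            _ver, _vendor, strength, _method = struct.unpack_from("<H2sBH", extra, i + 4)
            return AES_STRENGTH.get(strength)
        i += 4 + size
    return None

def classify(data: bytes) -> str:
    """Heuristic check of how (or whether) a file on portable media is encrypted."""
    if data.startswith(b"-----BEGIN PGP MESSAGE-----"):
        return "pgp-armored"
    if data and data[0] & 0x80:                      # OpenPGP packet headers set bit 7
        new_fmt = bool(data[0] & 0x40)
        tag = data[0] & 0x3F if new_fmt else (data[0] >> 2) & 0x0F
        if tag in PGP_MESSAGE_TAGS:
            return "pgp-binary"
    if data[:4] == b"PK\x03\x04" and len(data) >= 30:
        flags, method = struct.unpack_from("<HH", data, 6)
        fnlen, extralen = struct.unpack_from("<HH", data, 26)
        if not flags & 0x1:                           # general-purpose bit 0 = encrypted
            return "zip-unencrypted"
        if method == 99:                              # WinZip AES compression method
            bits = _zip_aes_bits(data[30 + fnlen:30 + fnlen + extralen])
            if bits:
                return f"zip-aes{bits}"
        return "zip-zipcrypto"                        # legacy PKWARE encryption, weak
    return "plaintext"

def _zip_header(flags, method, extra=b"", name=b"doc.txt"):
    return struct.pack("<IHHHHHIIIHH", 0x04034B50, 20, flags, method,
                       0, 0, 0, 0, 0, len(name), len(extra)) + name + extra

# Constructed sample files standing in for a scan of a USB drive.
SAMPLES = {
    "notes.txt": b"Q3 forecast, internal only\n",
    "notes.txt.asc": b"-----BEGIN PGP MESSAGE-----\n\nhQEMA...\n-----END PGP MESSAGE-----\n",
    "notes.txt.gpg": b"\xc3\x04\x04\x09\x03" + b"\x00" * 20,
    "archive-aes.zip": _zip_header(1, 99, struct.pack("<HHH2sBH", 0x9901, 7, 2, b"AE", 3, 8)),
    "archive-legacy.zip": _zip_header(1, 8),
    "archive-plain.zip": _zip_header(0, 8),
}

def audit(files=SAMPLES):
    """Map each name to its class; 'plaintext' and 'zip-zipcrypto' violate the policy."""
    return {name: classify(data) for name, data in files.items()}
```

The header checks are heuristics: they confirm the container format, not that a strong passphrase was used, which is exactly the enforcement gap the paragraph above describes.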

When devices are lost or stolen, we might want to ensure the data is removed rather than take any chance that encryption or authentication is defeated. Remote wiping is well-supported in enterprise MDM solutions for Android and iOS phones, and ActiveSync, used to sync email to mobile devices, can enforce some policies on them as well. Purpose-built and MDM solutions can push a "wipe" command at any time, while ActiveSync and other apps require the device to phone home first. The difference and its benefits are obvious, but when on a budget we have to take what we can get.

[A recent forensics investigation shows how much data is actually left on discarded smartphones. See Old Smartphones Leave Tons Of Data For Digital Dumpster Divers. ]

Remote wiping of laptops becomes tricky, and that's why encryption is typically a better solution. Fujitsu and HP offer options for encryption and remote wipe capabilities within their laptops. For users of hardware without these advanced security features, there aren’t many solutions. Three common solutions often mentioned are Absolute Software’s Computrace, Prey, and EX05. Prey is the only free solution of the three and differs slightly from the other solutions, but can achieve the same goal.

Remote wiping is even less common for portable storage devices. IronKey offers a solution aptly named Silver Bullet that allows wiping of supported IronKey USB drives when they are inserted into a host and decrypted with the password. Conseal Security offers a commercial solution for encrypting and remotely wiping USB and external hard drives -- and it's not tied to a specific hardware vendor.

While there aren’t many open-source, free, or cheap solutions for encrypting data, the native or third-party solutions out there work. Mobile phones and tablets are still behind in terms of offerings and support compared to laptops, but with built-in protections and offerings increasing, it is just a matter of time before they are better managed and protected in every organization. Remote wiping of lost devices should be a secondary control due to the lack of solutions and complexity that can quickly arise from supporting various platforms.
