Managing Mobile Encryption
The walls are moving outward faster than ever. In the past 10 years, many
employees have gone from working in an office to working outside the office
to carrying their entire office in a shoulder bag or on a belt holster.
What this means to IT departments is that technology managers face the unenviable
task of securing more devices than ever. If your organization is moving to
encrypt its mobile data, consider the following tips to help you get the most
out of an encryption strategy.
Tip 1. Deploy comprehensive, managed security software that works on multiple
platforms.
If your IT department supports more than a handful of users, you already
know that using centrally managed software is a necessity. Encryption is no
exception. Several big-name developers offer centrally managed encryption
packages and malware protection for desktop and notebook systems, as well
as mobile devices, removable storage and attached network shares.
Keep it simple by consolidating as much as possible. It will be easier on
both your users and support staff, and one-stop solutions also come with an
implied assurance of compatibility between components.
Tip 2. Take advantage of the Trusted Platform Module.
Most desktops and notebooks feature Trusted Platform Module technology. A
TPM chip can encrypt and bind a user's hard drive to his or her system
so that it will no longer work without a valid password or security token.
TPM can also provide hardware-level authentication to other common security
tokens, such as virtual private network challenge phrases, Microsoft Windows
passwords and even Wi-Fi network keys. Because it's hardware-based,
TPM authentication is intrinsically more secure – the credentials reside
within the chipset and never enter the software layer.
Tip 3. Understand the strengths and weaknesses of full-disk versus file-level
encryption.
Considering the number of mobile devices that fall victim to theft and loss
each year, you want to employ the strongest available encryption technology.
When locking down data on hard drives in mobile devices, you essentially have
two encryption options: full-disk, which automatically encrypts everything
on the hard drive, and file, which lets users handpick what to encrypt.
Although its on-demand nature makes file-level encryption faster, full-disk
encryption means you don't have to fret about a mobile user losing a
file or a clever hacker lifting information from temporary files.
Tip 4. Enable content protection on BlackBerrys.
One easy way to encrypt sensitive BlackBerry
user data is to enable the content protection option. This can be accomplished
either through menus on the smartphone itself or through a policy setting
on the BlackBerry
Enterprise Server.
Once enabled, a user's phone will automatically encrypt any data it
deems sensitive, such as e-mail, web-browsing history and contacts. It will
prevent access to this information any time the device is locked. This safeguards
data from being recovered physically through the phone itself.
Tip 5. Don't let removable storage slip through the cracks.
Remember that sensitive data isn't always confined to local drives
on users' machines. If your group policies allow users to connect external
drives, make sure to encrypt those drives as well. Consider purchasing a centrally
managed solution that can port to removable media such as external hard drives
and thumb drives. Another cost-effective method: Buy drives with built-in
encryption and, ideally, fingerprint authentication.
