Enforceable Encryption on Enterprise Mobile Devices

By Rich Campagna, Subbu Iyer, Ashwin Krishnan, Mark Bauhaus

One way to counter spyware and data theft on your enterprise mobile devices is enforceable encryption: software that encrypts critical data residing on the device under a policy the user cannot switch off. Extensible memory on these devices, including removable storage, makes the loss of a device dangerous if it holds any sensitive data, because a removable card can be pulled out and read without ever unlocking the device.

One way to mitigate this loss is to encrypt the data on those memory cards; then, if the device is lost or stolen, an unauthorized user who puts the card in a card reader sees only ciphertext. For the same reason, strong authentication should be mandatory for on-board memory as well, and it only helps if the stored data is actually encrypted under a key that unlocking the device releases, so that pulling the flash chip gains nothing. Keep in mind what this does and does not cover: encryption at rest protects against someone who has the hardware but not the credentials; it does not stop spyware that runs on an already unlocked device, where the keys are loaded and the data is readable. The types of enforceable encryption you can use to secure your organization's devices include:

Encrypting all outbound and inbound communication

If your goal is to protect the whole data ecosystem, you need mandatory encryption of all outbound and inbound communication, that is, every message to and from the device. On the face of it, this is no different from the policies imposed on users of laptops and desktops that connect to your network via VPNs (virtual private networks): a full tunnel, with nothing allowed to bypass it.

There is, however, one important way in which mobile device encryption must differ from typical laptop encryption: your policies must address the ever-expanding set of applications that mobile device users constantly download and experiment with.

Although most of these applications have nothing to do with you, because they don't access any enterprise content, they do pose a problem for an encrypt-all policy. You would have to transport all that non-enterprise application data through the tunnel, dragging it into the enterprise only to redirect it back to the Internet, which spends gateway bandwidth on personal traffic and puts that traffic on your network.

All traffic encrypted and backhauled to enterprise.

Encrypting only enterprise traffic

The obvious alternative to this approach is to distinguish enterprise applications from non-enterprise applications and intelligently encrypt only the traffic destined for the enterprise (split tunneling). That's a win-win for everyone, right? Well, not exactly. The solution requires a smart agent to reside on the mobile device and decide which traffic to encrypt and which to let fly, and that agent becomes part of your security boundary: if its classification rule is wrong, or a user can tamper with it, enterprise traffic leaves the device in the clear. The rule therefore has to consider the destination as well as the sending application, because an unmanaged app can still open a connection to an internal host.

Enterprise-only traffic encrypted and backhauled to enterprise.
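The decision the on-device agent has to make can be written down as a small policy. The following Python is an added illustration, not code from the original article or from any vendor's agent; the managed app identifiers, enterprise domains and address ranges are constructed for the example. It shows the two rules a split-tunnel policy needs, applied in order: destination first, so an unmanaged app cannot reach internal hosts outside the tunnel, then managed app, so enterprise app traffic to a public host is still protected. Hostname matching is done on a label boundary so a lookalike name such as notcorp.example.com does not match corp.example.com.

```python
"""Split-tunnel policy for an on-device agent: which flows to encrypt and backhaul.

Added example, not from the original article. App IDs, domains and networks
below are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass

# Constructed policy data (assumed for the example).
ENTERPRISE_DOMAINS = ("corp.example.com", "mail.example.com")
ENTERPRISE_NETWORKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.168.100.0/24"),
]
MANAGED_APPS = {"com.example.mail", "com.example.crm"}


@dataclass(frozen=True)
class Flow:
    app_id: str   # bundle/package identifier of the app that opened the socket
    dest: str     # destination hostname or IP literal
    port: int


def is_enterprise_destination(dest: str) -> bool:
    """True if dest is an enterprise hostname (exact or subdomain) or an internal address."""
    try:
        addr = ipaddress.ip_address(dest)
    except ValueError:
        # Not an IP literal: compare as a hostname. Normalise case and a trailing dot,
        # and require a label boundary so 'notcorp.example.com' does not match.
        host = dest.lower().rstrip(".")
        return any(host == d or host.endswith("." + d) for d in ENTERPRISE_DOMAINS)
    return any(addr in net for net in ENTERPRISE_NETWORKS)


def decide(flow: Flow) -> str:
    """Return 'tunnel' (encrypt and backhaul) or 'direct' (send to the Internet as-is).

    Rule order is deliberate:
      1. Any flow to an enterprise destination is tunnelled, whatever app sent it,
         so a personal app cannot reach internal hosts outside the tunnel.
      2. Any flow from a managed app is tunnelled, whatever the destination, since
         enterprise content may go to a public SaaS or CDN host.
      3. Everything else is personal traffic and goes direct.
    """
    if is_enterprise_destination(flow.dest):
        return "tunnel"
    if flow.app_id in MANAGED_APPS:
        return "tunnel"
    return "direct"


def partition(flows):
    """Split a batch of flows into (tunnelled, direct) lists."""
    tunnelled = [f for f in flows if decide(f) == "tunnel"]
    direct = [f for f in flows if decide(f) == "direct"]
    return tunnelled, direct


if __name__ == "__main__":
    # Constructed sample of flows an agent might see in one minute.
    sample = [
        Flow("com.example.mail", "mail.example.com", 443),
        Flow("com.social.app", "cdn.social.example", 443),
        Flow("com.social.app", "intranet.corp.example.com", 80),   # rule 1
        Flow("com.example.crm", "cdn.vendor.example", 443),        # rule 2
        Flow("com.social.app", "10.20.30.40", 8080),               # rule 1 (IP literal)
        Flow("com.social.app", "notcorp.example.com", 443),        # lookalike, direct
    ]
    for f in sample:
        print(f"{decide(f):6}  {f.app_id:18} -> {f.dest}:{f.port}")
```

Two things in this policy are easy to get wrong in a real agent: classifying by application alone (rule 2 without rule 1) lets any personal app talk to internal hosts in the clear, and matching domains by plain suffix without the leading dot lets an attacker-registered lookalike domain pull enterprise traffic through the tunnel or keep it out of it.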

You have to depend on the device manufacturer and the OS vendor to supply the supported encryption algorithms, but at least the underlying technology (VPN tunnels and storage encryption) is mature. Most current devices offer comprehensive support, so algorithm availability is rarely the problem area. What you should still verify is which protocol versions and cipher suites each platform actually enables, because the set differs by vendor and OS version, and a policy that names a suite the device lacks either fails to connect or silently falls back to something weaker.