Enterprise Mobile Device Content Encryption - dummies

By Rich Campagna, Subbu Iyer, Ashwin Krishnan, Mark Bauhaus

Data encryption prevents sensitive mobile device data from being accessed without entering the mobile device owner’s passphrase or secret key. Encryption refers to the process by which vital data is made inaccessible to users who don’t know a secret phrase or password. For example, the passphrase used to lock the device could be used as a password to encrypt the data on the device.

Typically, devices are used within the workplace to access corporate e-mail, browse intranet web pages, or even access client-server applications like Oracle or SAP. In addition, the devices may also store contacts, SMS messages, or files related to work.

From a compliance perspective, your encryption policy should require such content to be encrypted on the device before the device is allowed into the corporate network. Here’s a list of the types of data that should be encrypted on the device, at a minimum:

  • E-mail

  • SMS messages

  • Contacts

  • Calendar

  • SD card contents, which may include files of various types

The challenge in requiring encryption to be enabled on mobile devices is that not all devices support hardware encryption. For example, Apple iPhones and iPads support it on devices running version 4.0 or later, but not on earlier versions. Android devices didn’t have encryption capabilities at the time of writing.

The specific policies for data encryption will vary for different organizations, depending on each organization’s tolerance for risk and the importance of this particular form of security.

At this time, you should also decide whether to enforce your encryption policy on both personal and corporate-owned devices. Ideally, you’d want to do so, thereby ensuring that the policies are consistent for all devices in the corporate network.

However, because some devices (we’re looking at you, Android) don’t support encryption, you will need to decide whether to let some devices into your network without encryption, or enforce encryption as a policy throughout the device network, thereby denying access to some popular Android devices today.

Compliance Policies for Device Encryption

  Personal Devices: May be identical to the policies for corporate-owned

  Corporate-Owned Devices: Encryption must be enabled for all the following data types: e-mail, SMS messages, contacts, calendar, and SD card contents, including videos and photos.
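
One way to express the policy decisions above as a network admission check, shown as an added example that is not from the original article. The device records, field names, and function names are constructed for illustration; the platform rule encodes only what the article states (iPhones and iPads on version 4.0 or later, no Android support at the time of writing).

```python
from dataclasses import dataclass, field

# The five data types the article lists as the minimum to encrypt.
REQUIRED = {"email", "sms", "contacts", "calendar", "sd_card"}

@dataclass
class Device:                      # hypothetical inventory record
    name: str
    platform: str                  # "ios" or "android"
    os_version: tuple              # e.g. (4, 0)
    corporate_owned: bool
    encrypted: set = field(default_factory=set)  # data types reported encrypted

def supports_encryption(dev):
    # Per the article: supported on iPhones/iPads running 4.0 or later,
    # not on earlier versions, and not on Android at the time of writing.
    return dev.platform == "ios" and dev.os_version >= (4, 0)

def evaluate(dev, apply_to_personal=True, allow_unsupported=False):
    """Return (admit, reason) for one device under the chosen policy."""
    if not dev.corporate_owned and not apply_to_personal:
        return True, "personal device exempt from encryption policy"
    if not supports_encryption(dev):
        if allow_unsupported:
            return True, "exception: platform cannot encrypt, admitted unencrypted"
        return False, "platform does not support encryption"
    missing = REQUIRED - dev.encrypted
    if missing:
        return False, "unencrypted: " + ", ".join(sorted(missing))
    return True, "all required data types encrypted"

# Constructed sample inventory.
INVENTORY = [
    Device("ipad-corp", "ios", (4, 2), True, set(REQUIRED)),
    Device("iphone-old", "ios", (3, 1), False),
    Device("iphone-byod", "ios", (4, 0), False, {"email", "contacts", "calendar"}),
    Device("droid-byod", "android", (2, 2), False),
]

def report(**policy):
    return {d.name: evaluate(d, **policy) for d in INVENTORY}

if __name__ == "__main__":
    for label, policy in [("strict", {}), ("with exception", {"allow_unsupported": True})]:
        print(label)
        for name, (admit, reason) in report(**policy).items():
            print(f"  {name:12} {'ADMIT' if admit else 'DENY '} {reason}")
```

Comparing the two runs shows the trade-off the article describes: the exception admits every device that cannot encrypt, while a device that can encrypt but has left some data types unprotected is still denied.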