Enterprise Mobile Devices and Exchange ActiveSync

By Rich Campagna, Subbu Iyer, Ashwin Krishnan, Mark Bauhaus

Microsoft developed Exchange ActiveSync (EAS) as a synchronization protocol for Microsoft Exchange, but it has since been extended to include more mobile device security and management functionality. EAS is proprietary, but it has been widely licensed and adopted by device operating system vendors and has become a de facto standard over the past few years. Most smartphone operating systems sold today support ActiveSync.

The latest versions of EAS support a number of security policies and settings, including:

  • Various options for setting password policies, including password length and complexity requirements.

  • The ability to remotely lock or wipe a device.

  • Tools to wipe and/or encrypt removable media, such as SD cards.

  • Controls for whether a device that does not support all of the EAS password policies can connect to the Exchange Server.

  • Password expiration and policy refresh intervals.

  • Policies that control whether attachments can be downloaded to the endpoint device.

  • The ability to disable Wi-Fi, infrared ports, Bluetooth, and cameras.

Many enterprises implement these EAS security policies when they first allow mobile devices to access their network. Typically, the mobile devices connect directly to the e-mail server via the Internet.
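The policies listed above map to properties on an Exchange mobile device mailbox policy, so they can be audited rather than assumed. The following is an added example, not code from the book or from Microsoft: the function name `Test-EasPolicyBaseline`, the baseline values (such as a minimum length of 8), and the sample policy object are assumptions made for illustration, while the property names are those returned by `Get-MobileDeviceMailboxPolicy` in Exchange 2013 and later.

```powershell
# Added example: report EAS policy settings that fall short of an assumed baseline.
# Test-EasPolicyBaseline is a hypothetical helper; thresholds are illustrative.
function Test-EasPolicyBaseline {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [object]$Policy,
        [int]$MinLength = 8   # assumed minimum password length
    )
    process {
        # Each rule: property name, expected state, and a test that returns $true on pass.
        $rules = @(
            @{ Setting = 'PasswordEnabled';              Expect = 'True';          Ok = { $Policy.PasswordEnabled -eq $true } }
            @{ Setting = 'MinPasswordLength';            Expect = ">= $MinLength"; Ok = { $Policy.MinPasswordLength -ge $MinLength } }
            @{ Setting = 'AlphanumericPasswordRequired'; Expect = 'True';          Ok = { $Policy.AlphanumericPasswordRequired -eq $true } }
            @{ Setting = 'PasswordExpiration';           Expect = 'not Unlimited'; Ok = { "$($Policy.PasswordExpiration)" -ne 'Unlimited' } }
            @{ Setting = 'DevicePolicyRefreshInterval';  Expect = 'not Unlimited'; Ok = { "$($Policy.DevicePolicyRefreshInterval)" -ne 'Unlimited' } }
            # Devices that cannot enforce every policy should not be allowed to connect.
            @{ Setting = 'AllowNonProvisionableDevices'; Expect = 'False';         Ok = { $Policy.AllowNonProvisionableDevices -eq $false } }
            @{ Setting = 'RequireStorageCardEncryption'; Expect = 'True';          Ok = { $Policy.RequireStorageCardEncryption -eq $true } }
        )
        foreach ($r in $rules) {
            if (-not (& $r.Ok)) {
                [pscustomobject]@{
                    Policy   = $Policy.Name
                    Setting  = $r.Setting
                    Actual   = "$($Policy.($r.Setting))"
                    Expected = $r.Expect
                }
            }
        }
    }
}

# Constructed sample policy (not real output) so the function runs without Exchange.
$sample = [pscustomobject]@{
    Name = 'Constructed-Default'; PasswordEnabled = $true; MinPasswordLength = 4
    AlphanumericPasswordRequired = $false; PasswordExpiration = 'Unlimited'
    DevicePolicyRefreshInterval = '1.00:00:00'; AllowNonProvisionableDevices = $true
    RequireStorageCardEncryption = $false
}
$sample | Test-EasPolicyBaseline | Format-Table -AutoSize

# In the Exchange Management Shell, audit every policy the same way:
#   Get-MobileDeviceMailboxPolicy | Test-EasPolicyBaseline
```

An empty result means every checked setting meets the baseline; each returned row names the policy, the setting, and the value to correct.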

Always ensure that you are using HTTPS for devices connecting to the mail server via the Internet. You must never allow direct HTTP access because HTTP is unencrypted, and you should never have sensitive corporate data transiting the Internet unencrypted. When e-mail is encrypted via HTTPS, that data cannot be read in transit, even if it is intercepted.

A question that might be on your mind is whether it is still necessary to deploy additional security mechanisms if the aforementioned EAS security policies have been put into place. The answer is a resounding yes. The EAS policies are only a small part of security best practices for deploying mobile devices.

For example, EAS allows all traffic to and from the Exchange Server to be encrypted, but it does nothing to protect traffic to and from other application servers that the user might want to access. Additionally, EAS provides no mechanism for controlling access to application stores or downloading of third-party applications, limiting your ability to control the applications that are downloaded onto your organization’s devices.

Exchange ActiveSync provides some attractive security benefits, but it is far from a complete security solution. It might be part of a layered approach to smartphone and mobile device security, but it isn’t built to stand alone and secure devices on all levels.