Smartphone Security Beyond Lock and Wipe

Smartphones in use by company employees have changed a lot over the years -- from phones with simple repositories of contact and calendar information to 32GB multi-function devices that can connect to the corporate cloud and download huge quantities of information. The traditional gold-standard of protection for these mobile devices is lock and wipe. Locking renders the device unusable and wiping removes all data on the device and resets it to the default (out of box) configuration.


But just as mobile devices have evolved, so has mobile device security to include additional features and management options. In this piece we take a look at whether or not mobile IT staff are using lock and wipe for company phones and how the available solutions have evolved over the years.


To prioritize what matters most, Eric Maiwald, research vice president of Gartner, says the majority of companies are looking for three key capabilities on phones: "Authentication, encryption of stored data and the ability to kill it remotely." There are a few basic ways to implement these capabilities:

    Natively -- using management tools that come with the phone or from the phone provider;
    Third Party Messaging -- using management from the e-mail service, such as Exchange or GAPE;
    Third Party Management -- management tools purchased for security and policy control of mobile devices.


Third party options are overlay management tools that are installed on mobile devices to provide management and security functionality. Eric Maiwald says that the market can be broken down into two broad sub-segments. The first is tools that are "a single messaging solution for any mobile device where enterprises can create a security sandbox of safety across multiple platforms."


This allows enterprises to "see everything in the context of the application and maintain ownership over the messaging" regardless of which device the messages are on. The other option is "overall management." According to Maiwald, these solutions perform functions that help companies not only secure their mobile devices but also "reduce the cost of what's happening in the mobile environment," improve service and support by "monitoring signal strength, dropped calls, and call quality," and help with cost control when users are roaming.


Each approach has pros and cons and some provide more functionality or broader device support than others. The best fit will depend on the company's defined requirements for protection as well as cost considerations.


Before launching into the various options, it's worth taking a moment to note how some protections can be circumvented by attackers. Any protection that depends on a network connection can be avoided by removing the SIM card or using the phone in an area with no signal. So a thief who removes a smartphone's SIM could still have access to the local data. A thief who nabs a phone in a coffee shop when the owner is getting their latte -- solely with the intent to resell it -- may not think twice about turning the phone on in transmit mode or whether the local data will be remotely wiped.


However, a thief that targets a particular phone specifically to get the data contained on it is much more likely to take precautions to keep the phone off the network before the desired data has been retrieved. Additional layers of security can be used to protect a device that is not on the network; these include two-factor authentication, password layering and encryption of local and removable data stores.


BlackBerry Enterprise Server: Gold Standard in Native Smartphone Security

The good news is that many phones already have some level of protection support built in. Enterprises can manage their BlackBerry deployment with BES (BlackBerry Enterprise Server) or BlackBerry Enterprise Server Express. They can use this functionality to set controls on PINs/passwords, initiate password resets, enable lock and wipe support and enforce encryption for stored data. Maiwald calls this the "gold standard for basic device management."


Organizations using Windows Mobile phones can use Microsoft System Center Mobile Device Management (MDM) to control devices using Group Policy and Active Directory. Security features supported in MDM include authentication enforcement (passwords and, if supported by the phone, two-factor), encryption of stored data -- both embedded and removable -- and lock and wipe.


The not-so-good news is that proprietary management systems don't play well with others. If your mobile device environment is homogeneous (a single platform), a native solution could be the right fit. However, most organizations support a variety of different devices, which would require multiple policy consoles to manage natively.


Platform usage varies by company and geographic location, but Maiwald points out that BlackBerry and Windows Mobile are well installed in the US, with Symbian being popular in the EU. iPhone adoption is growing in corporate environments and Droid is on the horizon but not yet supported in enterprise due to a lack of enterprise-ready management features.


Third Party Messaging for Mobile Security

The Microsoft Exchange ActiveSync (EAS) protocol supports push and synchronization to mobile devices. EAS can be licensed by non-Windows Mobile vendors and is supported in the iOS (operating system for iPhones and iPads), some versions of Droid, and Palm's webOS.


In February, Google announced that Google Apps Premier (GAPE) and Education users would be able to leverage EAS to manage security features such as password policy, device lock after inactivity, and remote wipe on iPhones, some Nokia phones, and Windows Mobile devices. Stronger security management features for Droids have been announced.


Enterprises that use Exchange either on-premise or in a hosted model can use EAS' native functionality to manage mobile devices through the Exchange console. Security features that can be managed with EAS are password policy (length and reset), device lock after inactivity, and remote wipe.


EAS is cost-effective for Exchange users and a nice add-on for Google Apps Premier and Education customers. However, not all mobile device platforms are supported yet (BlackBerry being the notable exception) and users of mail servers that do not support EAS (like Lotus) will need to look elsewhere.
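As an added example (not from the article), the following Exchange Management Shell commands show how the three EAS-managed controls named above -- password policy, device lock after inactivity, and remote wipe -- are actually configured on an on-premise Exchange 2010 server, and how an administrator checks the caveat raised earlier: a remote wipe is only delivered when the device next connects, so a phone kept off the network never acknowledges it. The policy name "CorpPhones", the mailbox alias "jdoe" and the notification address are placeholders.

```powershell
# Added example, not the article's own code. Assumes an on-premise Exchange 2010
# server with the Exchange Management Shell loaded; "CorpPhones", "jdoe" and
# secops@example.com are placeholders.

# 1. Password policy, inactivity lock and encryption, enforced on every EAS device
#    that syncs a mailbox assigned to this policy. These controls run on the
#    device itself, so they still protect a phone whose SIM has been removed.
$policy = @{
    Name                               = "CorpPhones"
    DevicePasswordEnabled              = $true
    AlphanumericDevicePasswordRequired = $true
    MinDevicePasswordLength            = 8
    MaxInactivityTimeDeviceLock        = "00:15:00"     # lock after 15 minutes idle
    MaxDevicePasswordFailedAttempts    = 10             # device wipes itself locally after 10 wrong PINs
    DevicePasswordExpiration           = "90.00:00:00"  # force a password reset every 90 days
    DevicePasswordHistory              = 5
    RequireDeviceEncryption            = $true          # built-in storage
    RequireStorageCardEncryption       = $true          # removable storage card
    AllowNonProvisionableDevices       = $false         # refuse devices that cannot enforce the policy
}
New-ActiveSyncMailboxPolicy @policy

# 2. Assign the policy to a mailbox; the device picks it up at its next sync.
Set-CASMailbox -Identity "jdoe" -ActiveSyncMailboxPolicy "CorpPhones"

# 3. Remote wipe of a lost device. List the partnerships first, then wipe the one
#    reported lost. The wipe command is queued server-side; nothing happens on the
#    handset until it connects.
$devices = Get-ActiveSyncDeviceStatistics -Mailbox "jdoe"
$devices | Select-Object DeviceType, DeviceID, LastSuccessSync

$lost = $devices | Where-Object { $_.DeviceID -eq "<DeviceID from the listing above>" }
Clear-ActiveSyncDevice -Identity $lost.Identity `
    -NotificationEmailAddresses "secops@example.com" `
    -Confirm:$false

# 4. Verify delivery before closing the incident. A wipe with a request time but no
#    acknowledgement time has not reached the device: the phone may be offline or
#    the SIM removed, so only the local controls from step 1 are protecting the data.
Get-ActiveSyncDeviceStatistics -Mailbox "jdoe" |
    Where-Object { $_.DeviceWipeRequestTime -and -not $_.DeviceWipeAckTime } |
    Select-Object DeviceType, DeviceID, DeviceWipeRequestTime, DeviceWipeSentTime, LastSuccessSync
```

Step 4 is the part most often skipped: the console reports the wipe as issued the moment step 3 runs, but the data is gone only once DeviceWipeAckTime is populated. Until then the incident should be treated as an unrecovered device protected solely by the PIN, the failed-attempt limit and storage encryption.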


Third Party Management for Smartphone Security

Players in the broader mobile management space include Good Technology (formerly Motorola, now owned by Visto), Intermec SmartSystems, Mobile Iron and Sybase (now owned by SAP) Afaria. Some mobile device management vendors, such as Sybase, leverage OMA DM in their solutions. OMA DM is a protocol for mobility management being standardized within the Open Mobile Alliance. OMA DM is similar to EAS but is open source rather than proprietary.


Mobile Iron expands basic management and security to focus on reducing carrying costs through control of roaming fees and support calls. And Sybase's Afaria brings more traditional device management into the equation with inventory control tracking and forcing backups when batteries are low.


Although options for mobile device management integrated with security controls are increasing, Maiwald points out that the "market for handheld only security management is shrinking -- TrustDigital [acquired by McAfee on May 25] is the only one. Credant continues to support mobile device security management but are also supporting laptops now."


In addition to operational functionality that extends beyond lock and wipe, password policy control, and data encryption, the third party management solutions offer very broad platform support. Most support BlackBerry, iPhone, Palm, Symbian, and Windows Mobile and have announced upcoming support for Droid.


Diana Kelley is a partner at SecurityCurve and a frequent contributor to eSecurityPlanet.com.


