A New Approach to Mobile Encryption
Piecemeal efforts only resolve some threats while burdening IT resources. Enterprises need to take an entirely new perspective for managing mobile security.
By Michael Ginsberg, CEO, Echoworx
A significant shift has occurred on the mobile front. The prolific adoption of smartphones has dramatically increased the use of mobile devices for business communications. As the capabilities of these devices grow, we are witnessing a compelling need to address the e-mail encryption and credential management security issues outside the walls of the enterprise network.
Mobile security and authentication are especially critical but are rarely addressed because existing enterprise encryption technology and processes simply can’t be applied to mobile easily. The variety of platforms, the complexity of issuing and managing digital certificates, and the difficulties encountered in “un-encrypting” received e-mail messages and attachments have made it challenging for organizations to establish policies beyond the PC. In many cases, the rules can’t be enforced once e-mail messages make their way to mobile devices; or conversely, encrypted e-mails sent to a mobile device can’t be accessed conveniently.
As a result, encryption and authentication solutions for mobile devices have yet to reach any significant adoption levels even though users and their devices may be unaccounted for, applications are being downloaded at will, and sensitive information is being sent over unsecured networks.
Enterprises are facing several mobile security risks, and they will only escalate as usage grows. First, business correspondence and other sensitive communications over mobile devices are virtually unmonitored. Smartphones are used constantly by business users to text, e-mail, and forward files -- all of which happens beyond the control of the enterprise’s encryption and authentication processes.
Enterprises also face an increase in threats from the hacking community. There are countless off-the-shelf, publicly available software and firmware resources that enable perpetrators to intercept personal information exchanges, credit card numbers, or any other information transmitted by or stored on mobile devices.
Even within the enterprise walls, more workers are using their own mobile devices to conduct business. This practice undermines IT management efforts because these tools are usually unaccounted for and therefore not policed. On top of that, credential management for mobile communications is, for the most part, non-existent. Today, if an iPad or BlackBerry is stolen, the sensitive or confidential information contained within it could be compromised.
When the BlackBerry Enterprise server was the predominant business platform for mobile computing, securing information traveling to and from devices was a relatively easy task because everything was centrally managed. Today, with multiple devices, operating systems, networks, and security measures, the job has become more difficult.
Once the iPhone and Android came into the picture, the risk factor increased exponentially. The Android is a particular concern for enterprise IT managers because applications can be downloaded from any location rather than from a centrally managed app store. We have yet to fully assess the impact of the Windows phone. The only known factor that these IT managers agree upon is that every phone used today is potentially a business device and therefore a danger to security.
Until recently, managers have had to settle for measures that are complicated and difficult to manage; piecemeal efforts only addressed specific functions or platforms, such as remote “wiping” of content from lost or stolen devices, disabling services, or applying encryption tools that require complex authentication procedures. By their nature, these approaches only resolve a limited portion of the overall threat while placing a significant additional burden on IT resources.
Rather, enterprises need to take an entirely new perspective for managing mobile security. The good news is that the most effective solutions are far less complicated and far more effective than those used to date.
The key to enabling e-mail encryption on mobile is having the infrastructure and workflow to support it. This means adopting a “gateway” approach in which applications and data are moved to the cloud, where they can be secured at the source. This enables encryption rules to be applied automatically to both incoming and outgoing e-mail messages under a central management model. With a centralized approach, unauthorized users can’t reach the data; data is kept off the devices in the event of loss or theft; and with the proper encryption and authentication processes, information can’t be read if intercepted.
Applying the business rules at the source is also more productive. For example, it removes the burden of mobile users having to wait to return to their desktop or place a call to the sender in order to read an encrypted e-mail message. Instead, they can send and receive encrypted messages on their devices easily and securely from any device and location.
If a centralized cloud-based approach is not feasible because of company policies or other constraints, enterprises can opt to store and encrypt credentials on the mobile device itself. In this approach, encrypted messages are received and continue to remain encrypted on the device itself rather than in a central location. Encryption can also be applied to outgoing messages sent directly from the mobile device. If the device is lost or stolen, the data contained within simply can’t be accessed.
Whatever the choice, data encryption and credential management for mobile users are rapidly becoming a number-one priority for today’s enterprise IT managers. Rather than being overwhelmed by the complexities of a growing problem and taking a piecemeal approach, the time has come for enterprise managers to leverage more effective and efficient solutions to simplify the chaos and tackle the mobile security challenge.
Michael Ginsberg is the CEO of Echoworx Corporation, best known for managed encryption services for complete enterprise e-mail and data protection. You can contact the author at firstname.lastname@example.org.