Protecting mobile data at rest
According to the Privacy Rights Clearinghouse, more than 216 million identity records have been breached during the past two years. Most were exposed by missing mobile devices, like the laptop with 268,000 donor records stolen from the Duluth Memorial Blood Center last week. The Ponemon Institute puts the average cost at $182 per exposed record. Do the math -- expenses incurred by a single breach could easily exceed the investment required to secure an entire mobile device fleet.
The most effective step you can take to reduce data breach risk is to encrypt the sensitive data carried by mobile devices. Encryption stops thieves from making sense of that data by scrambling it with a keyed cipher. Encrypted data can be unscrambled only by decrypting it with the same cipher and key. So long as the key remains secret – this is critical – so does the data. In fact, you may not even be required to notify customers or employees about a potential breach if you can prove that the affected records were encrypted to stop regulated data from being wrongfully acquired.
There are many ways to encrypt the data stored on mobile devices, ranging from targeted and elective to comprehensive and mandatory. Choosing a mobile encryption solution requires careful consideration, balancing the benefits, impacts and residual risk.
Doing it yourself
Many programs provide field encryption on mobile devices. For example, SplashID or Ascendo DataVault can help individuals protect themselves against personal identity theft by encrypting account names, credit card numbers, logins, passwords and other secrets. Such programs generate encrypted databases that are locked by a password known only to the owner.
This is an easy, inexpensive way to protect sensitive values on personal mobile devices and has little impact on device performance or battery life. However, the onus is on the end user to decide which values need to be entered onto the encrypted database, and nothing stops the user from storing or copying sensitive values to insecure locations.
Enforcing corporate policy
Companies that want more control while still being selective about exactly what gets encrypted should consider file/folder encryption products for mobile devices. Such products let the IT administrator establish and enforce encryption policies that are appropriate for each group or device/user.
Basic file/folder encryption solutions automatically encrypt all files written to a designated folder. This approach increases transparency but still depends on the user (and applications) to save files in expected locations. Sensitive data can leak into insecure locations by accident or policy error.
Policy-based mobile encryption products sold by vendors like Trust Digital, Credant, SafeBoot and Sybase can provide more flexible control over which files are actually protected. Depending on the product, encryption policies may be based on file type, application or ownership – for example, encrypting mail messages and attachments, independent of folder location, and permitting decryption only by Outlook.
Using embedded data encryption
Some operating systems -- Windows Vista, Mac OS X and BlackBerry OS, for example -- provide built-in encryption for some portion of data at rest. Embedded encryption features may be enabled directly by end users or administered centrally through IT-defined policies.
For example, BlackBerry handhelds have a content-protection option that encrypts stored data items whenever the device is locked. When content protection is enabled, the OS automatically encrypts a specific list of user data items, including email messages and attachments, calendar objects, memo pad notes, tasks, contacts, and the browser cache. Although administrators cannot control which user data items are encrypted, they can force content protection on and set key strength. Encryption can also be used in conjunction with policy-based data wipe to further reduce lost/stolen device risk.
Mobile workers who carry laptops have more comprehensive embedded data encryption capabilities like Windows Vista BitLocker, which protects the entire OS volume, including all operating system, page, temp, hibernation, and user files stored on that logical volume – usually the laptop's C:\ drive.
Full volume or disk encryption further increases user transparency and reduces the risk of data leakage without depending on policies to determine what's sensitive and what's not. However, it can also interfere with mobile device maintenance tools and processes (e.g., patch managers) and other boot-time programs (e.g., authentication add-ons).
Removable memory data encryption
Products such as SafeGuard PrivateDisk and AirScanner Mobile Encrypter can create encrypted "virtual drives" on Pocket PCs. Full disk encryption does not apply to handheld devices like PDAs and phones, however, because persistent storage is fundamentally different, and selective encryption helps to conserve processor and battery.
Another step to take on any type of mobile device is encryption of sensitive data stored on removable memory (e.g., SD cards, CF cards, USB drives). For example, GuardianEdge Smartphone Protection can encrypt files stored both in the device's memory and on SD cards. On laptops, USB thumb drive encryption is more often packaged as a separate product.
Encrypting removable memory can prevent users from copying the data stored in encrypted files/folders or virtual drives/volumes to locations that are not only unencrypted, but very easily lost. This step is therefore an important complement to whatever protection you apply to data at rest on the device itself.
Finding a good fit
In this tip, we have explored available options for protecting the data stored on both personal and corporate-administered mobile devices. Our examples were intended not to be exhaustive but to give you a launch point for doing your own homework. Investigate example product characteristics and try to match them to your own needs.
In the end, the best answer for you will be determined by the types of mobile devices you use, your IT infrastructure and processes, the security policy you hope to implement, and your level of risk tolerance. You might even end up with more than one solution to balance impact and risk. Whatever you do, don't put off mobile encryption until you lose a device containing sensitive or regulated data. That's the one approach that could end up costing you the most.
This was first published in December 2007