Whole disk and file-based mobile device protection takes a back seat to evolving 'intelligent encryption' techniques
You may deny it, but we've all been there, or at least suffered through the nightmare. You're on the road for a few days, chasing down potential customers, riding in the back of yet another non-descript and slightly pungent taxi when it hits you: I have my cell phone. I have my lucky sport jacket. I don't have my laptop. I am miles away and my 80G-byte system is still sitting in that Wi-Fi-enabled Starbucks where I stopped to have that over-priced and homogenized cappuccino,
If you are lucky, the electronic hub of your business life will still be there when you rush back to reclaim it. However, the odds are better than average that your system will be long gone and your precious data in the hands of a caffeine-soaked student or worse, a competitor. Most IT managers and people in the security biz know it is not a question if such a situation will happen, but merely when it occurs. Estimates of such losses and thefts exceed 650,000 units per year, although that figure may be much higher since many companies are reluctant to air their mistakes.
It can also happen to anyone, from the lowest junior executive to the highest ranking executive. We know a CEO of a very well-known secure wireless company, for example, who left his notebook computer and its three years of
There are a number of precautions you can take to at least protect the information contained on a notebook computer should the device fall into the wrong hands. Most involve some type of file-based or full-disk encryption that basically scrambles and password-protects the data so that if an unauthorized person tries to access vital data it pretty much comes up as gibberish. Full-disk encryption tactics are the most popular, with about 80% of the enterprise market opting for this type of blanket protection. The problem with this and file-based techniques, however, is they rely on the user to specify which files to encrypt of decrypt (and usually does not protect against a user creating temporary files on a virtual desktop); or they can create problems when whole0disk encryption corrupts operating system files.
Intelligent encryption ..avoids encrypting the OS..yet it works within the confines of the operating system to protect read and write file system calls and temp files – which are the first place any hacker worth his programming license looks for vulnerable snippets of sensitive data.
A more reliable solution involves so-called 'intelligent encryption' technology, which encrypts all of the data on a system, but does not mess around with applications (which are easily replaced) and system programs (which should be left alone). This is the approach taken by Credant Technologies, Inc. ( www.credant.com), a three-and-a-half year old company which has built a respectable business providing different approaches to mobile enterprise data protection. And apparently, business have never been better as more companies opt for more flexible mobile systems to replace aging desktops and privacy regulations increasingly insist on adequate safeguards against lost or misplaced sensitive data – especially in such verticals as healthcare.
Credant actually started in the business with technologies that were based on protecting specific file folders on a user's PC, since this was and continues to be one of the more popular method of mobile data protection. Many companies still believe this is the way to go since users tend to store a lot of personal information on their mobile systems – especially smaller PDAs – and the general thinking is that not all data is sensitive or mission critical. Credant offered products based on this approach for about 18 months, says VP of marketing and company co-founder Ian Gordon. But, the company decided to move away from this technique because it relied too heavily on the end user, which as we all know is the weak link in the whole mobile chain. Also, file and folder encryption techniques fall flat when it is scaled across thousands or tens of thousands of mobile systems in a typical large corporation.
The result was the introduction a few weeks ago of Credant's Mobile Guardian Enterprise Edition, which is designed to offer centrally managed data encryption across a wide range of systems to enterprise users. Company officials claim the approach is a far more reliable alternative than full-disk encryption, which reportedly has an 8-10% failure rate during installation. Intelligent encryption also avoids encrypting the OS, which is a protection technique that routinely doubles the boot time of a device and can easily be circumvented by reinstalling the operating system; yet it works within the confines of the operating system to protect read and write file system calls and temp files – which are the first place any hacker worth his programming license looks for vulnerable snippets of sensitive data.
What we like best about the Credant solution, though, is that it takes into consideration the myriad of mobile devices that are being used out there by executives as they dash about their business. Sure, you can shackle your notebook to your wrist or perhaps by one of those proximity alarms that screech when you stray too far from your precious six-pound electronic brick. But, you are bound to lose that PDA or smart phone one of these days, which may contain a 1G-byte memory card with all sorts of sensitive information and may have more storage and performance capabilities than a three-year-old full-function laptop.
The folks at Credant realize that a lot of these small and personal devices are employee-owned, so has developed a way to control the use of these systems as they try to synchronize with the corporate data jewels. This is basically accomplished by deploying a very small agent through SMS or a Tivoli network that will effectively block that device from capturing sensitive data as dictated by corporate computing policies. If you don't input the proper passwords and authentications through your Blackberry or slick, new Palm Treo 650, then you just can't get into the system. It's that simple.
Credant based the architecture of its new system on feedback from users, as well as input from early testers of the Mobile Guardian Enterprise Edition software. One of these alpha and now beta sites is the CUNA Mutual Group, a financial services company ( www.cunamutual.com), which works primarily with credit unions and is very concerned with the use and protection of laptops and smaller devices in the field. The company is in the midst of rolling out the Credant system to about 2500 people right now. Credant claims to have about six or seven more such enterprise users and is eyeing the government market, which accounts for roughly 20-25% of its overall business right now.
We expect the government market to be a hotbed of activity for Credant and others in this field, especially as the government looks more for commercially-available solutions to security problems and pressures to protect information in the field increase under the spreading wings of Homeland Security efforts.
Tim Scannell is the president and chief analyst with Shoreline Research, a Quincy,
Mass.-based consulting company specializing in mobile and wireless technology and initiatives.
Shoreline works with end users, looking to implement mobile solutions, and vendors, developing new
products and seeking business and customer opportunities. The company also specializes in training
and strategic planning projects. For more information on Shoreline Research and the company's
strategic services please go to http://www.shorelineresearch.com.
This was first published in March 2005