Managing Mobile Encryption

The walls are moving outward faster than ever. In the past 10 years, many employees have gone from working in an office to working outside the office to carrying their entire office in a shoulder bag or on a belt holster.

What this means to IT departments is that technology managers face the unenviable task of securing more devices than ever. If your organization is moving to encrypt its mobile data, consider the following tips to help you get the most out of an encryption strategy.

Tip 1. Deploy comprehensive, managed security software that works on multiple platforms.

If your IT department supports more than a handful of users, you already know that using centrally managed software is a necessity. Encryption is no exception. Several big-name developers offer centrally managed encryption packages and malware protection for desktop and notebook systems, as well as mobile devices, removable storage and attached network shares.

Keep it simple by consolidating as much as possible. It will be easier on both your users and support staff, and one-stop solutions also come with an implied assurance of compatibility between components.

Tip 2. Take advantage of the Trusted Platform Module.

Most desktops and notebooks feature Trusted Platform Module technology. A TPM chip can encrypt and bind a user’s hard drive to his or her system so that it will no longer work without a valid password or security token.

TPM can also provide hardware-level authentication to other common security tokens, such as virtual private network challenge phrases, Microsoft Windows passwords and even Wi-Fi network keys. Because it’s hardware-based, TPM authentication is intrinsically more secure — the credentials reside within the chipset and never enter the software layer.

Tip 3. Understand the strengths and weaknesses of full-disk versus file-level encryption.

Considering the number of mobile devices that fall victim to theft and loss each year, you want to employ the strongest available encryption technology. When locking down data on hard drives in mobile devices, you essentially have two encryption options: full-disk, which automatically encrypts everything on the hard drive, and file, which lets users handpick what to encrypt.

Although its on-demand nature makes file-level encryption faster, full-disk encryption means you don’t have to fret about a mobile user losing a file or a clever hacker lifting information from temporary files.

Tip 4. Enable content protection on BlackBerrys.

One easy way to encrypt sensitive BlackBerry user data is to enable the content protection option. This can be accomplished either through menus on the smartphone itself or through a policy setting on the BlackBerry Enterprise Server.

Once enabled, a user’s phone will automatically encrypt any data it deems sensitive, such as e-mail, web-browsing history and contacts. It will prevent access to this information any time the device is locked. This safeguards data from being recovered physically through the phone itself.

Tip 5. Don’t let removable storage slip through the cracks.

Remember that sensitive data isn’t always confined to local drives on users’ machines. If your group policies allow users to connect external drives, make sure to encrypt those drives as well. Consider purchasing a centrally managed solution that can port to removable media such as external hard drives and thumb drives. Another cost-effective method: Buy drives with built-in encryption and, ideally, fingerprint authentication.