Taking Measures: Enhancing Security For Enterprise Mobile Deployments

It’s clear that mobility has taken hold across the business world, from diverse industries including oil and gas, utilities, and field service to the financial, insurance, and healthcare sectors. Moreover, today’s 24/7 business cycle depends on company infrastructures that are always up and running. Whether data is on the move—literally, via portable handhelds and across mobile broadband and WiFi networks—or at rest, securing proprietary business information is essential.


In the next few weeks, we’ll be looking at mobile security as it relates to four critical areas: Data Security, Access Privileges, Connectivity Security, and Device Security. In this first article on protecting data, we look at the security that’s inherent to mobile Operating Systems (OSes), and the effectiveness of hardware and software encryption as well as removable hard drives.


For IT, the sheer number of enterprise mobile devices that need to be managed and secured can pose a serious challenge. While Mobile Device Management (MDM) enables IT to provision, maintain, and decommission mobile devices, encryption protects the data itself no matter where it resides.


Mobile OS: First Line of Defense for Secure Data

While not impenetrable, current enterprise mobile handhelds exhibit a high degree of data security. That’s because software encryption in both Windows 10 IoT Mobile Enterprise and Android 5.1.1 is enabled by default. Before any application writes data, it calls the encryption module so that all stored information is encrypted. Moreover, the Android 5.1.1 OS offers the ability to encrypt memory cycling as well as to create partitions between applications for further security.


In addition, device manufacturers can add another layer of security through their own software encryption or embedded technology. For example, Absolute Data & Device Security (DDS) represents a form of hardware protection that can be embedded in the BIOS of mobile devices, including laptops and notebooks. If a device gets lost or stolen and the hard drive is wiped or replaced, the DDS agent automatically reinstalls itself and begins reporting on device status, geographical location, and recent hardware and software changes, which can aid law enforcement in recovering the device. This also allows the owner to deliver unequivocal confirmation that all data on the device was encrypted, when it was encrypted (how long before the event), and that the data could not be compromised regardless of the loss. This is especially useful for reporting requirements under HIPAA and CJIS in the event a device is lost.


In the case of enterprise handhelds, robust hardware security helps defend against intrusions from the outside. In general, the absence of a hard drive means information is retained in memory. As a result, data tampering on these devices is practically impossible without the correct cryptographic key. Authentication through passcodes represents another line of defense. Until the correct password is entered, all data-at-rest and applications remain encrypted. In general, strong PINs, password complexity, and auto-lock timeouts offer additional defense against unauthorized mobile data access.


Endpoint encryption administered by IT or the end user can provide additional key protections for laptops, notebooks, and removable media to prevent data leakage. These include the following:


Software Encryption: Ensuring Data Infallibility

Software encryption can be applied to any device and is relatively easy to use, upgrade, and update. Whether data is in transit or stored on different devices, software encryption provides management capabilities that keep the process reversible for authorized users while the targeted data remains effectively scrambled to everyone else.


One downside of software encryption is the consumption of system resources, such as memory and CPU cycles, leading to degraded mobile performance. However, the adoption of increasingly powerful chipsets (quad-/octa-core CPUs) has helped to diminish that concern. Using an MDM solution can also significantly enhance the data protection offered by software encryption: while OSes such as Android and Windows 10 Mobile encrypt data by default, they lack the means to centrally manage those controls.


Hardware Encryption: Safety First

Hardware encryption happens within the drive itself. As a self-contained process, it uses on-board security to encrypt and decrypt as necessary and doesn’t impact performance. Hardware encryption links to the unique identifier of a particular device (user, model and serial number) and offers further drive protection through hardware keys that employ robust algorithms, such as Advanced Encryption Standard (AES) and Triple Data Encryption Standard (3DES).


The strong baseline protection of hardware encryption can make a device more resistant to brute force attacks. If such an attack is detected, the crypto module will shut down the entire system to keep data from being accessed.
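The passcode gating described in the hardware section above (data stays encrypted until the correct passcode is entered, and the crypto module shuts itself down under a brute force attack) combines two controls: a slow key derivation that makes each guess expensive, and a failed-attempt counter that destroys the key material once the budget is exhausted. The following Python script is an added illustration of that combination, not code from the original article or from any Panasonic or Absolute product; the attempt limit, iteration count, and the sample passcodes are constructed values for the demonstration.

```python
"""Passcode-gated key release with a failed-attempt lockout (added illustration)."""
import hashlib
import hmac
import os

MAX_FAILED_ATTEMPTS = 5      # assumed policy value; shipping devices make this configurable
PBKDF2_ITERATIONS = 100_000  # makes each guess cost real CPU time, bounding guess rate


class LockedOut(Exception):
    """Raised once the module has shut itself down after too many bad passcodes."""


class PasscodeGate:
    """Releases a data-encryption key only when the correct passcode is presented.

    The passcode is never stored, and neither is the key. PBKDF2 output is split
    into a key half (returned to the caller on success) and a verifier half (kept
    to check guesses), so the stored verifier alone cannot decrypt any data.
    """

    def __init__(self, passcode: str) -> None:
        self.salt = os.urandom(16)                    # per-device salt
        _, self._verifier = self._derive(passcode)    # keep only the verifier half
        self.failed_attempts = 0
        self.locked = False

    def _derive(self, passcode: str):
        material = hashlib.pbkdf2_hmac(
            "sha256", passcode.encode("utf-8"), self.salt, PBKDF2_ITERATIONS, dklen=64
        )
        return material[:32], material[32:]           # (data key, verifier)

    def unlock(self, passcode: str):
        """Return the 32-byte data key, None on a wrong guess, or raise LockedOut."""
        if self.locked:
            raise LockedOut("module shut down: key material destroyed")
        key, verifier = self._derive(passcode)
        # constant-time comparison so a wrong guess leaks no timing information
        if hmac.compare_digest(verifier, self._verifier):
            self.failed_attempts = 0
            return key
        self.failed_attempts += 1
        if self.failed_attempts >= MAX_FAILED_ATTEMPTS:
            # emulate the crypto module wiping its secret: even the right passcode
            # can no longer recover the key after this point
            self.locked = True
            self._verifier = None
            raise LockedOut(f"{MAX_FAILED_ATTEMPTS} failed attempts: module shut down")
        return None


if __name__ == "__main__":
    gate = PasscodeGate("7391")                       # constructed sample passcode
    print("owner unlock:", gate.unlock("7391").hex())
    for guess in ("0000", "1234", "1111", "2580"):    # constructed wrong guesses
        print("guess", guess, "->", gate.unlock(guess))
    try:
        gate.unlock("9999")                           # fifth failure triggers lockout
    except LockedOut as exc:
        print("lockout:", exc)
```

The same structure applies whether the gate is implemented in firmware or in a software encryption layer; the point worth noting is that the counter must survive power cycles and the verifier must be wiped, not merely flagged, or the lockout can be sidestepped by resetting state.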


Removable Media: Have Disk, Will Carry

In general, removable hard drives offer another effective way to protect proprietary business information. Moreover, if a device needs to be shipped for any reason, such as servicing, the drive can be removed to comply with regulatory mandates, whether in the healthcare (HIPAA), law enforcement (CJIS), or financial (GLBA) sectors.


Removable hard drives also make it possible for end users to safeguard data by taking a disk with them if they must leave a laptop or notebook behind. Because it’s always possible to lose a removable disk or a flash drive, hard drive encryption offers an important option. Such solutions make it possible to encrypt data for a specific destination individual or work group.


While many companies have the goal of incorporating better security, such as encryption, they’re also confronted with how to audit its ongoing effectiveness. Such demands, as well as the expense, often impede adoption. Moreover, IT is regularly under pressure to serve a spectrum of organizational needs while consistently lacking the resources to meet those demands. However, unsecured data can have substantial business repercussions. For enterprises with a significant number of mobile end users, the lack of encryption can mean they’re taking significant unnecessary risks. Have you asked your team whether you are taking unnecessary risks?


In the next post in our series, we’ll look at Access Privileges on mobile devices and the potential steps for more strongly securing devices to protect proprietary business information.

Panasonic Toughbook and Toughpad devices are purpose-built to meet the environmental, workflow, and security needs of enterprise mobility customers. Toughbook and Toughpad mobile computers include various enterprise-level security features that enable customers to address their data security, access privileges, connectivity security, and device security needs. For more information, visit the Panasonic website.