The veritable population explosion of smartphones is bringing a dramatic increase in the use of mobile devices for conducting all forms of business communications, including exchanging highly sensitive data. With that comes an equally compelling need to protect e-mail and other content exchanged on these ubiquitous devices.
While encryption technology to protect communications has been widely used by business operations for many years, there is an alarming dearth of encryption solutions for mobile devices. Solutions that do exist are either too complicated and difficult to manage and/or piecemeal efforts that only address specific functions or platforms.
What we are facing is a new frontier for encryption that is expected to expand at an alarming rate. RBC Capital Markets forecasts for example that by 2012, 35.1% of global handsets or 504 million units (395 million prior) will be smartphones, largely as a result of an anticipated shift to e-mail, browsing, applications, and content.
Granted, mobile security was a relatively easy task when the BlackBerry Enterprise Server was the predominant business platform of choice, because user accounts were centrally provisioned. But with the multiple devices, operating systems, networks, security measures, etc. being used today, the situation has escalated out of control. While we witness an insatiable appetite on the part of end users for more access to information and applications, IT managers are struggling to find ways to impose limits to protect sensitive data in an environment where none of those limits appear to exist.
The Risk Factor
Risk is rising on two different fronts in the mobile arena. First, the use of smartphones for business correspondence and other sensitive communications is for the most part unmonitored. This was not a concern when mobile phones were primarily used for voice and personal communications. Now however, business users are turning to their smartphones to text, e-mail, and forward files—all activities that used to be managed by desktop functions where security and authentication processes are well in hand.
In tandem with that is a significant increase in technology that can intercept mobile messaging. There are countless off-the-shelf, publicly available, free software and firmware resources for the hacking community that enable perpetrators to intercept personal information exchange, credit card numbers, or any other transmitted/stored information. It is made only that much easier for them by the vast number of publicly available unsecured wireless networks.
Even within the enterprise walls, managers are challenged by workers bringing in a wide range of unaccounted for mobile devices. This is reminiscent of the early days of wireless networks, when staff took to installing their own routers. This rogue activity undermines the traditional centralized IT management approach. If an iPad or BlackBerry is stolen for example, there’s very little an IT manager can do to safeguard that information. On top of that, credential management for mobile communications is minimal—or in some cases non-existent.
The issue definitely began taking centre stage when the iPhone and Android devices came into the picture. Android especially brings an added risk to the equation, since applications can be downloaded from any location, rather than a centrally managed app store. And we have yet to assess the full impact of the Windows Phone 7 handheld. At this point in time, it’s safe to assume that every phone is potentially a business device and therefore a danger to security and information integrity.
Find the Source
As mentioned earlier, piecemeal solutions do exist, such as remote wiping of content from lost or stolen devices, disabling services, or applying encryption tools that require complex authentication procedures. These only resolve a limited portion of the overall threat. What is needed to manage the chaos is an entirely new perspective for mobile security.
In fact, one of the best approaches is perhaps the simplest: moving applications and data to the cloud, securing it at the source, and allowing mobile devices to access it. When executed properly, this approach provides a simple, secure platform where data can be centralized and protected. In simple terms, data resides in a place where unauthorized users can’t reach it; is kept off the devices used to access it; and with the proper encryption technologies/processes in place, it can’t be read if the transmission is intercepted.
Alternatively one can store and encrypt credentials on the mobile device itself. In this approach, encrypted messages are received and continue to remain encrypted on the device. Encryption can also be applied to outgoing messages sent directly from the mobile device. If the device is lost or stolen, messages cannot be accessed by unauthorized users.
Although data encryption for mobile devices is still in its early stages, the interest in e-mail, voice, and other encryption and credential management solutions is escalating at a significant rate. IT managers are realizing that there are mobile-ready encryption/authentication options that can simplify an incredibly complex issue.
While smartphone technology has been an incredible enabler for business communications, there is no question that the proliferation in usage is outstripping a company’s ability to put the appropriate security measures in place to protect sensitive information and prevent unauthorized usage. Dedicated mobile encryption services, however, promise to have a significant impact on how managers manage an ever-growing security challenge.
Michael Ginsberg is the CEO of Echoworx Corporation.