
Learn how encryption can protect the data on your mobile devices

By: George Mateaki
Security Analyst
CISSP, QSA

With the rise in mobile devices, it makes sense that more businesses are using mobile devices to process, store, and transmit card data. But with the rise in technology comes the rise in all sorts of security issues. One common issue is stolen or lost devices.

Say you have a tablet that has sensitive information on it, such as card data, personal information, etc. If that tablet is stolen, all that data is now in the wrong hands. So how do you secure that data? Things like physical security and mobile device policies are good at protecting the device itself, but one way to protect the data on the device is encryption.

Here’s some information on mobile encryption and how it can help your business.

What is encryption?

The idea is to protect your data from falling into the wrong hands, should someone get ahold of a mobile device. Full disk encryption (FDE) encrypts all the data on your storage device.

Full disk encryption is basically encryption on a hardware level. It automatically converts data on a hard drive into something that can’t be deciphered without the key. Without the right authentication key, the data is inaccessible, even if a hard drive is removed and placed in another machine.

What’s nice about FDE is it’s automatic, so it requires no special action from the user other than providing a key. As data is written, it’s automatically encrypted, and as it’s read, it’s automatically decrypted.

Mobile devices like smartphones and tablets have encryption options that will also provide protection of storage. In this case, it’s not typically a disk but is still just storage that’s encrypted and accessed using some key. It’s usually just a matter of enabling the appropriate options and an extra step to provide a key.

Why should I get encryption?

If your organization deals with a lot of mobile devices that carry critical data, it’s a good idea to make sure none of that data falls into the wrong hands. Using encryption is another step to properly securing your data. Taking this extra step in security can help many organizations.

This can also protect you from liability. If a device is lost or stolen, and it was fully encrypted, organizations don’t have to report a breach.

What should I apply encryption to?

Encryption is really useful for laptops and other smaller devices that can be physically stolen or lost. It ensures that should a laptop, phone, USB, etc. be stolen or lost, the data is still secured. While it may be true that encrypting mobile devices is not required by all government or financial mandates, taking this extra step in security can help many organizations.

Basically, you should consider encryption for any mobile device that is storing sensitive data.


What type of encryption should I get?

There are many different types of encryption software and tools. Some come with other security elements included. Many computers and software already come with options like full disk encryption. The problem is that although this software is usually available on most devices, many businesses don’t realize it hasn’t been implemented. Fortunately, it’s fairly easy to activate encryption on devices.

Check if your current software offers storage encryption. If not, there are plenty of tools that offer encryption.

How secure is encryption?

Keep in mind that encryption doesn’t guarantee the security of your data. Encryption keys can still be stolen. With full disk encryption, cold boot attacks can be used: keys are stolen by cold booting a machine, then dumping the contents of its memory before the data disappears. Some best practices are to secure the encryption key properly, employ a strict password policy, and limit access to these keys.

So if your business uses a lot of mobile devices, implementing encryption is a great security tool to protect your data.


George Mateaki (CISSP, CISA, QSA, PA-QSA) is a Security Analyst at SecurityMetrics with an extensive background in Information Security and 20+ years in IT.