Guest Post: Secure your applications and systems in an appropriate way at minimum cost to performance and usability

Heinrich Van Der Westhuizen is a technology entrepreneur with more than 17 years’ experience in IT and has managed different businesses within Europe across multiple IT disciplines. Heinrich works for Digital Defence who provide mobile defence solutions.

Secure Mobile encrypts and protects selected data and centrally enforces security policies on mobile devices. Secure Mobile is a true enabler for Mobility.

TechNet UK invited Heinrich to provide the details of what Digital Defence is, as we know that many of you are interested in your staff being able to use devices on your systems anywhere. When looking at corporate-owned devices, the technology provided by Digital Defence provides a potential solution when looking at security for this environment. Hear from Heinrich about this technology and how it may be applicable in your organisation.

How Secure Mobile Works

Secure Mobile provides real-time encryption of persistent data using 128- or 256-bit AES encryption employing the XTS cipher mode, which has been FIPS 197 certified. This is a relatively new cipher mode designed specifically for data at rest. Persistent data is any data that survives a factory reset of a handheld device (i.e. storage cards or persistent local folders such as the /application folder on Motorola devices). The encryption is seamless to the user: a file system filter driver encrypts and decrypts all protected data in real time. Each file is encrypted with its own key. A file’s encryption key is determined by data stored partly in the file’s contents and partly (securely) in the device’s registry. The encryption key data is protected by device authentication, which integrates with the Microsoft LASSD system.
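The per-file key scheme described above can be sketched as follows. This is an added example, not Digital Defence's code: the post does not say how the two parts are combined, so HKDF-SHA256, the `SMX1` header layout and all function names are assumptions, and `device_secret` stands in for the part held in the registry.

```python
import hashlib
import hmac
import os
import struct

MAGIC = b"SMX1"        # hypothetical header tag, not the product's real format
SALT_LEN = 16          # per-file random value stored in the file itself
XTS256_KEY_LEN = 64    # XTS-AES-256 takes two 256-bit keys (512 bits in total)


def hkdf_sha256(secret: bytes, salt: bytes, info: bytes, length: int) -> bytes:
    """HKDF (RFC 5869) extract-then-expand using HMAC-SHA256."""
    prk = hmac.new(salt, secret, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def new_file_header() -> bytes:
    """Header written once per file: tag, salt length, random per-file salt."""
    return MAGIC + struct.pack("<H", SALT_LEN) + os.urandom(SALT_LEN)


def parse_salt(header: bytes) -> bytes:
    """Validate the header and return the per-file salt."""
    if len(header) < 6 or header[:4] != MAGIC:
        raise ValueError("not an encrypted-file header")
    (salt_len,) = struct.unpack("<H", header[4:6])
    salt = header[6:6 + salt_len]
    if salt_len != SALT_LEN or len(salt) != SALT_LEN:
        raise ValueError("truncated or malformed salt")
    return salt


def derive_file_key(device_secret: bytes, header: bytes) -> tuple[bytes, bytes]:
    """Combine the device-held secret with the file-held salt into an XTS key pair."""
    okm = hkdf_sha256(device_secret, parse_salt(header), b"file-xts-key", XTS256_KEY_LEN)
    data_key, tweak_key = okm[:32], okm[32:]
    if hmac.compare_digest(data_key, tweak_key):
        raise ValueError("degenerate XTS key: both halves are equal")
    return data_key, tweak_key
```

With this split, a storage card removed from the device carries only the salts, so the file keys cannot be recomputed without the secret that stays behind device authentication.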

Encrypted data access can be restricted to specific applications to ensure unknown (or undesired) applications will never be able to access the encrypted data. This is achieved by White Listing (and Black Listing) applications from execution and encryption access. All data connection ports are protected using Secure Mobile’s Access Control module. This ensures all means of transferring data to and from the device can be restricted to only secure channels. WWAN, WLAN, and USB channels can all be White Listed to ensure only specific secure networks (or connections) are used for data transfer.

How Secure Mobile Works II (File System Driver vs. File Vault)

Strictly speaking, we are not a “File Vault”. A File Vault is a single file that appears to the user as a folder location. So the storage folder is stored internally as a single file.

Secure Mobile uses a file system filter driver. This means we intercept all file reads and writes, effectively acting as a second file system driver in the kernel.

We only encrypt storage locations that remain persistent after a clean boot (factory reset). This includes local storage areas which are flagged as persistent (or permanent). On Motorola devices this is the “\application” folder.

We do not encrypt local storage folders that are wiped after a factory reset (i.e. the “\windows” folder).

Yes, our solution is system-wide. In this way, Secure Mobile is independent of any applications installed. Any time an application tries to read or write data, the data is automatically decrypted or encrypted without the application needing to worry about it (or even being aware of it). Of course, if you Black List an application from encryption, then that application cannot read and write data to the locations marked for encryption.

If Storage Cards are marked to be encrypted, then every single file on a storage card will be encrypted.

If Local Persistent folders are marked to be encrypted then every single file on local persistent folders will be encrypted.

Device Wipe with Secure Mobile

Secure Mobile provides the ability to set a security policy which will force a device wipe as a result of a "security compromise".
Secure Mobile can force a device wipe if:
- a user is locked out of the device after X failed login attempts.
- a user has not used the device for X days.
- a user has not connected the device to a PC for X days.
Secure Mobile does not currently provide the ability to immediately "Remote Wipe" a device.
Secure Mobile can be set up to keep data on storage cards during a device wipe.
A device wipe will attempt to delete every file and registry entry.
A device wipe will result in a mobile device which cannot be used due to the removal of key system files and registry entries. The result is that the device needs to be factory reset (clean boot).