Agent-based software provides a range of options to secure at-rest data.
For this smartphone security Rolling Review installment, we logged some hands-on time with Credant Mobile Guardian, which uses agents to secure information stored on smartphones and other mobile devices.
Credant's software is worth a look if you're concerned about information disclosure in an environment that includes many types of portable devices. Credant Mobile Guardian, or CMG, agents can be deployed on a variety of portable devices (laptops and multiple smartphone OS types) and controlled by the CMG Enterprise Server management system.
CMG Enterprise Server integrates data control policies and existing user directories, and can limit access to potentially sensitive information stored on a mobile device. If a smartphone is lost or stolen and someone other than the owner tries to access it, the Credant agent software can "brick" the phone and make its contents unusable, even if it's disconnected from all networks. The device can be easily "unbricked" remotely: Support staff simply dispatch new keys to the device's key ring.
Centrally generated keys and function policies are fed to portable devices in a variety of flexible ways. Agents implement centralized policies in four categories called "shields" (access control, encryption, permissions, and usability), with multiple settings within each. As shield policies change, updates are pushed. Policies can control the availability of a device's ports, including Bluetooth, Wi-Fi, and infrared. Administrators might also choose to kill the IP stack entirely, so a phone can be used for voice calls but can't move data.
Data stored on smartphones is vulnerable to loss or theft. This Rolling Review tests the vendors' ability to lock down data on a variety of devices and platforms.
Credant encrypts files individually using keys unique to the user and his or her device. Authentication to a CMG-protected device is policy-based, and the policy can be linked back to your organization's central LDAP directory (Active Directory, Novell, or Open LDAP).
Credant policies can be built in many ways. If a user forgets his PIN, he's asked for a passphrase. Failing the passphrase can lead to a list of questions asking for information only he'd know, like his favorite music group. Failing that, he's prompted to call a configurable phone number for a challenge-response session with a help desk technician, and the keys that unlock the data are suspended until unlocked by the help desk.
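The two mechanisms described above, per-file encryption under centrally generated keys whose suspension "bricks" the device, and the PIN, passphrase, secret-question, help-desk fallback chain, fit together in a small model. The following is an added illustration written for this review, not Credant's code or API: the class and function names, the HMAC-SHA256 counter-mode stream cipher (a stdlib-only stand-in for whatever cipher the product actually uses), and the sample user, device, and help-desk number are all constructed assumptions.

```python
"""Constructed model: per-file keys issued by a management server, a device
key ring that is cleared (bricked) when the authentication fallback chain is
exhausted, and restoration by the help desk re-dispatching the keys.
Not Credant's implementation; names and cipher are stand-ins."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    # HMAC-SHA256 in counter mode: a stdlib-only stand-in for a real cipher.
    out = bytearray()
    block = 0
    while len(out) < n:
        out += hmac.new(key, nonce + block.to_bytes(8, "big"), hashlib.sha256).digest()
        block += 1
    return bytes(out[:n])


def encrypt_file(key: bytes, plaintext: bytes) -> bytes:
    """Layout: nonce || ciphertext || HMAC tag. Each file gets its own key and nonce."""
    nonce = secrets.token_bytes(16)
    body = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + body, hashlib.sha256).digest()
    return nonce + body + tag


def decrypt_file(key: bytes, blob: bytes) -> bytes:
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + body, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered file")
    return bytes(c ^ k for c, k in zip(body, _keystream(key, nonce, len(body))))


class ManagementServer:
    """Generates keys unique to (user, device, file) and can re-dispatch them."""

    def __init__(self):
        self._keys = {}  # (user, device_id) -> {file_name: key}

    def key_for(self, user: str, device_id: str, file_name: str) -> bytes:
        ring = self._keys.setdefault((user, device_id), {})
        return ring.setdefault(file_name, secrets.token_bytes(32))

    def dispatch_keys(self, agent: "DeviceAgent") -> None:
        # Help-desk action after a successful challenge-response: unbrick the device.
        agent.key_ring = dict(self._keys.get((agent.user, agent.device_id), {}))
        agent.suspended = False


@dataclass
class DeviceAgent:
    user: str
    device_id: str
    pin: str
    passphrase: str
    answers: dict  # secret question -> answer only the user should know
    helpdesk_number: str
    key_ring: dict = field(default_factory=dict)
    suspended: bool = False
    files: dict = field(default_factory=dict)  # file_name -> encrypted blob

    def store(self, server: ManagementServer, file_name: str, data: bytes) -> None:
        key = server.key_for(self.user, self.device_id, file_name)
        self.key_ring[file_name] = key
        self.files[file_name] = encrypt_file(key, data)

    def read(self, file_name: str) -> bytes:
        if self.suspended or file_name not in self.key_ring:
            raise PermissionError("device bricked: keys suspended")
        return decrypt_file(self.key_ring[file_name], self.files[file_name])

    def unlock(self, pin: str, passphrase: str = None, answers: dict = None) -> str:
        """Fallback chain: PIN -> passphrase -> secret questions -> call the help desk."""
        if hmac.compare_digest(pin, self.pin):
            return "unlocked:pin"
        if passphrase is not None and hmac.compare_digest(passphrase, self.passphrase):
            return "unlocked:passphrase"
        if answers and all(
            hmac.compare_digest(answers.get(q, ""), a) for q, a in self.answers.items()
        ):
            return "unlocked:questions"
        # Every factor failed: suspend the keys. The files stay unreadable even
        # with no network connection, because the keys are gone from the device.
        self.suspended = True
        self.key_ring.clear()
        return f"call:{self.helpdesk_number}"
```

The point of the split between `ManagementServer` and `DeviceAgent` is that bricking needs no connectivity (the agent simply discards its keys), while unbricking does, because only the server can re-issue them.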
Because Credant only secures data at rest, other safeguards are needed to protect data in transit. Also, Credant doesn't include malware detection and firewall capabilities. The incidence of smartphone malware is limited now, but it probably won't stay that way. Credant has developed some of these controls for clients, but they don't appear to be part of the core product.
A 200-device installation costs around $80 per seat with volume discounts available. This seems comparable to similar systems, none of which is exactly cheap. But if your data is valuable, then the price is probably worth the peace of mind that only authorized people are accessing it.
Richard Dreger and Grant Moerschel are co-founders of WaveGard, a vendor-neutral security consulting firm.
Photo illustration by Sek Leung
CREDANT MOBILE GUARDIAN
Credant's CMG secures at-rest data on several smartphone platforms from a single management workstation.
Mobile device security policies can be mapped to existing LDAP groups. You needn't create yet another list of users.
Tight control of device "ports" gives organizations central management of devices.
Strong policies help ensure data is only re-enabled when it's in the right hands.