For this smartphone security Rolling Review installment, we logged some hands-on time with Credant Mobile Guardian, which uses agents to secure information stored on smartphones and other mobile devices.

Credant's software is worth a look if you're concerned about information disclosure in an environment that includes many types of portable devices. Credant Mobile Guardian, or CMG, agents can be deployed on a variety of portable devices (laptops and multiple smartphone OS types) and controlled by the CMG Enterprise Server management system.

CMG Enterprise Server integrates data control policies and existing user directories, and can limit access to potentially sensitive information stored on a mobile device. If a smartphone is lost or stolen and someone other than the owner tries to access it, the Credant agent software can "brick" the phone and make its contents unusable, even if it's disconnected from all networks. The device can be easily "unbricked" remotely: Support staff simply dispatch new keys to the device's key ring.

Centrally generated keys and function policies are fed to portable devices in a variety of flexible ways. Agents implement centralized policies in four categories called "shields"--access control, encryption, permissions, and usability with multiple settings within each. As shield policies change, updates are pushed. Policies can control the availability of a device's ports, including Bluetooth, Wi-Fi, and infrared. Administrators might also choose to kill the IP stack entirely, so a phone can be used for voice calls but can't move data.

Credant encrypts files individually using keys unique to the user and his or her device. Authentication to a CMG-protected device is policy-based, and the policy can be linked back to your organization's central LDAP directory (Active Directory, Novell, or Open LDAP).

Credant policies can be built in many ways. If a user forgets his PIN, he's asked for a passphrase. Failing the passphrase can lead to a list of questions asking for information only he'd know, like his favorite music group. Failing that, he's prompted to call a configurable phone number for a challenge-response session with a help desk technician, and the keys that unlock the data are suspended until unlocked by the help desk.

Because Credant only secures data at rest, other safeguards are needed to protect data in transit. Also, Credant doesn't include malware detection and firewall capabilities. The incidence of smartphone malware is limited now, but it probably won't stay that way. Credant has developed some of these controls for clients, but they don't appear to be part of the core product.

A 200-device installation costs around $80 per seat with volume discounts available. This seems comparable to similar systems, none of which is exactly cheap. But if your data is valuable, then the price is probably worth the peace of mind that only authorized people are accessing it.

Richard Dreger and Grant Moerschel writers are co-founders of WaveGard, a vendor-neutral security consulting firm.

Photo illustration by Sek Leung