Buyer Beware: Mobile Security Solutions Are Not All Created Equal

Since the times of Julius Caesar, cryptography has been used to hide secrets from unauthorized persons. Ancient Roman warriors used the Caesar Cipher to encode messages during battle. While this cipher is a primitive ancestor to modern cryptographic algorithms, its purpose was the same as today – to protect data from prying eyes.

Because of the growing sophistication of mobile devices currently available, enterprises have embraced a culture of mobility. However, the same growth in data capacity, computing power, and processor speeds causes cryptography to take on exponentially more importance. Roman data breaches were limited by physical constraints; a messenger simply couldn’t carry very much. How much data is vulnerable if a company laptop, phone, or tablet falls into the wrong hands?

Even more troubling is the realization that the influx of consumer-grade mobile devices has grown much faster than the corresponding security solutions. Enterprise Mobility Management (EMM) is beginning to catch up, but many early adopters were burned by their lack of mobile strategy. Now, enterprises insist that certain features are included in any viable EMM solution, and encryption is at the top of that list. Without encryption, that valuable proprietary corporate data would be exposed in a variety of ways, whether it is accessed via the web or saved locally to a hard drive. Encryption also provides the easiest method to selectively wipe corporate data in case of device loss or employee termination.

Be mindful that not all encryption is created equal. Just as the Caesar cipher would be ineffective if attacked by today’s hackers, algorithms used today vary in effectiveness. Further, any cryptographic solution must be implemented correctly to provide any real security.

The gold standard for cryptography is the Cryptographic Module Validation Program (CMVP), established by the National Institute of Standards and Technology (NIST) in conjunction with the Communications Security Establishment Canada (CSEC). This program is responsible for validating that cryptographic modules meet the Federal Information Processing Standard (FIPS) 140-2.

To confirm that a solution has a NIST certificate, the CMVP offers a public listing of validated solutions. The products that qualify have undergone rigorous testing and are approved for use in any non-classified U.S. government application.

If you are shopping for an EMM solution and it has not been FIPS 140-2 validated, more investigation is needed. Without an independent body to verify the algorithms and implementation, you should ask yourself one major question:

Why trust an encryption solution that the federal government doesn’t trust?

Originally posted to The Chief Mobility Officer blog on April 4, 2013.