May 29, 2009 (08:05 PM EDT)
Rolling Review Wrap-Up: Smartphone Security

Read the Original Article at InformationWeek

Having finished hands-on reviews of four smartphone security products, we've learned some lessons from our testing. First, the technology is there to effectively protect corporate smartphones without unduly burdening IT or killing the user experience. Second, there are notable trade-offs with every tool we tested, so it's critical to know your organization's requirements and operational capabilities in order to sift through product options and select the best fit.

Trend Micro, Credant, PGP, and Trust Digital take different approaches to protecting mobile data and provide a solid overview of what's available. During tests, we saw impressive implementations of at-rest encryption, anti-malware, central policy management, firewalls, access controls, remote wiping, and other protection mechanisms. The bottom line? There's no single, best smartphone security product that will address everyone's needs, so we didn't pick an Editor's Choice or Best Value in the assessment below. Ask these simple but essential questions:

  • Do we need encryption?
  • What brands of phones must we support?
  • Do we want single-vendor or best-of-breed gear?

Price wasn't much of a differentiator in this Rolling Review--all product suites came in close to the $10,000 to $14,000 range for a 200-seat implementation. (Volume discounts, custom pricing, features, and incentives could affect that.) All the products that we reviewed have their own relative strengths and weaknesses. Some broadly cover a wide range of security controls; others provide a richer set of options by focusing on a few core areas. Want a single-vendor comprehensive system? Consider Trend Micro's Mobile Security 5.0. Need strong, role-based encryption compliant with Federal Information Processing Standards (FIPS)? Look at Credant Mobile Guardian. Interested in protecting data in transit as well as data at rest? Give PGP Mobile a try. Are you trying to deal with a diverse and expanding fleet of iPhones, Windows Mobile, and other platforms? Trust Digital Enterprise Mobility Management may be the way to go.

Those are broad strokes, and as always, the devil is how the details apply to your company's needs. Focus on the right combination of controls that adequately protect your data and reduce risk to acceptable levels.

Of the products we reviewed, the Trend Micro Mobile Security 5.0 suite probably had the most comprehensive set of security controls for the supported smartphones. The suite can provide at-rest encryption, user-to-device authentication, anti-malware protection, firewalls, spam protection for SMS messages, and intrusion detection--all controlled from a centralized interface to allow for enterprise-wide policy enforcement. The downside is that, to really leverage this product, your organization should have deployed a fairly homogeneous set of Windows Mobile or Symbian devices.

Credant Mobile Guardian's major strength is its encryption engine, which is FIPS 140-2 validated, a feature that appeals to government customers in particular. The system provides direct control of communication ports such as Bluetooth, Wi-Fi, and infrared. On the downside, it relies on other products to provide firewalls and anti-malware functions. It also has no provisions for securing data in transit.

PGP covers data at rest and data in motion using the PGP Universal Server's asymmetric key encryption. PGP's BlackBerry product focuses on end-to-end e-mail encryption, whereas its Windows Mobile offering focuses on raw data encryption. As with Credant, PGP Mobile doesn't assist with malware or firewalls, and it also doesn't do authentication or device management. But if you need seasoned cryptography, PGP Mobile is a strong consideration.

Trust Digital's Enterprise Mobility Management takes a somewhat different course from the others, using a three-tiered approach that includes the phone, a compliance filter, and the back-end EMM server. The suite provides flexible, centralized management of diverse smartphone platforms, including Apple's iPhone. The big upside to this product is its flexible approach to managing mobile phone security. Unfortunately, not all security controls are supported on all phone platforms.

While these four smartphone security platforms present a good cross section of what's available, there are perhaps dozens of others out there. One or more will probably get you where you need to be. Just don't forget to approve the supporting security policies.

Real World Assessment Smartphone  Security
(click image for larger view)

Richard Dreger and Grant Moerschel are co-founders of WaveGard, a security consulting firm.