
Ask Slashdot: Managing Encrypted Android Devices In State and Local Gov't?

timothy posted more than 2 years ago | from the better-to-city-council-corruption dept.

Android 138

An anonymous reader writes "I am a systems administrator for a mid-size state agency. We currently offer Blackberries to our staff, but we are migrating to Android devices in the near future. Since phones have sensitive data (email, documents, etc.), what is a good choice for encrypting that data? Options abound, like OS-level encryption from Motorola and Samsung, 3rd party apps from GoTrusted and even a LUKS port for Android. Does anyone have experience managing encrypted Android devices? What are the important features I should be looking at? Many thanks in advance." (And, for that matter, are there good options for doing the same with iPhones? Other options to consider?)


138 comments


state agency will take the best deal not the best (1, Offtopic)

Joe_Dragon (2206452) | more than 2 years ago | (#40630919)

State agency will take the best deal, not the best for IT.

Re:state agency will take the best deal not the be (2)

masternerdguy (2468142) | more than 2 years ago | (#40630973)

No, the US government actually takes computer security pretty damn seriously.

Re:state agency will take the best deal not the be (1)

Picass0 (147474) | more than 2 years ago | (#40631079)

It's not a federal agency. OP said it was a "mid-sized state agency".

Re:state agency will take the best deal not the be (1)

Joe_Dragon (2206452) | more than 2 years ago | (#40631139)

Well, take the security software that locks stuff down too much and is a pain to work with.

Re:state agency will take the best deal not the be (1)

nurb432 (527695) | more than 2 years ago | (#40631159)

Not always. Some states do worry about technical merit.

Re:state agency will take the best deal not the be (3, Insightful)

dsvick (987919) | more than 2 years ago | (#40631667)

I would think that the fact the OP is taking the time to ask the question and even went so far as to ask for help with things he realizes he might not even know enough to ask is pretty good evidence that they are taking security seriously. Granted, he probably has to get it approved if it's a paid app, but the cost of that should be pretty small compared to the cost of the phones themselves.

Don't encrypt (5, Insightful)

Anonymous Coward | more than 2 years ago | (#40630939)

If the state isn't doing anything wrong, it doesn't have anything to hide.

Re:Don't encrypt (1)

DerUberTroll (2676259) | more than 2 years ago | (#40630999)

ULTRA LOL :-) It's overhead anyway and requires too much processing power.

Re:Don't encrypt (1)

kurt555gs (309278) | more than 2 years ago | (#40631003)

I wish I had Mod points for this one.

Re:Don't encrypt (5, Insightful)

masternerdguy (2468142) | more than 2 years ago | (#40631059)

It doesn't just have to do with hiding immoral actions (btw we don't even know what agency he works for -- he could be fracking parks and recreations), it also prevents tampering.

I encrypt the disks on my computers not to hide anything, I will gladly decrypt my disk for the FBI if they ever asked, but to prevent outside tampering. Without encryption, an adversary can just load up a linux live cd and tamper with anything they want with root access. By encrypting the entire disk I can prevent that sort of tampering. They can still boot a live cd, but they can't tamper with the installed operating system or the data.

Besides, there is a metric ton of personal information on any smart phone. How would you like Joe the Laptop Thief to get access to your Google account, or possibly even login information for your online banking?

Re:Don't encrypt (0)

Anonymous Coward | more than 2 years ago | (#40631163)

*woosh*

Re:Don't encrypt (-1)

Anonymous Coward | more than 2 years ago | (#40631171)

No, not a woosh. The OP made a stupid remark intended to bait all the anti-gov anarchists.

Re:Don't encrypt (-1)

Anonymous Coward | more than 2 years ago | (#40631199)

STFU you little faggot.

Re:Don't encrypt (0)

Anonymous Coward | more than 2 years ago | (#40633003)

STFU you little faggot.

Thanks for your valuable input to this discussion. To honour you and the merits of your post, all subsequent posts from the same IP will be redirected to the venerable /dev/null Hall of Fame.

Re:Don't encrypt (1)

Anonymous Coward | more than 2 years ago | (#40631235)

No, the OP is using an argument that the government often uses against its citizens to gain access to encrypted/private information. He is pointing out the irony by humorously turning the statement back at the government. You can be for government and still see that there needs to be limits on privacy invasion.

Re:Don't encrypt (-1)

Anonymous Coward | more than 2 years ago | (#40632609)

You can be for government and still see that there needs to be limits on privacy invasion.

Not really.

I LIKE the idea of government taking over all the responsibility of running every detail of my life and my thinking. That way, I can simply "coast" through life and not have to struggle or compete, just do as I'm told, and then party as hard as I can and screw as many women as I can before I die, no different than anyone else in my class, no richer, no poorer, and no decisions to make or failures to take responsibility for.

That "freedom" bullshit is way too much work and far too dangerous. Just keep your head down and your mouth shut, don't cause trouble, take whatever you can get however you can get it, and get by.

Re:Don't encrypt (2)

roc97007 (608802) | more than 2 years ago | (#40631173)

> he could be fracking parks and recreations

Gee thanks. It'll take a long time to get that mental image out of my head.

Re:Don't encrypt (3, Funny)

aristotle-dude (626586) | more than 2 years ago | (#40631579)

> he could be fracking parks and recreations

Gee thanks. It'll take a long time to get that mental image out of my head.

No doubt, they should not allow exploration for natural gas deposits inside of parks.

Re:Don't encrypt (1)

MyFirstNameIsPaul (1552283) | more than 2 years ago | (#40631369)

If you truly believe the FBI is working for the greater good of humanity, then please read Classified Woman [amazon.com] by whistle-blower Sibel Edmonds for an inside look at how they 'get business done.'

Re:Don't encrypt (3, Insightful)

Calos (2281322) | more than 2 years ago | (#40631391)

Sorry, but no, not everything the government has should be open for anyone to obtain and peruse. Take this [computerweekly.com] as an example, or several other blunders made by the UK government or its contractors. This [btlj.org] has some data and discussion on the US. Personally, I'm more concerned with the general lack of responsibility for these kind of breaches in both the public and the private sector.

Don't get me wrong, I agree with your ideal. But ideals can rarely if ever become reality. And they're not always the blessing that they would seem to be.

Re:Don't encrypt (5, Insightful)

Last_Available_Usern (756093) | more than 2 years ago | (#40631423)

What about personally identifiable information? Should SSN's be flying around unencrypted? Just because encryption is used to conceal wrongdoing doesn't mean it's always used for that purpose.

Re:Don't encrypt (1)

kevmeister (979231) | more than 2 years ago | (#40632549)

Federal regulations require full disk encryption for any portable disk containing PII. HIPAA (medical) information has even stronger requirements than PII. I assume many state and local governments have similar requirements (and should have).

BTW, I think the Anonymous Coward who posted the initial comment was expecting a rating of "Funny". At least it looked tongue in cheek to me.

Re:Don't encrypt (0)

Anonymous Coward | more than 2 years ago | (#40631891)

If the state isn't doing anything wrong, it doesn't have anything to hide.

You know, if my state processes my income tax data, I'd like that to be private.

If my state processes my health insurance data, I'd like that to be private too.

Many governments have been hiding far too much, but it is reasonable to expect that some information is kept confidential.

Re:Don't encrypt (0)

Anonymous Coward | more than 2 years ago | (#40631937)

I have a city government as a client where an administrator kept asking us to send files containing social security numbers, names, dates of birth, and other information for city employees unencrypted because having email contents encrypted violated their open access laws.

Don't worry, we didn't actually do what they said. We just said that our policy is to protect all personal information we handle and that they really need to discuss the issue with their legal counsel since we are highly skeptical that the law has to be applied that way and isn't preempted by any federal legislation.

Re:Don't encrypt (0)

Anonymous Coward | more than 2 years ago | (#40632227)

If the state isn't doing anything wrong, it doesn't have anything to hide.

Says the AC

iPhone (3, Informative)

masternerdguy (2468142) | more than 2 years ago | (#40630957)

Considering that any meaningful encryption (I will assume you want some sort of volume group/full disk encryption) will require root access and probably a custom kernel module, you will need android. Personally I would download the source code and hack it myself, add in the encryption and other features I want, and then flash the modified ROM onto a device of choice. You can't do that on an iPhone. It worked for SELinux.

Re:iPhone (5, Informative)

bz386 (1424109) | more than 2 years ago | (#40631027)

Android has builtin encryption starting with ICS.

Re:iPhone (0)

Anonymous Coward | more than 2 years ago | (#40631615)

.... and the encryption (and device password policy) are enforceable through Mobile Device Management (e.g.: MobileIron)

Re:iPhone (-1)

Anonymous Coward | more than 2 years ago | (#40631035)

iPhone is better for this stuff. But since you want Android: you can't use the parent's method, as that's unrealistic with different devices and support staff requirements. Building a custom OS for Android is cute for a few phones but won't work on a large scale. Look at Mobile Iron. Some of the latest Samsung stuff has SamsungDM, which is an enterprise management feature. Your best bet is iPhone with Apple MDM.

Re:iPhone (0, Insightful)

Anonymous Coward | more than 2 years ago | (#40631291)

iPhone is better for this stuff. but since you want android.

Spoken like a true iTard who has no idea what he's talking about. Android version 4.0 and above supports full disk encryption using AES you fucking tool.

Re:iPhone (0)

Anonymous Coward | more than 2 years ago | (#40632965)

Spoken like a true...well, ignoramus. http://ask.slashdot.org/comments.pl?sid=2975157&cid=40631807 [slashdot.org] Best know your shit before you jump on someone else's.

Re:iPhone (0)

Anonymous Coward | more than 2 years ago | (#40632993)

Oh, and this one...http://ask.slashdot.org/comments.pl?sid=2975157&cid=40631975

Re:iPhone (4, Insightful)

jmorris42 (1458) | more than 2 years ago | (#40631097)

Nice propeller spinning but forget all that crap and let's get real.

If you want to enforce privacy of information you do two simple things.

YOU DON'T F*CKING ALLOW IT TO WALK OUT THE FRONT DOOR.

YOU DON'T ALLOW IT TO BE MOVED TO DEVICES OUTSIDE OF YOUR DIRECT CONTROL.

So just say no to BYOD, let 'em screech and bitch all they want. Tell 'em straight up, if you can't work without your precious iPad then go find an employer who doesn't need to deal with laws enforcing privacy. And good luck with that in this crappy economy. Just say no to portable devices, period, unless there is a truly compelling need. Data collection and off site archiving come to mind.

Otherwise admit you really don't care about privacy at all and get on with it and, again, you don't need to spend a lot of money on tech that won't actually work when it comes to crunch time with end user idiots.

Re:iPhone (2)

gweihir (88907) | more than 2 years ago | (#40631151)

While I agree that BYOD is a nightmare security-wise, you seem to be unaware that technology cannot really protect against insiders. So let me add:

YOU DON'T ALLOW ANYBODY TO WORK WITH IT OR LOOK AT IT.

That is where the "lock everything down" approach fails and things like data leakage prevention look just as ridiculous as they are.

Re:iPhone (1)

jmorris42 (1458) | more than 2 years ago | (#40631267)

> YOU DON'T ALLOW ANYBODY TO WORK WITH IT OR LOOK AT IT.

No, you have to assume your own people are somewhat safe, at least at the level of access you grant each one. Although you also have audit trails of who accesses/changes what to keep everyone honest.

But the second it leaves the front door you aren't trusting the user anymore, you are trusting the user to be able to retain possession in a hostile environment. Or you are trusting them to actually use the secure features correctly. Do you deal with end users? It only takes ONE to screw up.

BYOD fails before you even start, the premise is broken. I'm expected to secure a device I don't own or even have ultimate control of? Eh? And if the user was skilled enough to do all that stuff, or even understand why circumventing the security policy is a bad idea, he/she would probably be working in IT.

You might make it work somewhat if you only allow web apps or similar remote viewing access with no information ever stored on the uncontrolled device but even that has problems. Security access tokens vulnerable, screen caps, cut/paste, etc.

Re:iPhone (0)

Anonymous Coward | more than 2 years ago | (#40631911)

But the second it leaves the front door you aren't trusting the user anymore, you are trusting the user

o_0

Re:iPhone (2, Insightful)

rogueippacket (1977626) | more than 2 years ago | (#40631179)

Please, I would like to see you say those exact words to your CxO when they come and ask you for help with activating their brand new iPhone/Android/Tablet. You're just going to make my job easier when I sell them a BYOD solution without your consent.
BYOD is here to stay whether you want to support it or not.

Re:iPhone (2)

jmorris42 (1458) | more than 2 years ago | (#40631299)

Translation: Security/privacy is just a joke. We will waste a little tax money on security theater and fattening up a preferred vendor but we really don't care. Give me the shiny toy.

Re:iPhone (2)

gorzek (647352) | more than 2 years ago | (#40631739)

When a C-level executive says they want something, do you really think a rank-and-file IT worker, or even the IT manager, is going to get to tell them "no"?

Re:iPhone (1, Interesting)

stewbacca (1033764) | more than 2 years ago | (#40631395)

I changed jobs last year. I used to work on government contracts and we weren't even allowed to take thumb drives or laptops out of the building. Wasteful and inefficient for very little security returns (with nothing in place to keep me from just forwarding the stuff to my gmail account, and then working on it from home, something everyone did, btw).

Now I work in a place that is BYOD. We have NO security problems like the old place. Not because BYOD is more secure, but because when you surround yourself with a security circus, all the IT power-mongers make EVERYTHING a security priority and you get a security circus. Allowing BYOD is the first step for the IT dorks to realize that not everything has to be locked down tight just because it is your job to do so.

Re:iPhone (2)

jmorris42 (1458) | more than 2 years ago | (#40631949)

> just forwarding the stuff to my gmail account

Translation: I didn't give a shit about security and worked around it for my convenience. I didn't give two rats' asses if I passed private information through totally unsecured servers at Google and anyone at Google with legit (or not) access to the servers with that data on them. I passed information I was obligated to protect the privacy of right through who knows how many unsecured pathways between work, Google and home. I managed to leave before getting fired when a major scandal broke in the newspapers and now work somewhere where everybody does this sort of crap out in the open so I no longer even worry about it.

You are the reason privacy breaches happen. Which was what I was getting at in my first post, make up your mind whether you actually give a crap about privacy/security/etc or not. Then follow Yoda's advice. And sometimes forgetting about it might be the better call, a lot of stuff gets locked down for little real reason. And some stuff really should be kept private.

Re:iPhone (4, Insightful)

rhsanborn (773855) | more than 2 years ago | (#40631307)

This is why IT people have such a bad reputation. Yes, portable devices are a security risk. Our job, as IT professionals, is to come up with solutions. On the same bent, I suppose you'd also cut the link to the Internet. Wait, you obviously haven't, because you're posting on Slashdot. But you came up with clever ways to protect your system from the Internet? Then why don't you start working on coming up with ways to secure mobile devices.

The obstructionism is well intentioned, but we have an obligation to try to support the needs of the business. Staff are more mobile, and the business is benefiting by having people more connected and better able to make decisions, even when they aren't sitting in front of a PC. So, let's make it secure.

Re:iPhone (1)

jmorris42 (1458) | more than 2 years ago | (#40631529)

This isn't a tech problem. Therefore it can't be solved with tech. You don't allow information that you are obligated to protect the privacy of leave your control. Doesn't matter if it is android, a laptop or a briefcase full of files. The other option is roll the dice and hope you aren't there when the press show up to cover the breach. Choose. And if your boss insists you do it anyway make the sum-bitch put the order in writing so your butt is covered when the poop hits the fan. Because sooner or later... BOOM!

Staff should not be mobile with private information unless absolutely required to do their job, and the number of those people hasn't changed a lot. Field work is still field work and the office is still the office. And the solutions haven't changed a lot either. Avoid copying more information to a portable device than absolutely required to do the job. And with today's connectivity a live connection to a remote app is usually the way to go. Only at the edges can tech play a role. Design it right, control it right and you won't get bit in the ass when (not if) the crypto and other fancy tech fails in the hands of end users.

Re:iPhone (2)

devforhire (2658537) | more than 2 years ago | (#40631841)

I think you are correct with everything you said, but you're missing the most fundamental part of security as it's mostly practiced in the real world (there are some places where security is really taken seriously but they are extremely few.) The only thing that is important is the illusion of an extremely secure system. Most normal human beings would never tolerate any truly secure system as it would be too inconvenient to use.

Re:iPhone (0)

Anonymous Coward | more than 2 years ago | (#40631985)

Fantasy, there are serious rules and regulations around this, and this kind of problem is solved by folks like IBM and senior level decision makers, not sys admins asking questions on Slashdot. Unreal.

Re:iPhone (0)

Anonymous Coward | more than 2 years ago | (#40632069)

You don't have to be that extreme if nothing is cached on the device and everything is accessed remotely each time it's viewed.

Wrong: iPhone is encrypted by default... (2)

nweaver (113078) | more than 2 years ago | (#40631105)

And in fact it's non-disableable. The remote wipe is, in fact, "kill key store".

Apple's propaganda, err, whitepaper on the subject [slashdot.org]

Err, proper propaganda link... (2)

nweaver (113078) | more than 2 years ago | (#40631229)

Proper propaganda link [apple.com] , silly me, forgot the http

Re:iPhone (0)

Anonymous Coward | more than 2 years ago | (#40631125)

Posting as AC @ work

AirWatch is the solution that my company is going up with to manage iOS devices as the new corporate standard, replacing Blackberry. It was recently selected as the tool to manage several thousand devices.

Android was a consideration but was not chosen due to security/malware concerns.

Re:iPhone (0)

Anonymous Coward | more than 2 years ago | (#40631233)

Android was a consideration but was not chosen due to security/malware concerns.

You are worried about malware so you chose a platform whose primary method of "jailbreaking" is surfing to a particular fucking webpage? Whoever made that call should be fired and summarily executed for stupidity.

Re:iPhone (0)

nweaver (113078) | more than 2 years ago | (#40631505)

Any remote p0wn jailbreaks get squished very quickly by Apple. They really really don't like p0wn the phone attacks.

This is in strong contrast to Android, which has a great security model, but that security model is trivially bypassed when a user says "OK" to an incomprehensible permissions list provided by a random application that displays cartoon kitties or tells you what color of nail polish works best.

Re:iPhone (0)

Anonymous Coward | more than 2 years ago | (#40631657)

user says "OK" to an incomprehensible permissions list

"This app uses the internet"

"This app can access your contacts"

"Incomprehensible"? Really? Are you just that stupid?

Re:iPhone (0)

Anonymous Coward | more than 2 years ago | (#40631817)

The list is hardly incomprehensible and that is not "bypassing" the Android security model. It is the Android security model working as intended in that you, the user, are entitled to and required to decide if the function performed by an application does indeed require (or merit, in the case of ads requesting your location) the permissions that it requests.

Re:iPhone (4, Informative)

Yaztromo (655250) | more than 2 years ago | (#40631807)

Considering that any meaningful encryption (I will assume you want some sort of volume group/full disk encryption) will require root access and probably a custom kernel module, you will need android.

iOS devices have AES 256 encryption baked right into the hardware inside the DMA path between flash storage and the main system memory. It's always enabled, and can't be disabled by users, administrators, or anyone else [apple.com] . No custom kernel modules required -- XNU already has built-in AES 256 support, and the platform already implements it for each and every device.

Yaz

BlackBerry = Security (0)

Anonymous Coward | more than 2 years ago | (#40630961)

I'd stick with BlackBerry if you want security...

Re:BlackBerry = Security (3, Interesting)

snowraver1 (1052510) | more than 2 years ago | (#40630977)

Has anyone here tried blackberry mobile fusion? Is it good?

Re:BlackBerry = Security (1)

kuhnto (1904624) | more than 2 years ago | (#40631553)

I had it the other day mixed with bananas, Strawberries, Herbal Nutrient Blend, Soy Protein, Turbinado and Honey. Best Smoothie ever!

Android Supports encryption (1)

Anonymous Coward | more than 2 years ago | (#40630975)

http://support.google.com/ics/nexus/bin/answer.py?hl=en&answer=2381815

Use Apple. (4, Funny)

Anonymous Coward | more than 2 years ago | (#40630983)

Their phones don't offer any enterprise-level collaboration features whatsoever. No features, no security risk!

technology should fit the budget and user level (0)

Anonymous Coward | more than 2 years ago | (#40630987)

pagers and pay phones are the way to go for state communications.

Built In Encryption (0)

Anonymous Coward | more than 2 years ago | (#40631005)

Android 4.0 and later devices all have options for full-disk 128-bit AES encryption built into the OS.

iPhones are encrypted by default (0)

Anonymous Coward | more than 2 years ago | (#40631055)

I can't speak to android, but iPhones have whole device encryption enabled as standard. For security you would just need to enforce use of passcodes.

Apple has a pretty great resource on iOS security at: http://www.apple.com/iphone/business/integration/ Specifically the PDF under the heading "works with your work".

Re:iPhones are encrypted by default (0)

Anonymous Coward | more than 2 years ago | (#40631261)

I can't speak to android, but iPhones have whole device encryption enabled as standard.

Android has full AES encryption as one checkbox away on version 4.0.

Re:iPhones are encrypted by default (1)

thegoldenear (323630) | more than 2 years ago | (#40632477)

Settings -> Security:
- Encrypt device
- Encrypt SD Card

If they're going to have Active Sync... (4, Informative)

nighthawk243 (2557486) | more than 2 years ago | (#40631057)

If you're using active sync, you can make it part of the sync policy to wipe the phone when it is marked lost. We do that quite a bit.
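Several posts above say the same thing from different angles: Android 4.0 has built-in storage encryption (Settings -> Security -> Encrypt device), and a policy channel such as Exchange ActiveSync can require a passcode and wipe a device marked lost. The following is an added example, not code from the Slashdot thread or from any product named in it, showing how those same three controls (require encryption, enforce a screen-lock password, remote wipe) look when enforced on the device itself through Android's public device-administration API. The package name, the class name and the six-character minimum password length are assumptions for the example; it also assumes the app's manifest registers the receiver with `android.permission.BIND_DEVICE_ADMIN` and a `res/xml/device_admin.xml` listing the `encrypted-storage`, `limit-password`, `force-lock` and `wipe-data` policies.

```java
// Added example (not from the thread): an Android device-admin component that
// enforces storage encryption, a screen-lock password, and remote wipe.
// Assumes a manifest entry with android.permission.BIND_DEVICE_ADMIN and a
// res/xml/device_admin.xml granting <encrypted-storage/>, <limit-password/>,
// <force-lock/> and <wipe-data/>.
package example.mdm; // hypothetical package name

import android.app.Activity;
import android.app.admin.DeviceAdminReceiver;
import android.app.admin.DevicePolicyManager;
import android.content.ComponentName;
import android.content.Context;
import android.content.Intent;

public class EncryptionPolicyAdmin extends DeviceAdminReceiver {

    /** Hypothetical agency minimum for the device PIN/password. */
    static final int MIN_PASSWORD_LENGTH = 6;

    private static DevicePolicyManager dpm(Context ctx) {
        return (DevicePolicyManager) ctx.getSystemService(Context.DEVICE_POLICY_SERVICE);
    }

    /** Called once the user has accepted this app as a device administrator. */
    @Override
    public void onEnabled(Context ctx, Intent intent) {
        DevicePolicyManager dpm = dpm(ctx);
        ComponentName admin = new ComponentName(ctx, EncryptionPolicyAdmin.class);

        // ActiveSync-style password policy: alphanumeric, minimum length,
        // automatic lock after five minutes idle.
        dpm.setPasswordQuality(admin, DevicePolicyManager.PASSWORD_QUALITY_ALPHANUMERIC);
        dpm.setPasswordMinimumLength(admin, MIN_PASSWORD_LENGTH);
        dpm.setMaximumTimeToLock(admin, 5 * 60 * 1000L);

        // Record that storage encryption is required. This is a request, not a
        // guarantee: the user still has to run the system encryption wizard once.
        dpm.setStorageEncryption(admin, true);
    }

    /**
     * True only when storage is actually encrypted. Worth checking separately
     * from the policy, because a device can be "required" to encrypt and still
     * report INACTIVE (wizard never run) or ACTIVATING (in progress).
     */
    public static boolean isStorageEncrypted(Context ctx) {
        return dpm(ctx).getStorageEncryptionStatus()
                == DevicePolicyManager.ENCRYPTION_STATUS_ACTIVE;
    }

    /**
     * Start the system encryption wizard if encryption is supported but not yet
     * active. Returns false when the build cannot encrypt at all, so a caller can
     * refuse to provision mailbox data onto that device.
     */
    public static boolean ensureEncryption(Activity activity) {
        switch (dpm(activity).getStorageEncryptionStatus()) {
            case DevicePolicyManager.ENCRYPTION_STATUS_UNSUPPORTED:
                return false;
            case DevicePolicyManager.ENCRYPTION_STATUS_ACTIVE:
                return true;
            default: // ENCRYPTION_STATUS_INACTIVE or ENCRYPTION_STATUS_ACTIVATING
                activity.startActivity(new Intent(DevicePolicyManager.ACTION_START_ENCRYPTION));
                return true;
        }
    }

    /**
     * Remote wipe, the device-side equivalent of the ActiveSync "wipe when
     * marked lost" policy. Needs the <wipe-data/> policy; flag 0 resets
     * internal storage, WIPE_EXTERNAL_STORAGE would also clear the SD card.
     * The call does not return on success.
     */
    public static void remoteWipe(Context ctx) {
        dpm(ctx).wipeData(0);
    }
}
```

The split between `setStorageEncryption` and `getStorageEncryptionStatus` is the practical point: requiring encryption in policy does nothing until the wizard has completed, so an MDM agent should gate mailbox provisioning on `ENCRYPTION_STATUS_ACTIVE` rather than on the policy flag. An ActiveSync server applies the same checks from the other end (it refuses to sync until the client reports compliance), which is why the thread's "make it part of the sync policy" advice works without any device-side code.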

Sandbox Application (3, Interesting)

rogueippacket (1977626) | more than 2 years ago | (#40631065)

Try something like Good for Enterprise - allow your employees to bring their own devices (this is the trend, don't try to dodge it) if they wish, and just provide them with an activation key for the application. The days of "work device" and "personal device" are over - users will use one device for both, and issuing a crippled device which only performs one of these tasks is quite draconian. The sandboxed application ensures all critical information is secure, while giving your employees the segregation between life and work they desire.

Re:Sandbox Application (1)

Andy Dodd (701) | more than 2 years ago | (#40631135)

Yeah. "Sandbox" apps like this will be received better by employees. If you try OS-level encryption with policy enforcements (such as Exchange policy enforcements), users will find ways to bypass the policy enforcements that get in the way of "normal personal operations" and this will also kill the security of the things you want to keep secure.

Sandboxes like Good for Enterprise don't annoy users when they are engaged in personal use, so they are far less likely to disable security measures.

Re:Sandbox Application (0)

Anonymous Coward | more than 2 years ago | (#40631149)

despite this ridiculous trend of BYOD - go for a policy of web apps, nothing stored locally and Hardware Tokens (or 1 time 'perma cookie') + regular pass for authentication

Separation of use (1)

nurb432 (527695) | more than 2 years ago | (#40631185)

I'd prefer to have 2 devices over the 'boss' having access to mine, in ANY manner. (Even Active Sync gives them far too much control over MY device.)

Re:Sandbox Application (2)

gweihir (88907) | more than 2 years ago | (#40631187)

Stay away from that trash. I recently attended a presentation on "Good for Enterprise" intended for professionals and it was just pathetic. Some friends, who are not security experts, began poking holes in the statements made in real-time, because the fatal flaws were obvious even to them.

Re:Sandbox Application (1)

businessnerd (1009815) | more than 2 years ago | (#40631193)

I will second this option. My company uses Good for Enterprise on both Android and iPhone. The nice thing about it is that it is YOUR phone that happens to have an app on it to access your work e-mail, calendar and contacts. You can view attachments, but not download them to the actual device. The app itself is password protected so you can choose your own level of security for the rest of your phone. The only bad part is that, well, naming an app "Good" will always result in it being bad. The interface is a bit clunky (GMail app, blackberry mail, etc. are all much more enjoyable to use) and I often have the issue of it not syncing regularly when I'm on WiFi (for some reason it's much more reliable on even a weak mobile data connection). Additionally, the app will not install on a rooted or jailbroken phone (for security reasons). The geek in me wants to root my phone, but the other part of me that needs a fully functioning and reliable smartphone is happy limits were put in place. But despite the downsides, it does what I need it to do and it's liveable. The company is happy that their data is encrypted and sandboxed from the rest of the phone. I'm happy that I can do what I want with MY phone and don't have to worry about some rogue app messing with work data. The only

Re:Sandbox Application (0)

Anonymous Coward | more than 2 years ago | (#40631253)

We use Good and I have a rooted phone. It's an option they turn on to not allow this (because Good is probably less secure on a rooted device.)

Use Good - from Good Technology (0)

Anonymous Coward | more than 2 years ago | (#40631067)

Use Good from Good Technology (www.good.com). If you are familiar with Blackberry Enterprise Server, it's a very similar system but works for Android, iPhone and Windows mobile devices. Once you set up the server infrastructure and licenses (it's a paid product like BES) you or your end users just install the free app from the Play Store/App Store/etc and then provide their email address and the activation code (very similar to BES) and boom. It creates an encrypted partition where all the contacts and company email are stored. User must input password to access the app. It keeps their personal and company data separate. The phone can get stolen and they will only lose their personal data, not company/government, unless of course they use a password like 1234.

Hardware encryption / acceleration chip (0)

Anonymous Coward | more than 2 years ago | (#40631093)

Anyone doing an Android phone with this on board that can be used to reduce overhead with things like file / volume encryption and network / VPN?

use android 4 and meraki.com's free MDM (0)

Anonymous Coward | more than 2 years ago | (#40631165)

Meraki provides a nice mobile device management system, has recently added android support, is cloud based, and best of all is free (a loss leader). Remote wipe and other features are there too.

Droid Encryption (1)

Anonymous Coward | more than 2 years ago | (#40631231)

We use Google Apps built-in encryption and mobile device management. http://support.google.com/a/bin/answer.py?hl=en&answer=1734200 Works great. Free too.

Touchdown or Good (0)

Anonymous Coward | more than 2 years ago | (#40631241)

Those are the best options--you have to pay for them, but provide the best Exchange compatible option.

Re:Touchdown or Good (1)

mlts (1038732) | more than 2 years ago | (#40631725)

That is exactly my suggestion, although I'd not bother with Good and just use Nitrodesk's Touchdown.

This allows IT to keep all their Exchange data separated from the data of the phone. This also benefits the user because a remote wipe only will destroy that app's data, and not erase the phone.

Touchdown is not perfect -- it has some user interface quirks, and only works with one Exchange account, but it does a decent job.

Another good Exchange program is RoadSync. I use this so I can get functionality that I don't get with the Android OS, such as flagging messages, setting tasks, etc.

Not crap (1)

Anonymous Coward | more than 2 years ago | (#40631305)

Blackberry was your best bet for security. All the others are spyable from the US government by their own admission. Blackberry was the one carried by all those in the know, outside of the US. They had stopped the production of the old style berries at the request of someone not listed. But the house of Saud was involved about 5 years ago.
All of the current units, the programming can be hacked, reported by the security magazines, for the last three years. Don't trust a one of them. If your company-state-government has to have mobile e-mail make them carry a portable stick, a card that is encrypted with/for them. That card, when added to their unit, will now display the encrypted communications they have received. Do their e-mail as a crypted illustration as a captcha, you know looking like garbage, but readable by the stick. But a nice simple way is to get PGP. Set up a key on the stick for the person, and a reader for translation.

Android Communication Encryption (0)

Anonymous Coward | more than 2 years ago | (#40631323)

If you are looking for secure wireless communication and storage that can be used on off-the-shelf mobile devices, I would suggest looking into Apriva. They have a communication suite that was designed for that purpose. This might be a reasonable option for an agency to utilize (not really for an individual consumer though). Hope this helps.

You have no security. (3, Insightful)

Animats (122034) | more than 2 years ago | (#40631343)

Assume that your carrier, cloud provider, and handset manufacturer all have access to everything on the phone.

With Blackberry, you could run your own server, and nothing in the public infrastructure had access to unencrypted data. With Android, Google has a direct tap into your data. Encryption won't help when the layer that reads the keys is under the control of the provider.

Re:You have no security. (0)

Anonymous Coward | more than 2 years ago | (#40631731)

So the demise of RIM is coincident with the rise of Homeland Security! Cool.

Fed govt customer (0)

Anonymous Coward | more than 2 years ago | (#40631447)

We use Maas360 at DOI and so far, so good. http://www.maas360.com/

Hardware-grade encryption (0)

Anonymous Coward | more than 2 years ago | (#40631493)

You may give TrustChip a shot (www.koolspan.com).

Try a Few Managing Systems (0)

Anonymous Coward | more than 2 years ago | (#40631519)

https://aerstone.com/government-mobile-device-integration/ Basically has every suggestion that may help you

Enterproid's Divide (1)

noah_fense (593142) | more than 2 years ago | (#40631577)

NYC startup Enterproid has a product called Divide that you should check out: http://www.divide.com/ [divide.com]

No iphone solution, but I'm sure it is next on your list.

VMware Horizon App (1)

bnyrbl (1014257) | more than 2 years ago | (#40631607)

This requires certain models of phone with the hypervisor loaded by the manufacturer, but creates two partitions on your phone, one like the blackberry (encrypted, remote wipeable, secure, app streaming, no access to add user apps but system can administer global apps in the work partition), and the other a personal android phone. Even has separate work and personal phone number identities. Just swipe the screen back and forth, and you switch between personal and work spaces. http://www.vmware.com/products/mobile/overview.html [vmware.com]

mobile management choices (0)

Anonymous Coward | more than 2 years ago | (#40631687)

It really seems like your choices are ActiveSync, Blackberry server, or Good Mobile for Enterprise. We recently migrated from BB, and needed to set up a different secure mobile management solution that could handle iPhone and Android devices. Good was pretty much the only logical alternative. Works well for Exchange integration, syncing, app management, and security. Lost devices can be wiped, updates can be approved, and setup of new devices is painless. All major carriers support the system, and users are provided with whatever choice in OS.

Server sits inside the network, communicates with only the Good NOC, and doesn't require any additional firewall rules. Similar to BB servers.

Good luck!

Plethora of MDM. Find your fit. (1)

HideyoshiJP (1392619) | more than 2 years ago | (#40631823)

There are plenty of MDM solutions out there. I am quite happy with AirWatch (Gartner Magic Quadrant 2012), though I was impressed with Good Technologies. AirWatch was cheaper, but was not sandboxed. Most Android devices will also require the Touchdown client ($15-20 per license) for the deployment of email profiles unless you're only supporting devices with OEM MDM extensions. You'll find a lot of MDM solutions require Touchdown, which definitely has quirks end-users will notice. Biggest things: Make sure you find the product that fits your budget (naturally). Take your corporate culture into account when looking at a solution. Are they going to be totally baffled when their email disappears because their PIN doesn't meet requirements? Do plenty of testing with actual devices. If you need device-level encryption, target 3.0 devices. Be wary of products that feel kludgy. Some vendors have tacked 3LM pieces onto their existing iOS management.

BoxTone and BES (0)

Anonymous Coward | more than 2 years ago | (#40631933)

We use a combination of BoxTone and BES to manage our Android, Blackberry and iOS devices. I would recommend it as a solution.

iOS has encryption and management built-in (4, Informative)

plsuh (129598) | more than 2 years ago | (#40631975)

I'm a former Apple engineer, current independent consultant, so I'm not going to address the Android side. That's a lot more complicated -- I'll stick with talking about the iOS info that I know about.

That said, wow, there's a lot of snarky comments but not a lot of information posted.

iOS has full-device hardware encryption built-in on the iPhone 3GS and later, activated as soon as you set up a passcode. This top-level encryption layer is for quick device wipes, not for data protection. Each user data file is then encrypted on top of that using its own unique key, then set into a protection class by the app developer:

  - Complete Protection - decrypted only when the device is unlocked; file key is removed from memory when the device is locked.

  - Protected Unless Open - decrypted when the device is unlocked; if file is open when the device locks, the file stays open/decrypted.

  - Protected Until First User Authentication - decrypted on first unlock, stays decrypted until reboot

  - No Protection - file system encryption only; no per-file encryption key

Apple has really been on developers' cases to tighten down the data protection classes for their apps on iOS.

In addition, iOS has a huge number of remote management options. Apple provides a basic management tool called Profile Manager in Lion Server, and there are third-party Mobile Device Managers (MDMs) that take the basics and go even further. You can force complex passcodes, pre-configure e-mail accounts, restrict usage of features, and so on. The enterpriseios.com site has a pretty complete listing.

One of the cool things about using iOS MDM is that all of the configuration profiles are tied to the management profile that gets installed when the device is first enrolled with the MDM. If you're in a BYOD situation and a user leaves on bad terms, the IT department can retract the management profile, which automatically retracts all of the other configuration profiles. This will delete corporate e-mail accounts, remove in-house apps (and their data!), take away VPN and 802.1X access, and so on, without erasing the person's device entirely. All of the pictures the person took are still there, not blown away as they would be after a complete device wipe.

Anyway, a few links that may help you out:

http://www.apple.com/iphone/business/integration/ [apple.com]
http://images.apple.com/ipad/business/docs/iOS_Security_May12.pdf [apple.com]
http://www.enterpriseios.com/ [enterpriseios.com]
http://consultants.apple.com/index.php [apple.com] - look for consultants with the Mobility specialization
https://help.apple.com/advancedserveradmin/mac/10.7/ [apple.com] - go into "Manage Users" --> "Profile Manager" on the right

Hope this helps.

--Paul
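The four protection classes Paul lists map directly onto Foundation constants that the app developer chooses when writing a file. The following is an added example, not Paul's code or Apple's; it assumes an iOS app target with Foundation available and a passcode-protected device (on the simulator or an unprotected device the attribute may be absent).

```swift
import Foundation

/// The four iOS data protection classes from the post, expressed as the
/// Foundation constants an app sets on its own files.
enum ProtectionClass: CaseIterable {
    case complete, completeUnlessOpen, untilFirstUserAuthentication, noProtection

    /// Option passed to Data.write(to:options:) when the file is created.
    var writingOption: Data.WritingOptions {
        switch self {
        case .complete: return .completeFileProtection
        case .completeUnlessOpen: return .completeFileProtectionUnlessOpen
        case .untilFirstUserAuthentication: return .completeFileProtectionUntilFirstUserAuthentication
        case .noProtection: return .noFileProtection
        }
    }

    /// Attribute value the file system reports back for the class.
    var attributeValue: FileProtectionType {
        switch self {
        case .complete: return .complete
        case .completeUnlessOpen: return .completeUnlessOpen
        case .untilFirstUserAuthentication: return .completeUntilFirstUserAuthentication
        case .noProtection: return .none
        }
    }
}

/// Writes `payload` into the app's Documents directory under the requested
/// class, then reads the protection attribute back so the caller can verify
/// the class actually stuck (a cheap check worth doing in an audit build).
func writeProtected(_ payload: Data, name: String,
                    protection: ProtectionClass) throws -> FileProtectionType? {
    let docs = try FileManager.default.url(for: .documentDirectory, in: .userDomainMask,
                                           appropriateFor: nil, create: true)
    let url = docs.appendingPathComponent(name)
    // .atomic writes a temp file first; the protection option applies to the final file.
    try payload.write(to: url, options: [.atomic, protection.writingOption])
    let attrs = try FileManager.default.attributesOfItem(atPath: url.path)
    guard let raw = attrs[.protectionKey] as? String else { return nil }
    return FileProtectionType(rawValue: raw)
}

// Constructed sample record: class Complete means the per-file key is dropped
// from memory on lock, so cached mail or documents are unreadable until unlock.
let sample = Data("constructed sample record".utf8)
let applied = try writeProtected(sample, name: "record.dat", protection: .complete)
assert(applied == ProtectionClass.complete.attributeValue, "protection class not applied")
```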

Re:iOS has encryption and management built-in (0)

Anonymous Coward | more than 2 years ago | (#40632165)

My question has always been: if someone takes an iPhone apart, can they bruteforce the passphrase?

Re:iOS has encryption and management built-in (0)

Anonymous Coward | more than 2 years ago | (#40632877)

You don't need to take the phone apart, you can brute-force it through the dock connector. A 4 digit PIN takes roughly 30 minutes to crack, and there are devices on the market right now that do it. They are primarily sold to law enforcement agencies. It doesn't just apply to iOS either, Android is affected as well. The best solution is to expand your keyspace by using a strong passphrase instead of a PIN.

Re:iOS has encryption and management built-in (1)

Spad (470073) | more than 2 years ago | (#40632473)

iOS MDM is pretty laughably limited; you can't even disable WiFi or Bluetooth through it, set a proxy server (other than as part of a VPN connection) or otherwise restrict web access without turning off Safari entirely. Apple being Apple, of course, if they don't offer it as a setting, you can't do it without jailbreaking, which few companies really want to have to mess around with.

TEOPAD (0)

Anonymous Coward | more than 2 years ago | (#40632083)

You can use TEOPAD.
Simple, efficient, but not free.
http://www.thalesgroup.com/Teopad/

My state phones have sensative data send to me! (2)

Qubit (100461) | more than 2 years ago | (#40632167)

Oh wait, was this the article about spammers hiring better copyeditors so they could steal your data more better, or was it the other one?

We use MAS-360 (0)

Anonymous Coward | more than 2 years ago | (#40632195)

MAS-360 for both iPhones and Android Devices. Primarily for Email and contact management. Android Devices end up using Touchdown for Exchange with a policy that encrypts the data and forces secure use (passcodes etc). iOS devices use stock mail client with the service.

Remote wipe doesn't wipe the whole phone just the data involved. Location services etc...

Works pretty good.

Need Corp safe phone (0)

Anonymous Coward | more than 2 years ago | (#40632529)

The much maligned BlackBerry is the only game in town.