So they can be excused for wanting just a little something in return: To be able to use their iPhones and Androids securely. From a recent Request for Information:

The primary purpose of this RFI is to discover new technologies and methods to support full disk and system encryption of the CMDs (specifically Apple and Android platforms) to include a pre-boot environment to load the operating system. The solution must use an AES-256 bit encryption algorithm compliant with FIPS 140-2 as published by the National Institute of Standards and Technology (NIST). In order to meet this objective, DARPA extends an invitation to industry and universities to submit a whitepaper with ideas/concepts that describe an innovative existing technology approach that can be deployed in less than 90 days.

Currently only Blackberries and high-end secured phones are allowed in many DoD environments, meaning Angry Birds is out. It sounds like DARPA is looking for a full-drive encryption bootloader to pick up where the consumer-friendly Droids and iPhones have left off. To be fair, Apple has beefed up its security offerings in recent iterations (with a few nay sayers), but the business need isn’t new. In my time reporting on mobile devices, I’ve heard any number of security schemes to get around security concerns: Everything run as SaaS, with no sensitive local data stored; A specialized encrypted card that held or encrypted and decrypted the data; and a number of virtualized environments that sat (supposedly) securely inside the everything goes-consumer devices.

It will be interesting to see what DARPA picks: Freedom of Information request, anyone?

Michael Morisy is the editorial director for ITKnowledgeExchange. He can be followed on Twitter or you can reach him at Michael@ITKnowledgeExchange.com.

From possibly causing cancer to posing a major security risk to the enterprise, the smartphone just can’t cut a break. The truth is, smartphones are here to stay, especially in the enterprise. Like many other IT versus the world conflicts, the solution isn’t a yes or no policy to their usage, but a set of security policies and guidelines just like with any other technology adapted by the enterprise. Smartphone security and encryption can be a tricky road to navigate, so take a few things under consideration before deciding.

Assessing the Situation

Like any other policy, there are several factors that go into the crafting of mobile security. Here are a few points to consider when discussing options amongst your team:

• Rather than looking for the cheapest (or the free-est) application available, assess your company’s mobile encryption needs before beginning the search. Minimizing time wasted will minimize the frustration and loss when incorporating mobile phone security into corporate policy. If you need support for multiple smartphone operating systems, start your search with that detail.
• Part of your assessment should include your enterprise’s primary security focus and needs. Whether you need the option of remote data-wiping or authentication, knowing these details ahead of time will help to increase efficiency.
• Once you’ve decided the features your users and data need, you need to allocate some of your security budget to ensuring the data on and accessed by these smartphones is secure.
• Just like endpoint security has lowered the risk of laptops remotely accessing networks, smartphone encryption software can help you adapt to the changing nature of the enterprise. To better ensure the smooth incorporation of these devices into your operations, you’ll need to incorporate them into the in-place central management system. Treat mobile devices as normal factors in everyday operations (rather than a device sent solely to cause your headaches) and implement its use and security like any other enterprise-level product.

Some smartphone encryption options after the jump.

Understanding Your Options

Here are just a few options for smartphone security and encryption:

• Built-in smartphone encryption: This out-of-the-box encryption is rare and often lacking certain necessary features. The iPhone offers remote wipe capabilities in the case of loss or theft; though there’s not much else available for the platform. Apple’s insistence that the iPhone is enterprise-ready is continuously met with skepticism. The PalmOS has applications available, though it does not offer built-in encryption.
• Blackberry lovers: For those addicted to their Blackberry, they offer Blackberry Enterprise Server (BES), which includes local data file security, central management, and AES encryption on authentication passwords.
• Windows Mobile: AES 128-bit encryption for emails, tasks, calendar and a My Documents folder, with the option to enable this security on SD cards, which will then be unreadable on all other mobile phones.
• One Size Fits All: Smartphone Protection from GuardianEdge Technologies Inc. provides encryption and central security management for iPhones, Windows Mobile and Palm.

One of the most important parts of any policy is allowing for more efficient working conditions without compromising security. By exploring your options, you’ll be able to embrace the inevitable adoption of newer technologies while minimizing the anxiety of new threats and vulnerabilities.

Melanie Yarbrough is the assistant community editor at ITKnowledgeExchange.com. Follow her on Twitter or send her an email at Melanie@ITKnowledgeExchange.com.

I served on a mobile security panel at Gartner this week with Larry Ponemon and my esteemed colleague Stan Gatewood. The insight they brought to the table from both a research and a real-world perspective was phenomenal. I think our discussion served as a strong reminder to all of us that businesses are no where close to where we need to be when it comes to protecting our mobile storage.

For instance, Dr. Ponemon did some research – backed by Intel – that found:

• There’s a $20,000 cost reduction between lost laptops with encryption versus without
• The average cost of a lost laptop is over $49,000

Also, the people in the audience were asked to raise their hands if their business has ever experienced a lost or stolen laptop. All but maybe three or four of the hundred or so people in the room raise their hand!

I go back to what I wrote about nearly three years ago in my blog post What’s it going to take to encrypt laptop drives?! Seriously, what is it going to take? Nothing’s really changing.

Another neat takeaway is Intel’s (relatively) new Anti-Theft technology that’s worth checking out. It works in conjunction with drive encryption from WinMagic and PGP as well as asset management/tracking from Absolute and effectively disables the system when a loss or theft has been detected.

We can have optional mobile storage security options until the end of time but I’ve always believed that unless and until computer hardware manufacturers integrate controls that facilitate mobile storage security, such as Intel’s Anti-Theft, at the factory we’re going to continue having mobile storage exposures.

Kevin Beaver is an independent information security consultant, keynote speaker, and expert witness with Principle Logic, LLC and a contributor to the IT Watch Blog.