Subscribe / Unsubscribe Enewsletters | Login | Register

Pencil Banner

Encryption can't protect your data while you're logged in

Tony Bradley | June 24, 2013
If you don't use a password to unlock your computer, smartphone, or tablet, most encryption software won't protect your private or proprietary data if the device is lost or stolen.

But what if you're already logged in?
Can you see the problem with this approach? This feature designed to make encryption more convenient renders the data protection impotent as long as you're logged in.

Tripwire Director of Security Operations Andrew Storms explains, "If a thief catches your device in an unlocked state, they have a potential window of opportunity to access the data stored on that device."

That "virtually impenetrable" iOS encryption relies on your device being locked with a passcode. When you set a passcode in iOS, you can choose whether the device should require the passcode immediately, or in one minute, five minutes, 15 minutes, or even an hour. An hour! If you choose that setting, you're basically leaving your "encrypted" data exposed to potential compromise for 60 minutes.

The best way to secure the data on your mobile device is thus to configure the device to require a passcode after a relatively short period of nonuse. Set the time limit too short, and you'll find yourself becoming irritated by repeatedly having to retype your passcode. Leave it unlocked for too long and you give a thief plenty of time to access all your supposedly encrypted data.

According to Tripwire CTO Dwayne Melancon, "In an enterprise environment, a lot of these complementary policies can be driven using group policies—for example, requiring screen locking, passwords upon waking, and setting short timeouts for automatic locking and automatic locking when the lid of a laptop is closed."

While iOS and other mobile devices—as well as many other encryption tools—provide the ability to remotely lock or wipe the data from a device, that tool is useful only if you realize the device is gone. Every second your laptop, tablet, or smartphone remains unlocked while it's out of your control is time that your encryption is not doing anything to protect your data.

Tripwire's Storms points out that remote lock and wipe capabilities are no panacea: "On mobile devices, a clever thief will immediately disable all network access, so the device is unable to receive that remove lock or kill switch signal from corporate administrators."

A better alternative to timed lockouts might be to have some sort of Bluetooth, NFC (near-field communication), or other close-proximity wireless device that pairs with your laptop, tablet, or smartphone. Keep this device on your person, and if you move too far away, your mobile device will automatically lock to prevent unauthorized access.


Previous Page  1  2 

Sign up for CIO Asia eNewsletters.