Security in Hand
Security in Hand
PDA Defense Enterprise
While its fair to label personal digital assistants as the lightweights of enterprise computing, theres little doubt that heavy-duty corporate data often finds its way into these highly mobileand therefore easily misplaced or stolenbusiness devices.
With their heritage so deeply rooted in the home and casual business user community, weve seen convenience too often trump security in handheld device design. While handheld computers are growing more security-focused, businesses that depend on these devicesand on maintaining the security of the data they carrymust investigate third-party device-hardening solutions. (See eWEEK Labs analysis of security improvements on tap for future mobile operating systems.)
Companies can boost the security of handhelds with software that enables on-device data encryption and more rigorous password protection. eWeek Labs tested two such products, Asynchrony Software Inc.s PDA Defense Enterprise and Trust Digital LLCs PDA Secure Enterprise.
PDA Defense Enterprise
PDA Defense Enterprise provides data encryption and enhanced password protection for Palm OS, Pocket PC and Research In Motion Ltd. devices, and it offers an
Starting at $30 per seat, with volume discounts that kick in beyond the first 50 licenses purchased, PDA Defense is an affordable way to secure sensitive data stored on mobile devices.
PDA Defense protects data with 128-bit Blowfish encryption, and companies may request 512-bit keys from Asynchrony to boost this protection.
eWeek Labs tested PDA Defense on Palm OS and Pocket PC devices and found it fairly easy to secure the files and databases stored on our test devices. The client software for both platforms enabled us to check off the databases to encrypt, and on a Pocket PC-based device, we could also select individual files to protect.
PDA Defense provides for data encryption on removable media such as CompactFlash and Secure Digital cards by creating encrypted volumes on them.
Adding encryption to a handheld device can affect performance, since encryption and decryption boosts a mobile devices workload. In our tests, the time required to decrypt all the files, programs and databases on a typically data-laden Pocket PC amounted to about 15 seconds; this time can be cut significantly by encrypting only sensitive information.
The performance hit on our Palm OS device was more noticeable but was somewhat mitigated by PDA Defenses optional decrypt-on-demand feature. With this feature enabled, for example, PDA Defense did not decrypt our contacts database until we opened it.
PDA Defense replaces and extends the built-in password protection of the devices it supports and enables users to automatically lock their devices each time they are shut off or after a set period of time has passed. With the Palm OS client, we could also opt to password-protect specific applications.
In addition, PDA Defense enabled us to input passwords more conveniently using the hardware buttons of our devices.
For example, we could assign buttons to stand for specific letters of a password. This worked on both the Palm OS and Pocket PC platforms, but with Pocket PC it could be a bit confusing because buttons arent as consistent across devices as they are on Palm OS-based systems.
The real teeth in PDA Defenses security scheme is the softwares ability to wipe the contents of a lost or otherwise compromised device. With Pocket PC devices, PDA Defense wipes everything in a devices RAM. With Palm OS devices, the software wipes specific databases that a user has slated for erasure.
We could set the data wipe to be triggered either after a set number of incorrect password attempts or after a specific amount of time without synchronization. After a full RAM wipe, our Pocket PC was like a new device, with all its data and applications gone, and our Palm OS device was wiped of the data wed designated for removal.
For these reasons, its very important that users perform frequent backups of their data, which is a good practice for handheld device users, anyway. However, backups, particularly when backing up to a CompactFlash or other piece of removable media, caused a security snag in our testing.
We backed our Pocket PC up to a CompactFlash card, forced our device into a RAM wipe and restored our backup from the CompactFlash card. After the restore, PDA Defense was back on our test devicebut without an assigned password. We then had full access to the data on the device. Users can avoid this by keeping their backup card separate from their device.
Data stored in the flash ROM of a device is likewise not wiped but may be protected by creating an encrypted volume within the flash area. Asynchrony advises against installing PDA Defense itself into flasha forgotten password would render such a device unusable until its flash could be rewritten.
Administrators can configure devices under their care as they choose, using Asynchronys policy manager software.
We could create policy files that controlled whether and under which circumstances PDA Defense would trigger its bit-wipe feature, as well as control password length and composition and a variety of other settings.
PDA Secure Enterprise
PDA Secure Enterprise
Trust Digitals PDA Secure Enterprise bears a basic resemblance to PDA Defense in name and functionality but sets itself apart in its administration tools. Trust Digitals policy editor and server duo enable
The client software for PDA Secure comes in versions for Palm OS and Pocket PC devices and is priced beginning at $79 per seat, with volume discounts available. The PDA Secure policy editor and server cost an additional $5,000.
Upon setting up PDA Secure for the Palm OS platform, we could select three passwords: a global password for controlling access to the device, a local password for controlling access to specific handheld applications and a wipe password. The wipe password, if entered where a global or local password is called for, will clear the devices memory, as with PDA Defenses bit-wipe feature.
The Pocket PC version of PDA Secure works differently. It does not allow users to encrypt individual databases or applications. Rather, it creates a secure folder, which in tests we could encrypt with one of six different 128-bit encryption schemes.
In addition, we could not encrypt data on storage cards with PDA Secure, as we could with PDA Defense. Trust Digital markets a separate product, called SecureCard, that handles this sort of encryption.
However, what the Pocket PC version of PDA Secure lacks in encryption granularity, it makes up for in the close control it grants administrators over the ways a device under their care may be used.
As with PDA Defense, we could set our test device to wipe its RAM after a specific number of incorrect password attempts. We could also choose instead to lock the device, pending administrator intervention.
Administrators can disable infrared port and multimedia record and playback functionality on a Pocket PC, as well as disallow synchronization without entering an administrative password. This synchronization control is an advantage over PDA Defense, which would not be able to prevent an employee from syncing sensitive data from his or her handheld device to a home computer.
PDA Secure also allows administrators to restrict the times and dates during which users may access their Pocket PCs. (See
With PDA Secures policy administration application, we could configure all the password, encryption and access control settings on the devices we tested, and we found it easy to add users to administer by accessing lists of users on our Windows domain.
We could create groups of users and apply identical settings across these groups. In addition, PDA Secure enables administrators to install software on the devices under their care, and the policy and server software can be set to keep track of log-in attempts, infrared send and receive operations, and application usage.
Technical Analyst Jason Brooks can be reached at firstname.lastname@example.org.
: PDA Defense Enterprise">
Executive Summary: PDA Defense Enterprise
Asynchronys PDA Defense protects handheld device data with 128-bit Blowfish encryption, extends password protection and wipes potentially sensitive data in case devices fall into the wrong hands.
PDA Defense prices start at $30 per seat, with discounts available as volume increases.
(+) Can protect data on storage cards; password entry can be done using hardware buttons.
(-) Offers fewer management options than PDA Secure.
EVALUATION SHORT LIST
: PDA Secure Enterprise ">
Executive Summary: PDA Secure Enterprise
Trust Digitals PDA Secure Enterprise adds good encryption and password protection functionality to Pocket PC- and Palm OS-based devices, but it stands out most for its fine-grained manageability options. We were able to restrict the functionality of the devices we tested, as well as define hours and days during which the devices would be used.
Pricing for PDA Secure starts at $79 per seat, with volume discounts available. The policy editor and server software for PDA Secure cost $5,000.
(+) Extensive management options.
(-) Requires seperate application to encrypt data on storage cards.
EVALUATION SHORT LIST