Microsoft Defends Windows Mobile E-Mail Security

Some experts have criticized Microsoft's smart phone software for failing to provide adequate levels of data protection, but the company says its push e-mail system is perfectly sound.

Responding to analyst reports that elements of its Windows smart phone software may leave users open to data exposure, Microsoft officials contend that the company's wireless e-mail application is secure enough for enterprise adoption today.

In a recent report published by J. Gold Associates, a wireless research company, analysts proposed that Microsoft's decision not to offer file encryption capabilities throughout its Windows Mobile platform could leave users of smart phones running on the software vulnerable to data loss.

Unlike handheld software from rivals including Good Technology, Research In Motion and Sybase, Microsoft's Direct Push e-mail system fails to offer encryption for data once it has reached a handheld, leaving the information open to anyone able to get his or her hands on one of the devices and defeat its password system, J. Gold said.

Windows Mobile provides for encryption of data while it is in transit to the device, but leaves sensitive corporate data open to access if someone hacks the password on one of the handhelds, according to Jack Gold, an analyst with the research company.

As much as lost or stolen laptops with unencrypted data onboard have become a significant pain point for enterprises today, the threat of unprotected information on an easily misplaced handheld could present even greater security challenges, the analyst said.

However, Microsoft officials said that Windows Mobile 5.0, the latest iteration of the product, provides users with the right balance of security and usability and does not put data stored on the devices at risk by failing to offer additional encryption.

With the features already built into the handheld software, along with aftermarket security tools available from its partners, the smart phone platform provides more than sufficient protection for enterprise workers who use the software, said John Starkweather, product manager of the Mobile and Embedded Devices division at Microsoft, in Redmond, Wash.

"Our intent is to provide a solution that works for most organizations; some may want additional security tools, and our partners can provide that and allow end users to encrypt everything natively on the phone," Starkweather said. "But most people dont want to encrypt everything on the device—most dont even do that on their PCs. There is such limited memory on the wireless devices, even smart phones, that using encryption like that slows performance down to a crawl."

Starkweather said that while RIM offers the ability for users to encrypt stored e-mail data, few use the feature because it weighs so heavily on device performance. With strong password protection and the ability to remotely wipe out information carried on the devices using third-party tools built to interface with the Windows Mobile application API, customers can protect themselves against the threat of lost and stolen smart phones.

By linking Windows Mobile with its Exchange messaging server software in the way it already does, Microsoft is also trying to make it easy for IT administrators to manage security on the smart phone, he said.

"We can only work within the available parameters of the devices themselves," said Starkweather. "Our solution in linking Windows Mobile with Exchange is about leveraging existing infrastructure within organizations, including their mail servers and firewalls; organizations can feel comfortable in using the same security system for Windows Mobile-powered devices that they already use for their PCs."

Despite Microsoft's defense of its system, Gold said that financial services firms, health care providers and other companies that operate under strict data-handling regulations may see the lack of additional encryption as a reason to go with smart phones running on software other than Windows Mobile.

"Microsoft has yet to say anywhere that they provide encrypted data storage on the device, which is the crux of the issue, not the data transport, which is done with SSL in Windows Mobile and is secure," said Gold. "The kill switch is fine but not sufficient for enterprise security needs, nor is the password alone."

Security for mobile devices is becoming a more high-profile issue as smart phones become more widely adopted. Some 51 million smart phones were shipped in 2005, representing a mere 6 percent of all wireless handsets, according to iGillottResearch. The research company predicts that the devices will account for 21 percent of handhelds by 2010.

J. Gold Associates contends that smart phones will make up roughly 10 to 20 percent of wireless device shipments over the next four years but expects that for business users, the number will be much higher, accounting for as much as 50 to 60 percent of all handhelds.

In September, the Trusted Computing Group's Mobile Phone Work Group issued a draft of its Mobile Trusted Module standard, which is meant to establish guidelines that help wireless device and software makers improve the security of their products.

A final draft of the set of product specifications is expected to arrive before the end of 2006, and aims to dovetail with other wireless security initiatives driven by groups including the Open Mobile Alliance, Open Mobile Terminal Platform, and Mobile Industry Processor Interface Alliance.
