Will new commercial mobile encryption affect BYOD policy?

While law enforcement is up in arms about new default data encryption on Apple iOS and Google Android devices, experts say the policy could have some benefits for federal mobility as well.

Apple and Google are banking that consumers will want increased security for data stored on their devices. The default encryption policy means codes that unlock phones are known only to the users who set them, and can't be cracked using garden-variety cryptographic attacks. The companies can't share unlock codes with law enforcement, because they do not know them.

According to FBI Director James Comey, this is potentially disastrous for public safety. In a speech last week, he warned of potentially dire consequences for law enforcement from the encryption of data stored on devices, or data at rest. Comey worries the FBI won't be able to access sought-after data, even with a legal warrant or other authorization, because the companies are not maintaining a back door for law enforcement.

The flip side is that a lost or stolen device will not yield up its secrets -- an important feature for federal employees and other users who trade in confidential, non-public or secret information.

The Mobile Security Reference Architecture (MSRA), the CIO Council's handbook for mobility management, lists encryption for data at rest as a key security feature. David Carroll, chief federal architect at cybersecurity firm FireEye, led the team that wrote the MSRA when he was at the Department of Homeland Security. Carroll told FCW in an email interview that "in general, integrated and device implemented encryption is a benefit to users for protecting data at rest from compromise and making it difficult for malware to run due to the required access to the containers and [encryption] keys."

There are a few "buts" here, Carroll noted. There is the potential problem of lost data, which can be magnified when a fed is using a personal device connected to an agency network. "Agreements for [bring your own device policies] will have to cover restoration of access to government owned data on the device if they are used for government use," Carroll told FCW.

There will also need to be a significant degree of trust. Because the encryption makes a unique and virtually unbreakable key out of an access code and hardware embedded in the device, it would be "difficult for federal network administrators to escrow or keep a secure copy of the keys so that access can be restored to the data if the employee isn't able, or the device isn't accessible independent of the owner or user," Carroll said.
