Background
Encryption of GIS information on a mobile device has been a topic for a good few years now. No organization wants its data in the wrong hands, and with mobile devices that are not kept behind a secure door this is all the more likely.
During an RFP process, or in general discussion with existing clients, our opinion has always been that having security and encryption at the application level (GO! Sync Mapbook or Microsoft Outlook, for example) does not really solve the problem.
All applications and content on the device, not just the GIS data, need to be protected. The real solution is to secure the operating system and encrypt the contents of the hard disk.
This means that people who manage to get hold of a laptop will not be able to access your corporate data, even if they open up the machine, take out the hard disk and load it as a secondary drive in a different machine.
This encryption extends to all information on the hard disk, not just the GIS data, and using this approach means that one encryption product can be used instead of a different solution for each application installed on the device.
Solutions
There are many hard-disk encryption solutions out there and doing a search for encryption software gives many results.
The idea behind most of these systems is that when the device is started, the user is asked for a password at the BIOS level. On successfully entering the password, the software will allow access to the encrypted disk. This means that the user does not have to type in a password for each application, but rather one global password at the startup of the machine.
First on the list is one that a client of ours has been using for some time now and likes, which is Safe Guard. Prices start at $249 a license and go down pretty quickly when you start buying more than one.
Microsoft also supports disk encryption in its latest and greatest operating system, Windows Vista, if you buy the Enterprise or Ultimate version; the feature goes by the name of BitLocker. The advantage of this approach for a corporation that uses Active Directory (AD) is that all administration is done through AD, which will mean easy training for existing staff.
Now that Vista is supported on ArcGIS Engine this is a possibility.
Conclusion
Encryption of data is an important aspect of deploying a mobile solution, but not just for GIS. All of the information stored on the device is sensitive, from documents, email and work orders to customer data and asset information, and all of it needs to be considered when planning an encryption solution.
Disk encryption is, in our opinion, the best approach, and from what we have seen and heard Safe Guard is a good solution. For those who are making the move to Vista (on specific editions), disk encryption will become part of the Windows OS.
Encryption related to mobile device security is a big problem for any organization, and usually the last one to be taken care of. It is not until something happens that people get interested and see the importance of it.
Encryption of the data is the most important aspect in any mobile application. But it can be expensive and difficult to implement. Based on my experience, there is not an easy approach.
A full encryption of the disk is great; that is the way to go. You can buy third-party software, but it can get expensive. Just multiply the $249 for the Safe Guard licensing by the number of mobile devices, and you will see that number go up. I am not sure what the Safe Guard licensing is, but for other companies the encryption is a service, and it has annual fees attached to it if you want to use the service on an ongoing basis. There are other third-party vendors that can encrypt the complete disk: SecurStar, XTool Mobile Security, etc.
There are also hard disks you can purchase that are already encrypted, such as Seagate’s Full Disk Encryption, but they can get expensive and in some instances they do not support all the OS. Also, they are available from hardware vendors such as Dell. Other hardware vendors do not offer this option, for example Panasonic (based on our experience their rugged computers are the best for field workers).
The problem I saw with encryption with Windows OS is the support with other software. For example, most GIS applications are not “fully certified” with Vista OS. Also the cost is higher per license. There is also some “encryption” you can do with Windows XP, but we did not implement it successfully in our testing. I do agree that this would be a great solution as well, but I am just not sure how feasible it currently is to implement, as there are very few examples of organizations doing it.
There is also an encryption solution that only encrypts a partition of the disk. This is a cheaper solution and in some instances easier, but it has the risk of lost passwords, insufficient memory for some applications, etc. If you cannot get a fully encrypted disk, an encrypted partition could be an easier solution, as some applications cannot run if they are encrypted. Also, you can implement it on more mobile devices.
There is not one perfect approach or solution; it will depend on your organization and your requirements as well as your “policies”. One thing I would like to see is for software developers to incorporate some type of “security” in their own software and applications. That would be an incredible selling point. It can be something pretty easy, for example: GoSync folders that contain the GIS data are hidden from the OS, and if a user enters the wrong password more than 5 times, the data will be totally deleted. The user would need to get a fresh copy next time they sync.
There are probably other solutions that would accommodate a similar approach. That is something I am looking forward to seeing: stand-alone solutions from vendors related to their software, or vendors that “team up” with third-party vendors. For example, I know NISC (www.nisc.coop) is working on some type of “security” in their Mobile WorkForce interface.
In relation to mobile security, another thing to take into consideration is protecting the hardware. Yes, your data could be secure, but you still would need to replace a $4,000 laptop and, if done properly, you can still get data from the hard drive. You need to take a more active approach to protecting your devices as well; keep the honest people honest.
Things such as docking stations that lock the computers are great, or even lock cables. Also, you can use StopTheft plates (stoptheft.com) as an inventory/security approach. Also, have policies in place to protect your hardware and data to ensure that the user and/or the organization are not responsible for the loss.
Unfortunately Henry Wellcome did not think of computers; that is what we need, a new type of invisible ink….
Diego Portillo