We're concerned about the security of data on mobile devices if those devices are lost. We have more and more employees using smart phones and other mobile devices that have copies of our users' mailboxes as well as whatever company data (e.g., customer lists) that they copy to their devices. What can we do to protect that data?
You're right to be concerned, not only about the information on the devices but the passwords as well, because most of your users probably have configured their devices to save their password for synchronizing with Microsoft Exchange Server. That Active Directory (AD) username and password is often also their main account for accessing the rest of the Windows network. Windows Mobile protection of saved passwords has come under fire for being easy to break. Therefore, loss of a device could potentially result in that user's entire account being compromised, including all applications that depend on AD for authentication.
Asking users to configure mobile devices with a PIN is likely to meet with little compliance because of the inconvenience, especially because some poorly designed Windows mobile phone devices require you to enter the PIN just to answer an incoming call.
To reduce the risks associated with mobile devices, you should consider implementing the Windows Mobile 5.0 Mobility and Security Feature Pack and insist that all devices on your fleet either run Windows Mobile 2005 or fully support the client-side features of the Mobility and Security Feature Pack. In addition to the Mobility and Security Feature Pack's DirectPush technology that enables mobile devices to immediately receive new email messages and other mailbox updates as they occur, it introduces two crucial features for secure management of your mobile device fleet. Mobility and Security Feature Pack allows you to remotely wipe devices that are lost or stolen and also lets you set a policy that enforces the use of PINs. If a user reports a lost or stolen device, you simply log on to the administration Web page of the Mobility and Security Feature Pack on your Exchange server and issue a remote wipe command for that device. If the radio in the device is turned on, it will immediately wipe the device's memory and report back to the Exchange server so that you get positive confirmation. Otherwise, as soon as the device is turned on, the device will see the wipe request when it tries to connect to Exchange.
I recently left my Palm Treo 700w in a cab and immediately logged on to Exchange and issued a wipe command. As it turned out, the battery had already died and I later retrieved the device from the cab driver. I was able to log on to Exchange and cancel the wipe command before bringing the phone back up, thus eliminating the need to reconfigure all my phone settings. The key to making remote wipe work to mitigate risk is to train users to notify the Help desk immediately if their phone is lost or stolen.