The need for mobile data security has been widely recognized. Access to data on electronic devices has tracked the capabilities of the devices on which the data could be rendered in a human-readable form. In early data processing systems, the data was resident on the source computer (typically a mainframe or minicomputer) and displayed on an external device such as a ‘dumb terminal’. The display of data was ephemeral in the sense that the dumb terminal had no local storage and was strictly a display device. All actions (reading, writing, or modifying data) performed at the terminal manipulated data resident on the backend computer, and no data remained on the terminal once it was turned off. Therefore, the data was exactly as secure as the backend mainframe computer, and there was no need for extra measures to provide data security on the external device.
As the personal computer era began, external devices became more capable, and the provision of local storage allowed some data to be kept on the external, connected device. At this point, data could be transformed on the backend computer into files or datasets and transferred to the external device, where they could be stored, viewed, and manipulated locally. Once data was stored on the external device, its security there became a concern, especially when the data was sensitive and not intended for general viewing.
The need to secure data exported to an external device led to the development of a number of security mechanisms. Each security mechanism addresses one or more particular weaknesses that an unauthorized user could exploit to access the data. Physical security of the external device has played a key role. Other approaches have used the capabilities of operating systems or file systems (e.g., password-controlled login to access device capabilities, or access control lists (ACLs) that determine which user(s) may access data on the device) to limit the ability to open a file to users who have been properly authenticated. Still other approaches prevent data that is authorized to reside on one computer from being moved to another computer.
The move toward web access via web browsers and thin clients can be viewed as a move back toward the traditional data access without local storage. However, performance considerations have led to implementations in which the devices keep a local cache of data resident on the browser-based or thin client device. In these scenarios, security may be improved if care is taken to store cached data files in an area of local storage that is accessible only to authorized users, if data in the local cache is deleted upon user logout, or if similar procedures are adopted. It must be recognized, however, that the data does exist on the external device for some period of time while the user is accessing a browser-based or thin client system, so the security of data on these devices with limited local storage remains an important issue. Though the data on these devices may be in a different format (e.g., file type) and somewhat more ephemeral than on a desktop computer, it must still be secured as ‘on device’ data until it is deleted from the external device.
It should be noted that mobile devices (such as Research In Motion's BlackBerry devices, personal digital assistants (PDAs) such as PalmOS and PocketPC devices, and cell phones with BlackBerry or PDA capabilities) were originally treated as devices with limited local device storage. However, as these devices evolve to contain more storage, more processing power, and better displays, they are becoming more like un-tethered versions of more powerful devices such as laptop computers. Also, as with laptop computers, reliance on physical security of the device as a front line of security for data on the device is less effective as the devices frequently move in and out of physically secure environments.
As reliance on physical security has diminished, other security mechanisms have evolved to address the issue of data security on external devices. Since many external devices have access to the internet, security mechanisms have been developed to take advantage of this connectivity. The best example of this newer kind of data security is seen in measures that may be taken for devices that typically are ‘always on.’ For example, a cell phone can be deactivated remotely by the carrier if it is reported lost or stolen. Even if the phone is turned off at the time, the phone function of the device can still be defeated by having the backend infrastructure refuse service when the phone is turned back on or re-enters the carrier's network coverage area.
It is recognized, however, that defeating one particular feature of a device (e.g., the ability to place a call on a cell phone or Smartphone) does not provide security for the data on the device. Therefore, more aggressive measures have been developed to secure data on networked external devices. The most widely recognized example of this capability is the ‘kill device’ capability of the BlackBerry Enterprise Server (BES, from Research In Motion). The ‘kill device’ capability allows the BlackBerry infrastructure administrator to indicate that a given device should be rendered unusable. The infrastructure software then looks for the device on the network. If it is found, a command is sent to the device that deletes the data on it and disables some of the device's capabilities. If the device is not found on the network, the support software remains vigilant for the next time the device connects to the network. When that connection attempt is detected, the ‘kill device’ command is sent, and the device's attempted connection fails (after the ‘kill device’ command has performed its duties).
This capability provides more thorough security than merely disabling the phone or one of its features. By deleting the information on the device when the ‘kill device’ command is executed, the time during which any data on the device may be accessible to potentially unauthorized users is minimized. This security mechanism has worked well for devices that are intended to be ‘always on’. However, for devices that can be intentionally taken off the network (e.g., BlackBerry devices, laptops, etc.), there is always the chance that the device was ‘off network’ when it was lost or stolen. This leaves a ‘kill device’ command partially ineffective, since the data could be copied from the device before it is put ‘on network’ where it could receive the ‘kill device’ command.
As indicated above, the proliferation of mobile information devices has broadened the scope of data and information security. Concerns about the security of corporate servers and access to those servers remain a key component of any prudent security effort. However, corporate security officers must also concern themselves with the protection of the data they provide for the complete lifespan of that data. The focus has broadened from the security of the data on its server ‘home’ to the security of the data wherever it is, including mobile devices such as PDAs (including BlackBerry, PalmOS, and Pocket PC devices) and mobile phones.
With data security needing to address the complete data ‘lifespan’, corporate security officers need to define the data lifespan so they can understand it, measure it, and—with the proper tools—control it. Determining the data lifespan on a corporate server behind a firewall is relatively easy: data exists from the time it is placed on the server until it is removed from the server. Of course, the data may continue to exist on backup tapes and other offline archives for corporate or regulatory purposes; however, the security of these archives is primarily physical security, which is well understood. Data security on servers includes efforts to protect both physical and network access to the data. Since this aspect of data security is well understood, data is often allowed to exist on the server for extended periods of time. Controlling the data lifespan on a server has been the primary focus of data security efforts to date.
In terms of mobile data security, however, this server-centric point of view has led to a focus on access and authentication measures. These measures are designed to restrict unauthorized users from accessing the data. Application software also uses access controls to restrict authorized users to specific subsets of the data that reside on the server. Once a user is authenticated and granted access to the data, the data is typically transmitted to the device in some format. The formats range from simple (e.g., viewing a web page that displays the data) to complex (e.g., a dataset represented as an XML document or Excel spreadsheet).
Transmitting data to an external device creates a new instance of the data with a lifespan that is independent of the source data on the server. Mechanisms for encrypting data in transit (e.g., IPsec at the packet level or SSL/TLS at the transport level) have been designed and deployed to prevent data from being intercepted on its way to an external device. However, once data has been transmitted to an external device, the data leaves the reach and protection of most legacy data security and protection schemes. In almost all cases, keeping the data secure then relies on trust in external mechanisms (e.g., the browser cache being cleared at some future point) or trust in the users themselves to protect the data and delete it at some point.
Originally, delegating responsibility for data security to the user or to an independent mechanism on the local device was viewed as sufficient. This delegation was acceptable since the data transmission was typically made to a desktop machine where the physical security of the system could mitigate some of the risk. The emergence of laptop computers, however, lessened the degree to which it was acceptable to delegate data security to the user and the local device's native mechanisms. As devices have become smaller and more powerful, the risks of loss and/or theft of the device or of data on the device have reached the point where corporate security officers need the ability to directly manage and control the security and protection of data that has been transmitted to mobile devices.
Some recent approaches to data security and protection have taken a more active role. These approaches recognize the need to retain some responsibility for data security even after the data has been handed off to a mobile device. Given the dynamic nature of data accessibility, any user's permission to access certain information is subject to change. Even after an initial permission is granted, circumstances may dictate that the permission be revoked for reasons such as a change of employment status, re-categorization of data sensitivity, or data deemed incorrect that requires a data refresh (while making the ‘bad’ data unusable). Data that is considered ephemeral (e.g., data viewed through web-based access) may be perceived as not needing this kind of revocation, even though it can be more persistent than data providers realize, given the ability to save web pages, scrape data, and so on. In any case, there is a distinct need to be able to revoke access to data that is explicitly delivered for persistent storage on a mobile device.
The ability to revoke access to data on a device that may or may not be on the network requires a multi-faceted approach, since it cannot be assumed that the data can be revoked on demand. One current approach permits the data provider to send a ‘delete’ directive to a specific mobile device. For example, Research In Motion's BlackBerry Enterprise Server (BES) and Microsoft's Exchange 2003 server with SP2 each implement a mechanism that allows a server administrator to send a command to the mobile device directing it to delete or render inaccessible specific data on the device (e.g., the contact list and email messages). This can be useful when a mobile device owner reports a lost or stolen device, as discussed above, or when an employer reports a device that was not returned by a former employee. This approach can be effective. However, it has shortcomings that make it less than desirable:

Need to be on the network to receive the ‘delete’ command. Pushing a delete command to a mobile device is reminiscent of the cell phone heritage of many of today's mobile devices. Since a cell phone must be on the network to be used, and the primary concern of the owner of a lost cell phone was the cost associated with unauthorized use of the lost phone, it was an acceptable practice to render the device useless once it was detected on the network (and thus able to be used). However, the ability to take a device offline leaves all of the unencrypted data on the device exposed to offline recovery attempts. On many popular devices, this means that names, phone numbers, and corporate data can be obtained by anyone who possesses the device. As devices began to incorporate easy mechanisms for going offline (e.g., BlackBerry devices readily allow this so they can be used as a PDA in communications-constrained environments such as airplanes), the security of data on the device has lessened.
Need to re-populate data after the device is lost and recovered. Mobile devices with data connections have historically had markedly lower bandwidth than their wired counterparts. Thus, choosing to delete the information from a device in order to protect a lost or misplaced device requires all deleted data to be re-sent to the device if the device is found and needs to be re-activated. Though this is a minor inconvenience compared to losing the data or device completely, and it can be mitigated somewhat by using a docking station wired to a desktop computer, the problem of having to re-populate datasets on remote devices will not diminish as the storage capacity and capabilities of mobile devices continue to grow. Bandwidth constraints on the transmission of data to mobile devices via telecom networks are a major concern when considering the need to re-populate a device's data.
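The server-pushed ‘kill device’ flow described above (the server flags the device, waits for it to connect, sends a command that deletes its data, and then refuses the connection), together with the two shortcomings just listed, is modelled in the following added example. It is illustrative code written for this page, not BlackBerry Enterprise Server or Exchange code; the device identifiers and the record set are constructed, and the server and device classes are assumed abstractions of the behaviour the text describes.

```python
"""Model of a server-pushed 'kill device' (remote wipe) scheme and its offline gap.

Added illustration for this page; not BES or Exchange code. Device IDs and the
record set below are constructed for the example.
"""
from dataclasses import dataclass, field


@dataclass
class Device:
    device_id: str
    online: bool = True
    records: dict = field(default_factory=dict)  # plaintext data held on the device
    disabled: bool = False

    def wipe(self) -> None:
        """What the device does when the kill command finally arrives."""
        self.records.clear()
        self.disabled = True


@dataclass
class ManagementServer:
    master: dict                                    # authoritative copy on the server
    pending_kill: set = field(default_factory=set)  # flagged devices not yet reached
    killed: list = field(default_factory=list)

    def issue_kill(self, device_id: str) -> None:
        """Administrator flags a lost device; nothing happens until it connects."""
        self.pending_kill.add(device_id)

    def handle_connect(self, device: Device) -> bool:
        """Device attempts to connect. Returns True only if the session is accepted."""
        if not device.online:
            return False  # an offline device never reaches this point at all
        if device.device_id in self.pending_kill:
            device.wipe()
            self.pending_kill.discard(device.device_id)
            self.killed.append(device.device_id)
            return False  # the connection attempt fails after the wipe runs
        return True

    def repopulate(self, device: Device) -> int:
        """Re-send every record to a recovered device; returns bytes transmitted."""
        device.disabled = False
        device.records = dict(self.master)
        return sum(len(v.encode()) for v in self.master.values())


# Constructed sample data standing in for a contact list and an e-mail message.
SAMPLE_RECORDS = {
    "contact/1": "Alice Example, +1-555-0100",
    "contact/2": "Bob Example, +1-555-0101",
    "mail/42": "Subject: Q3 forecast (internal only)",
}


def lost_while_offline() -> dict:
    """Device is switched to offline (PDA) mode, then lost; kill issued while unreachable."""
    server = ManagementServer(master=dict(SAMPLE_RECORDS))
    device = Device("bb-001", records=dict(SAMPLE_RECORDS))
    device.online = False                     # e.g. radio off in an airplane
    server.issue_kill(device.device_id)       # administrator reacts to the loss report
    delivered = server.handle_connect(device) # command cannot be delivered now
    copied = dict(device.records)             # finder reads storage directly: still plaintext
    device.online = True                      # device is later put back on the network
    accepted = server.handle_connect(device)  # kill is delivered now, too late for the copy
    return {
        "delivered_while_offline": delivered,
        "records_copied_before_kill": len(copied),
        "records_left_after_kill": len(device.records),
        "connection_accepted": accepted,
        "device_disabled": device.disabled,
    }


def recovered_after_kill() -> int:
    """Cost of delete-then-repopulate: every record must be re-sent over the air."""
    server = ManagementServer(master=dict(SAMPLE_RECORDS))
    device = Device("bb-002", records=dict(SAMPLE_RECORDS))
    server.issue_kill(device.device_id)
    server.handle_connect(device)             # wipe executes on the next connection
    return server.repopulate(device)


if __name__ == "__main__":
    print(lost_while_offline())
    print("bytes re-sent on recovery:", recovered_after_kill())
```

The first scenario shows the window the text warns about: the kill is queued but the records on the device stay readable to whoever holds it until the device itself reconnects, at which point the wipe succeeds but protects nothing that was already copied. The second scenario counts the bytes the server must push again once a wiped device is recovered, which is the re-population cost that grows with on-device storage.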
As all data provisioning comes to be viewed as potentially providing data to a mobile device, the foregoing indicates the need to integrate data security with data delivery whenever and wherever data is provided for later storage and use by the user. This renders obsolete the idea that some data is mobile and some is not. With today's small removable storage (USB drives, Secure Digital cards, etc.), it is prudent to consider that all data may become mobile data and must be secured accordingly. The present invention embodies improvements that can be made to mobile data security to provide capabilities beyond those currently available in the art. The present invention can both (a) protect application data when the device is offline and (b) re-activate application data without needing to re-populate it from the server.