The official hub of The Enterprise Mobility Foundation

Mobile Security

Have questions about or comments to share on security for mobile devices? This is the place.

Remote Wipe – Security Control or Security Fantasy? (24 posts)

  • Aaron said 2 years, 8 months ago:

    I’ve been retained by a few Fortune 100 enterprises to analyze the real effectiveness of ‘Remote Wipe’. So far, the research has not made me feel any better about the capability of remotely disabling access to data on a device which is lost or stolen.

    So, a question for the group: Do you believe that remote wipe is an effective control to secure highly-regulated data?

  • Vincent DeCastro said 2 years, 8 months ago:

    No doubt that remote wipe, among other security issues, is important in MDM. The issue is of course that each device or OS has its own limits when it comes to mobile device management.
    Please visit http://www.air-watch.com to view some of the capabilities available to enterprise mobile managers.

  • BHill said 2 years, 8 months ago:

    Remote Device Wipe is very limited if you can only wipe devices that you can see in your console – usually if someone is snatching a device they do not stay on your network for long. Automated Device Wipe that can be triggered by configurable rules is a more useful technology as it can encrypt/remove critical data wherever the device may be.
    Feel free to email me if you’d like more follow-up on the subject. You can also get in touch with my company at http://www.wavelink.com.

  • Philippe Winthrop said 2 years, 8 months ago:

    Can’t you just wipe a device if it’s connected to the Exchange server via ActiveSync?

  • Aaron said 2 years, 8 months ago:

    Here’s my biggest concern with what I perceive to be the false sense of security that remote wipe gives enterprises:

    - I have not seen any implementation of remote wipe which does an actual forensically-sound data deletion (delete memory references + 3X overwrite with random data)
    - Very few enterprises actually verify if the remote wipe command was actually acknowledged by the lost device (as inferred by BHill)

    The fact that I can take a ‘wiped-through-ActiveSync’ iphone3 and recover all of the message store is just the beginning of the unraveling of remote wipe. With the new BlackBerry content encryption de-coders that are out, even the ‘best’ of the mobile security architectures are vulnerable now.

    Can anyone argue that remote wipe is even an effective control anymore?

  • Philippe Winthrop said 2 years, 8 months ago:

    So a couple of things – why do you think the market has not thought through the “need” for forensically sound data deletion? In terms of the recovery via iTunes – if the employee no longer works at the company, you’d hope that the employee’s ActiveSync connection would also be severed. How could they then transfer that account’s information to another data store?

  • BHill said 2 years, 7 months ago:

    Sorry about the delay…
    I reached out to one of our R&D guys for a better response to your question Aaron. He has far greater expertise than I, and here is his response/thoughts:

    “Comes down to what is meant by “wipe”. Let’s go back to basics. If you have an old hard drive and you dispose of it, you might format it before you recycle it…just in case. However, basic formatting does nothing other than tell the file system that all the files are gone. With some undelete software you can recover everything. So let’s say you perform a full format, writing data to all parts of the disc. That procedure is better, but if you cracked open the hard drive and performed a forensic recovery using dedicated hardware, you can get back the data which has been overwritten.

    To try and thwart that technique there’s software you can buy which will write to every area of a hard drive three times, making recovery of old data much harder. That background gives you the basis for paranoia when it comes to data on mobile devices.

    Now, a Smartphone uses flash and flash doesn’t work like a hard drive. Flash also has an “interesting” characteristic, which means that every memory location has an expected lifetime for the number of writes which can be performed to it. To stop the flash failing, there is an algorithm which spreads the data over the flash evenly to prevent wear out. Your data is spread all over the flash chips and some clever logic converts it into a readable format that looks like a hard drive file system. Now you want to do a “wipe”. Well, deleting all the files has a few problems:

    1. If every delete of a file resulted in lots of writes, it would wear the flash unnecessarily.
    2. Many devices, such as an iPhone, only let a program you load write to its own space. For example, a calendar app can only write to files for itself, not other apps or data.

    So, we stick a client on there which does a “remote wipe”. Well, in fact, on iPhone, you can’t do it. Apple says you can ask the OS to return to factory or you can delete just the files associated with your own app.

    If somebody were to then do a “forensic” recovery by reading every memory location on the flash, then yes, they could conceivably recover the files on there. Coming back to the question – whether there’s software to do a full write to every location to permanently remove data. Honestly, I don’t see how that could be done well.

    My advice would be simple. If you have a device with very sensitive data on it, then that data needs to be inside of an application which, by its very nature, encrypts the data. That way even if the data is recovered, it’s useless.”

    Hope that helps!
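
The point made in the reply above, that wear leveling redirects writes so an overwrite-style “wipe” may never touch the cells holding the old data, and that stored ciphertext is the safer fallback, shown as an added example (not part of the original thread or any vendor's code). `ToyFlash`, `overwrite_wipe` and `keystream_xor` are hypothetical names, the hash-based keystream is only a stand-in for a real cipher, and the sample string is constructed.

```python
import hashlib
import os

SECRET = b"constructed sample: confidential attachment text"

class ToyFlash:
    """Toy flash translation layer: each write lands on a fresh physical page."""
    def __init__(self, pages=16):
        self.pages = [None] * pages   # raw physical pages
        self.map = {}                 # logical block -> physical page index
        self.next_free = 0

    def write(self, lba, data):
        # Wear leveling: never rewrite in place, remap the logical block instead.
        self.pages[self.next_free] = data
        self.map[lba] = self.next_free
        self.next_free += 1

    def read(self, lba):
        return self.pages[self.map[lba]]

    def raw_dump(self):
        # What a chip-level read sees: every programmed page, mapped or stale.
        return b"".join(p for p in self.pages if p is not None)

def overwrite_wipe(flash, lba, passes=3):
    # The hard-drive habit: overwrite the same logical block with random data.
    size = len(flash.read(lba))
    for _ in range(passes):
        flash.write(lba, os.urandom(size))

def keystream_xor(key, data):
    # Stand-in for a real cipher (assumption): SHA-256 counter keystream XOR.
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(8, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[i:i + 32], block))
    return bytes(out)

def plaintext_survives_overwrite():
    f = ToyFlash()
    f.write(0, SECRET)
    overwrite_wipe(f, 0)
    return f.read(0) != SECRET and SECRET in f.raw_dump()

def ciphertext_only_in_dump():
    f, key = ToyFlash(), os.urandom(32)
    f.write(0, keystream_xor(key, SECRET))   # the app stores ciphertext only
    overwrite_wipe(f, 0)
    return SECRET not in f.raw_dump()        # stale page holds no plaintext
```

In the first case the file system view shows random data while the stale physical page still holds the original bytes; in the second the stale page is unreadable without the key, which is the property the quoted advice relies on.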

  • Philippe Winthrop said 2 years, 7 months ago:

    Some pretty amazing discussion going on here. I get the fact that “forensic” wiping is rare – but do we “really” need it? Are the GRC regulations in place to require it?

  • KT Kim said 2 years, 7 months ago:

    I gawked when I found that the MDM solution that enables remote wipe takes 1/3 of the mobile project budget. From a layman’s view, considering remote wipe seems like overinvesting when you already use VPN and encrypt transferred data. Am I too naive?

  • Philippe Winthrop said 2 years, 7 months ago:

    Why was it so expensive? What was so special about that solution?

  • Aaron said 2 years, 7 months ago:

    Why is it so expensive? Because the MDM vendors are still charging a premium in an attempt to keep their product from being ‘commoditized’. Are any of them worth it? I don’t think so. ActiveSync does just as much as Good… or whichever product. Why pay extra for those when the technical baseline capabilities are the same?

    Good would argue that they have extra features, but I would counter that those features are really just glitter in the grand scheme of things.

    Now, does effective remote wipe matter? It depends on the device, the user, the organization and where the device is lost. If I was an Owens Corning employee who lost his device in China and the device had plant design drawings as attachments in my inbox… that’s a bad day for Owens Corning (because the Chinese are going to copy all of the processes to make fiberglass and then exclude them from the market through extreme competition).

    In my opinion, if GRC is the only reason why a company deploys MDM, then it moves into the dumbing down of the solution. Why? Because GRC pushes the LEAST that should be done… not what should be done to protect the organization from the risks of losing information on mobile devices.

    @BHILL – good info there – and great that your technical guys understand the limitations. So very few enterprises understand that ‘remote wipe’ is not really a ‘wipe’ but just a mere obfuscation in most cases.

  • KT Kim said 2 years, 7 months ago:

    ActiveSync seems a reasonable choice if you are already using Exchange Server, which is not applicable since we use a proprietary (in our case, cheap) email system without Exchange Server. So we are deciding between buying an MDM solution without affecting the existing email system or changing the email system to an Exchange-compatible one that can enable the ActiveSync ‘remote wipe’ function.

  • Cimarron Buser said 2 years, 4 months ago:

    The problem with “Remote Wipe” is that if you have employee owned (individually liable) devices, and someone leaves the company, “wiping” their phone is a Really Bad Idea. (If it is a corporate-owned device, then “Remote Wipe” either with Microsoft Exchange using ActiveSync or MDM can be a possible approach.)

    The goal should be to disable and/or delete corporate access, information, and apps. There should be a “Mobile Access Policy” in place which the employee should agree to when given access to corporate email and/or in-house apps. We know that technically speaking it may not be possible to technically “enforce”, but having policies is critical. (I.e., when I leave the company I return confidential documents, info, etc., and agree to delete said info from my PC or mobile device.)

    * * *

    SUGGESTED APPROACH FOR EMPLOYEE EXIT WITH INDIVIDUAL-LIABLE DEVICES

    (1) REMOVE EMAIL/CALENDAR ACCESS. Use Microsoft Exchange (or similar) to disable email account as well as other “logins” to systems. That would remove access to future email and data access (although existing email or data that was copied, backed up, or forwarded to gmail, etc. would still be there – that needs to be covered by policy).

    (2) DISABLE IN-HOUSE APPS. Any “in-house apps” need to also be disabled from the “inside” (i.e., using an authentication/authorization SDK) with a solution such as EASE (www.apperian.com/ease) that governs access policy. On devices such as iPhones and iPads the apps cannot actually be “deleted” from the springboard, but access can be denied and any data within the app can be “frozen in concrete”.

    (3) INTEGRATE “EXIT INTERVIEW” WITH TECHNICAL ASSIST. Have employee acknowledge that they need to return company information, and that they know that email access and apps will be disabled. If possible, have them bring in their device and “help” them delete “disabled” apps from springboard, or clean up and/or remove policies and email setups pointing to company configs. This is helpful and will provide both you and the employee with assurance that things are “cleaned up”.

  • MobileAdmin said 2 years, 4 months ago:

    Thus the appeal of Good Technology, as it separates the user data from enterprise data. I highly doubt you will find many Fortune 100 companies’ legal/compliance departments that would be comfortable with the “disable the access” approach, as devices now can store a ton of corporate data.

    RIM is going to offer the same function with BlackBerry Balance.

    Exchange ActiveSync is dead and if you really want the full list to show you what it doesn’t offer to manage a mobile deployment I’d be so happy to post one. EAS needed an overhaul with 2010 and MS did nothing but add a couple more useless policies that applied to Windows Mobile devices (legacy ones at that). Why doesn’t Microsoft integrate Apple’s API controls like the other MDMs have?

    You leave our company your device is erased – period.

  • Cimarron Buser said 2 years, 4 months ago:

    Well, you said it: If I leave your company my “device is erased – period.” LOL! I’m glad I don’t work for your company!

    OK, seriously, this is a typical approach in the regulated industries (finance, insurance) where “aversion to risk” is more important than innovation or empowering employees.

    Now, since I brought my own device to work, I wouldn’t be so keen to have it “erased” the day I left! But I sure would agree that my corporate email, apps and corporate data are no longer accessible.

    The balance between “nailed down” security and “reasonable” security is still a gray area. I would say that many Admins are fine with the security provided by MS Exchange, and the mail client included on the iPhone.

    For those that need more Draconian approaches there are MDM solutions and “sandboxed” mail systems. And of course, “Device Wipe”!