Smartcard-based full disk encryption for mobile workers

As agencies become increasingly dependent on mobile and remote workers, they are also seeking new ways to secure their data and their networks -- and a new full disk encryption solution may help them with that challenge.

MobiENCRYPT, launched in early August by Toronto-based Route1, aims to ensure that employees who are on the move or working remotely can keep data encrypted in use and at rest, limiting the impact of a security breach. MobiENCRYPT lets users reach their secure workspaces without placing sensitive data at risk. It integrates with Common Access Card (CAC) and Personal Identity Verification (PIV) cards, making it “more secure than one-time passwords or other software solutions that might be tied to the typical smartcard [ID],” Route1 CEO Tony Busseri said.

Encryption is handled on the authentication device, making it easier to manage, according to Alea Fairchild, entrepreneur-in-residence for Blue Hill Research.

MobiENCRYPT helps address the security risks related to both the user’s actions and the mobile device itself. Because the encryption resides on the authentication device rather than on the mobile phone or computer, pre-boot user authentication is simpler. That makes it easier to deploy secure encryption for temporary contract workers, and it addresses the risk of data-at-rest exposure if a mobile device is lost or stolen “because the data is not sitting on the device,” Fairchild said. IT managers can also more easily perform remote key revocation, limiting the insider threat from a disgruntled or fired employee.

“For the user of the mobile device, it is as simple to install as a USB key,” she said. “The remote user does not need any knowledge to do anything to his or her device, just plug in the encryption key with the smartcard as the authenticator and start working.”

“The data still resides on the network, and the mobile device does not expose the network to additional risk because of how the data is encrypted,” she said.

This approach takes advantage of government-issued CAC and PIV cards, using the card for fast pre-boot authentication, according to Fairchild. Once encrypted, government-furnished equipment stays encrypted across both local and remote logins by authorized personnel, whereas other solutions offer local login access only, she said. And unlike software-only solutions, Fairchild said, MobiENCRYPT provides multifactor authentication without adding remote nodes to the enterprise network or enabling endpoint security.

MobiENCRYPT fills a gap in the government market around full-disk encryption, Route1 President Brian Brunetti said. Because laptops and mobile devices are quickly becoming everyday computing tools, even within the more secure agencies, the federal government wanted a reasonably priced technology to better protect mobile data and users. MobiENCRYPT costs about $100 per user for the first year and about $20 per user per year thereafter, including any hardware and software.

Busseri of Route1 suggests that MobiENCRYPT also gives federal IT managers a more “consistent approach to authenticating individuals and ensuring the wrong parties are not accessing data.”

Route1 has been working with the federal government since 2009, when it began supplying security technology to U.S. Customs and Border Protection. The vendor now provides authentication technology to the departments of the Interior, Energy, Commerce and Defense.

Editor's note: This article was changed Sept. 13 and 14 to correct errors about the nature of MobiENCRYPT, which is a software-based solution, not a card reader. It integrates with Route1’s MobiKEY, a hardware-based solution that includes smartcard reader functionality.