Why mobile data encryption doesn’t matter (as much)

This discussion about enterprise mobility is one of the five themes we will be focusing on at the VentureBeat Mobile Summit, on April 25-26. We’ve carefully invited the top executives in mobile to discuss the biggest challenges of the day, which, if solved, can lead to much faster growth in the industry. And at our enterprise session, we’ll have top executives around the table from a number of companies, including Verizon, AT&T, Sybase, Qualcomm, and more. (If you think you should be part of the discussion, you can apply for a ticket.)

As long as I’ve been involved in enterprise mobility, the overwhelming security focus has been on data encryption: Over-the-air encryption versus at rest encryption; DES versus Triple-DES versus AES; 128-bit AES versus 192-bit AES versus 256-bit AES. You get the picture.

And for the past several years, encryption was almost certainly the right focus area. I definitely wouldn’t argue that data encryption isn’t an important part of a well-designed mobile security architecture.

I’m just not sure mobile data encryption matters – at least on its own – nearly as much as it once did.

Why? Because encryption, as a preventive measure, assumes the primary threat is coming from the “outside” – typically (but not exclusively), in the form of a hacker trying to intercept communications or extract data from a lost or stolen device. While such threats are real and you absolutely must guard against them, we’ve reached a crucial point in the evolution of mobile technology and, just as importantly, user behavior, where the primary mobile security threat is no longer the faceless and malicious hacker, but instead the legitimate, fully authenticated owner of the device itself.

If this sounds surprising or controversial – it shouldn’t. In the “there’s an app for that” world we now live in, the greatest threat comes from the 100 percent well-intentioned end-user who is simply trying to be more productive and get more work done, more quickly. Not the hacker. Not the device thief. Not the disgruntled employee or ex-employee who purposely steals data or maliciously creates a security exposure.

Why? Because when faced with a productivity challenge, today’s mobile device users are much more likely to proactively search for – and also successfully find – their own solutions, with or without IT’s participation and blessing. This is especially true for the ultra-tech-savvy Generation Y that’s entering the workforce.

Real examples of the sorts of mobile productivity solutions that users are finding and adopting on their own in huge numbers (to list just a very few) include Box.Net, Dropbox, Evernote, and GoodReader.

These are all great mobile productivity apps that solve real problems for their users. Unfortunately, from an IT security and compliance perspective, they also share another common trait: they’re explicitly designed to replicate and share data with other apps, services, and/or users. This doesn’t mean these apps are “bad”. On the contrary, their productivity benefits often directly or indirectly derive from the fact that they enable such sharing and replication.

However, this doesn’t change the fact that they represent very real data loss and compliance risks. And, unlike the “lost device” scenario, this type of exposure is much more difficult to protect against and virtually guaranteed to occur. If you don’t think so, just check the “top 25” list of Business and Productivity apps on your favorite application marketplace. It’s already happening.

It’s this relatively new category of risk – created by the well-intentioned user, not the faceless hacker – that will define how mobile security evolves from its traditional and relatively narrow focus on encryption and “lost device” scenarios to a much more comprehensive and holistic approach to data loss prevention. And that’s why encryption still matters – but maybe not as much, on its own, as it did a few years ago.

John Herrema is the senior vice president of Corporate Strategy at Good Technology. He submitted this story to VentureBeat as part of a series leading up to our Mobile Summit later this month.
