According to a test by Ars Technica, Microsoft is intercepting, decrypting, and reading at least some Skype messages — to the point where URLs embedded in Skype chat are being visited by machines at IP addresses belonging to Microsoft … most likely a bot, but potentially a human being.

“And this can only happen,” Ars’ security expert Dan Goodin writes, “If Microsoft can convert the messages into human-readable form at will.”

Skype currently uses 256-bit AES encryption to secure communications between users, which is considered very secure. Secure, perhaps, but not necessarily private. When Ars sent messages via Skype containing four web links created specifically for this experiment, two of them were accessed by a Microsoft-controlled machine.

Skype’s privacy policy openly states that Skype may check instant messages and SMS texts for spam, fraud, or phishing attempts, and, in some cases, have a human being check them. Ergo, we can decrypt our own encryptions and can know what you say and know what you send.

Skype may use automated scanning within Instant Messages and SMS to (a) identify suspected spam and/or (b) identify URLs that have been previously flagged as spam, fraud, or phishing links. In limited instances, Skype may capture and manually review instant messages or SMS in connection with Spam prevention efforts. Skype may, in its sole discretion, block or prevent delivery of suspected Spam, and remove suspicious links from messages.

That’s not good if you have an expectation of and desire for privacy. And now that it’s obvious that Microsoft itself can read your private messages, the question is, who else has that ability?

Almost a year ago, the FBI requested private backdoor access into multiple communication and social networks, including Facebook, Twitter, and, yes, Skype. Wiretaps are increasingly useless, the FBI realized, and modern communications were defeating the bureau’s attempts at surveillance. Whether the requested access was ever granted is unclear, but Microsoft has a patent on ways to make it happen.

And Skype’s terms of use also say the company can route your communications to law enforcement agencies:

Skype may disclose personal information to respond to legal requirements, exercise our legal rights or defend against legal claims, to protect Skype’s interests, fight against fraud and to enforce our policies or to protect anyone’s rights, property, or safety.

However, if you want more security — and privacy — on Skype, you can have it. You simply have to pre-encrpt any messages (as a Polish professor discovered) and then decrypt them on the receiving end.

I won’t do that, and most Skype users won’t do that, probably because we’re not discussing matters of national security or engaging in nefarious behavior. But it’s disappointing, if only the cold slap of reality in a dangerous and violent world, that private isn’t really private any more.

And it would be nice to know the exact limits of Skype privacy and security.

I have talked to a Microsoft representative about this story and am awaiting a statement or comment from the company.

Just like the rest of the security community, Jimmy Wales, founder of Wikipedia, is worried about state-sponsored cyber attacks. The Wikipedia founder refuses to put up with censorship and is rallying for an open Internet that gives everyone free and unfettered access to information.

“The rise of state-sponsored attacks against companies is something we do worry about,” said Wales in an interview with VentureBeat. “Security is very important for us because if an authoritarian state wants to de-anonymize an account, that’s the type of attack we can expect.”

Wales said that, while Wikipedia hasn’t completely escaped being poked and probed by hackers on the Internet, it hasn’t been a huge target. Wikipedia doesn’t store credit card numbers or a lot of personally identifiable information. But Wales’ organization does hold information that countries, such as China, have been known to block. People contributing information about topics related to those countries could be interesting targets.

“I think in many cases our first job is to be as well-known as possible so that if you shut [us] down it’s a big deal,” he said.

As far as China goes, Wales said the Wikipedia relationship has been growing. China recently blocked Wikipedia’s website wholesale. Now, select pages are allowed through, which Wales attributes to conversations the organization has had with China.

But Wales promises that Wikipedia will never cooperate with censorship. He was disappointed when Google decided to enter China and made compromises in order to stay there because it believed that it could do more good being in China than staying out of the market completely.

“Wow, if Google will do this, someone really has to stand up and say that is not right,” said Wales during a presentation at the RSA Conference in San Francisco. “Thank goodness Google has come to their senses and pulled out of China, which I think is the right thing to do.”

He said he is impressed with a number of security technologies that support privacy and freedoms of speech. One of them is encryption, which Wales calls “a driver for human rights.” Encrypted messaging apps such as Wickr and Silent Circle are examples of this type of technology; they allow anyone to send messages and, in some cases, make encrypted calls that will never be saved on a sever.

Image via Meghan Kelly/VentureBeat

The new file storage and sharing company from Kim Dotcom launched last week with intent to let you securely send and receive files in the cloud. But some researchers are saying that you should not trust Mega‘s encryption.

“Quite frankly, it felt like I had coded this in 2011 while drunk,” Nadim Kobeissi, the founder of CryptoCat, told Forbes.

Mega promises that all your files are encrypted while being transferred or stored and that you are the only one with the power to grant people access to those files. It says that you don’t have to download anything — “It’s all done in the browser!” That is, you, the user, hold the “decryption key” in your browser, as opposed to the cloud service provider holding the decryption key.

This means that not even Mega can get into your files.

But as Forbes notes, researchers are saying this is easily broken into since the encryption is actually being handled all through code between Mega’s encryption server and your browser. Someone could theoretically jump into Mega’s servers, mess with the code being sent to your browser, and grab, change, or eliminate your decryption key.

Mathais Ortmann, Mega’s CTO, however, says that researchers didn’t check their facts. Mega explained to VentureBeat in an email that the site uses 2048-bit SSL, and says that a previously discovered cross site-scripting vulnerability was fixed an hour after it was originally reported to the site. Ortmann also says the company is working on a way to let users change their passwords — an issue that originally meant users would lose their content forever if they forgot their password or were hacked.

Some are saying the encryption might just be a way to alleviate Mega of any legal responsibility for copyrighted material — the issue Kim Dotcom had with MegaUpload. If all the data is encrypted, beyond Mega’s ability to decrypt and know what kind of data is flowing through it, then it seemingly can’t be held in court for copyright infringement.

DotCom announced yesterday that the site, which launched last week, has already seen upward of one million users sign up. Of course, there’s no corroborating evidence, but the traction might make sense. MegaUpload, DotCom’s original company that got him arrested for copyright violations, money laundering, and other charges, claimed to service 4 percent of the Internet. All those users were dispelled after the shut down, and many loyalists might have flocked to Mega upon launch.

via Ars Technica; Kim Dotcom image via Abode of Chaos/Flickr

Wojciech Mazurczyk (10 points if you can pronounce that name) has found a way to hide data in the 70-bit packets that Skype sends by default when it’s detecting silence … when you’re not talking. Skype itself does nothing with these packets when it receives them, but Mazurczyk’s team has discovered a way to intercept and decode them anyway, according to New Scientist.

An even higher level of secrecy might seem like overkill for an already-encrypted call, but Skype is owned by Microsoft, and we know that 3-letter American government agencies want the ability to monitor your digital communications on Skype and social networks … and have asked Microsoft, Facebook, and others for backdoors in their communications technologies.

Microsoft does have a patent application in process called “Legal Intercept” that enables the ability to record “any kind of voice-over-Internet-protocol (VoIP) communications” by re-routing messages over “a path that includes a recording agent.”

It’s unclear at this point whether law enforcement agencies are actually intercepting and listening to Skype conversations, but the Skype privacy policy does seem to allow for it, including the actual “content of instant messaging communications, voicemails, and video messages” in a long list of data that Skype collects on its users.

And this clause basically says that what you do or say on Skype could be disclosed and, I suppose, used against you in a court of law for basically any reason, including the fairly nebulous “protecting Skype’s interests:”

Skype may disclose personal information to respond to legal requirements, exercise our legal rights or defend against legal claims, to protect Skype’s interests, fight against fraud and to enforce our policies or to protect anyone’s rights, property, or safety.

All of which goes to show why security researchers might be tempted to find ways to use probably the most popular VoIP app on the planet without airing their private conversations for anyone in law enforcement to enjoy.

A Microsoft representative I contacted for comment could not speak about this issue immediately (it is, after all, the weekend). A Skype representative, similarly, is conferring with the company’s chief security officer, who is based in the UK, before commenting.

Mazurczyk will be presenting his team’s work and findings at a steganography conference this summer in France.

photo credit: Chris Pirillo via photopin cc, Vince Welter via photopin cc

If you’re only protecting your enterprise’s perimeter, you’re not doing enough. Cloud encryption company CipherCloud, which just announced a $30 million first round of funding from Andreessen-Horowitz today, knows that it’s the data inside that cyber-criminals really want.

The best way to protect the cloud is still very much up in the air. Protecting the perimeter, or only accounting for the point of entry into your system, doesn’t help you when the bad guys get in anyway and start messing with your data. Just putting up firewalls doesn’t seem to work anymore. Now we’re sending our data out of the locked-up gates into the cloud, so CipherCloud encrypts that data before it ever reaches your cloud applications.

The data is encrypted in such a way that your cloud applications can still make use of the data, but in theory, it’s much safer since you hold the keys that decrypt it. You can also change the level of encryption you have based on your company’s needs. It works on applications such as Salesforce, Microsoft Office 365, Amazon Web Services, Google apps, and more.

It also uses tokens to protect the data in instances where encryption isn’t an excepted form of security. Some industries have different regulations on security measures, and CipherCloud caters to a range from banking institutions to healthcare. The tokens allow businesses to store their data on premises and then send a token — which is a form of the data, but not the exact file you want to protect — out to the cloud application.

CipherCloud faces competition from Vaultive and other such companies. Vaultive, which specializes in Microsoft Office 365 and Microsoft Exchange 2010, also encrypts an enterprise’s data before it reaches the cloud. It received $10 million from New Science Ventures, Harmony Partners, and .406 Ventures in February.

This is the first round of funding for CipherCloud, which was founded in 2010. It has 40 enterprise clients, and within that, 1.2 million users.

Cloud diagram via CipherCloud

July 9-10, 2013
San Francisco, CA

Early Bird Tickets on Sale

While the bulk of mobile security research is focused on intentionally malicious apps, it’s the benign ones that you should really be afraid of.

That’s the latest conclusion made by Android security researchers, who found that dozens of Android apps had lax security that exposed user data to theft, Ars Technica reports.

At the core of the researchers’ exploits are so-called “man-in-the-middle” attacks, which steal data by piggybacking on compromised WiFi networks. Once users connect to them, hackers can strike, intercepting poorly encrypted data such as banking information, log-in credentials, emails, and instant message transcripts.

These 40 or so apps, researchers say, are used by as many as 185 million people, few of whom are aware of the issues. Fortunately for app makers, the researchers were kind enough not to share the names of these insecure apps, which isn’t exactly helpful to those Android users who might have them installed.

Much of the problem, the researchers say, lies in poor implementation of encryption protocols by app developers, who they say aren’t as focused on data security as they should be. The solution? Google has to do a better job of enforcing more stringent security measures, the researchers say.

But what about iOS? While the researchers focus on Android, it’s possible that iOS apps are also exposed to these same security holes. That’s because the issue is larger than the operating system: Any app using poor encryption is vulnerable to the same problems, regardless of the platform it’s on. That’s why the app approval process is so important.

[ Note: I've done a follow-up interview with Wickr. See that here. ]

I don’t know about you, but I’ve always wanted “secure, military-grade communications.” Not that I want to do anything mind-bogglingly stupid, Anthony Wiener-style, or that I’m planning the imminent violent overthrow of Western civilization.

I want it mainly just because it sounds cool.

That’s the promise of new iPhone app Wickr, which says that “the internet is forever, but your data doesn’t have to be.” The company’s slogan is “Leave No Trace.”

Well, never fear, because I’ve deleted the app from my phone. How’s that for no trace?

I was fairly excited at first: Totally secure, completely private, and I can erase my own emails on your device. I imagined setting an autodestruct for 10 seconds, sending a friend a 10-page treatise on the mating habits of Visayan warty pigs, and then laughing uncontrollably.

Juvenile, I know.

Robert Statica, co-founder

But that’s what the words “military grade” and “tactical” do to men: They make them stupid.

Wickr, of course, is made by seriously smart people. Security guru Dan Kaminsky served as an advisor to the team, Forbes tells us breathlessly. Cofounder Robert Statica is the director of the center for information protection at New Jersey Institute of Technology. He even has good reviews on RateMyProfessor, although his profile pic might be a little “The Silence of the Lambs” for some.

But there’s one small fly in this ointment of bursting intelligence.

The app only works if you’re sending email to people who already have a Wickr account. Which means that the first day you get this app, it is completely and utterly useless. To bring back an old network-effects example, it’s like having precisely one fax machine. Uno. Eins. Un.

I guess you could email yourself.

Wickr says the app is in use by many people in many different walks of life: “reporters, sources, senators, cops, freedom fighters, doctors, patients, lawyers, bankers, military, intel, boards, billionaires, celebs and college students.”

No email for you!

And I have no doubt that if I was a billionaire, I’d probably be able to force all my business associates, friends, and family to use whatever bloody email software I want, dammit.

But how on earth as a journalist can I ask my sources to not email me, not phone me, not Skype me, but instead have an iPhone, find an app, download it, create an account, connect with me, and then (and only then) communicate with me.

Not likely.

Of course, I may be completely wrong (and I know I can count on all of you tell me just how wrong I am, in the comments).

Nico Sell, one of Wickr’s cofounders, responded to my emailed request for more information about how, precisely, the company was going to get scale, go big, and make the app useful for the first-time user.

“You must invite your friends to make it useful. This is why it is viral. Remember, though, it is a free app that just takes a minute to set up with an easy invite feature.”

And maybe I’m all wet. Wickr seems to be doing something right. Sell continued, saying:

“We are already seeing a hockey stick growth curve. Wickr is currently the 16th most popular social app right after Google+ and before FourSquare and Bump! People are going crazy for Wickr.”

That is astonishing. My curmudgeonly take? It’s temporary — due to a major publicity push — and will not last. My bet is that people use email for too many things and too many people to switch just for a few private messages to one particular app — especially with no Android version (yet) and no desktop app.

Am I wrong?

Sell’s email, by the way, is still in my inbox. I think I’ll keep it there for a while…just as long as I want to.

For those who are interested, here’s a visual tour through Wickr, right from the start:

Image credit: Vault/ShutterStock

Design is determining the winners in everything mobile. The most successful players are focusing on one thing: How to make products, services, and devices as compelling and delightful as possible – visually, and experientially. MobileBeat 2012, July 10-11 in San Francisco , is assembling the most elite minds to debate how UI/UX is transforming every aspect of the mobile economy, and where the opportunities lie. Register here.

Simply browsing the web can open you up to a ton of malware or privacy risks. And let’s not even get started on the dangers of public Wi-Fi.

With 60 million downloads and more than 100 million monthly user sessions, AnchorFree’s Hotspot Shield has emerged as one of the easiest ways to protect yourself from dangers online. Today the company is announcing that it has raised a whopping $52 million third round led by Goldman Sachs.

“We’ve created the world’s most popular free VPN [virtual private network],” AnchorFree CEO David Gorodyansky said in an interview with VentureBeat. “We’ve created a VPN for the masses.”

Hotspot Shield works by routing your web traffic through its own secure datacenters. That makes your web browsing private (even AnchorFree can’t track your IP address when using the service), encrypted, and it also strips out and blocks malware sites. It’s like a condom for all those dirty public wireless networks we log into (because seriously, you don’t know where those routers’ DNS entries have been.)

With the availability of easy hacking tools like Firesheep, Hotspot Shield seems like an increasingly essential program for the average web surfer. It can also help citizens in places like China gain access to sites that their countries censor.

Gorodyansky tells me the company has three main goals with the funding: to hire many more people (especially engineers), build more data centers throughout the world, and open up its platforms so third parties can run their apps on AnchorFree’s servers. Hotspot Shield currently has more than 10 million monthly active users (who log in around 10 times a month), and Gorodyansky has set a goal of reaching 100 million active users, driving 1 billion secure sessions, as soon as possible.

The company has been profitable since 2009, Gorodyansky says, and its revenues have grown 100 percent just about every year since then. AnchorFree didn’t really need this massive infusion of funding to survive, but now the company can expand quickly to cement itself as the best way to secure your web browsing.

AnchorFree offers an ad-supported free version of Hotspot Shield, as well a premium version with added security for $30. The company currently scans over 2 billion pageviews a month, and it protects against more than 3.5 million malware threats. It look less than six months for the Hotspot Shield iOS app to reach 1 million users, and I’m told an Android app isn’t too far away.

Gorodyansky launched the company at 23, straight out of college in 2005, with his friend Eugene Malobrodsky (CTO). Mountain View, Calif.-based AnchorFree now has 35 employees, and with today’s funding it has raised a total of $63 million. Goldman Sachs will join AnchorFree’s existing investors and advisors, including Esther Dyson, former MCI CEO Bert Roberts, and former Huffington Post president Greg Coleman.

Photo via Shutterstock

Cyber-Ark protects important and sensitive data including passwords, financial records and top secret files. “Cyber-Ark has always been focused on solving sophisticated threats that enterprises are facing” Cyber-Ark CEO Udi Mokady told VentureBeat. The company helps protect its customers from four main security issues: security threats from malicious insiders, sophisticated outside attacks on sensitive data, compliance with government security regulations and cloud server file protection.

Cyber-Ark offers several product suites, ranging from complete company identity protection to file and server session protection. It offers several layers of protection with its security services including firewalls, secure networks and end-to-end encryption.

“With this latest round of funding we will focus on expanding globally. More than 40 percent of our revenue comes from outside of the US and we believe we can really expand to additional countries” said Mokady “There is going to be a big push on R&D, and we really want to expand the umbrella around our [security] solutions.”

With this new round of funding, Cyber-Ark plans to pursue global expansion for the company and fund research and development of new products. It also plans to build up its sales and marketing departments.

Since its founding in 1999, Cyber-Ark has grown to serve more than 1,000 customers worldwide, including Fortune 100 companies and eight of the top 10 global banks. The company is headquartered in Newton, Massachusetts and maintain offices in North America, Europe and Asia. Cyber-Ark has received $65 million in funding so far this year from Goldman Sachs, Jerusalem Venture Partners, Vertex Venture Capital and Cabaret-ArbaOne.

Briefcase photo via Shutterstock

Activision’s troubled gaming service, Call of Duty Elite, has been sending out password reminders to its users in plain text.

Activision either stores player passwords on its servers in plain text format, or in some retrievable version, which makes the information susceptible to hackers if they found their way into the servers, according to a Eurogamer report.

Activision has insisted in a statement that: “All Call of Duty Elite personal data, including passwords are saved and stored using encryption.” It went on to say that “Call of Duty Elite does not store any sensitive data in plain text. Currently, the only time passwords are sent in plain text is upon request from the registrant and only to the registered email address.”

Most companies avoid emailing passwords in plain text format, as it presents far more risks than sending a password change request. Robert Siciliano, chief executive of IDTheftSecurity.com explains “systems where the user’s email is used to send a password change request that requires the user to enter a new password is much more effective and secure than transmitting an unencrypted plain text password via email.”

Activision has now responded to this issue, and promised to stop sending out passwords in plain text format. It is currently altering and testing its password recovery procedure to ensure passwords are no longer delivered in plain text — thus making the process more secure.

Earlier this year, Sony found itself in extremely hot water when the Playstation Network was hacked. The incident allowed hackers to steal customer passwords and credit card details because the data was not properly encrypted. This resulted in a lengthy outage for the service, and prompted Sony to beef up its network security.

Call of Duty Elite hit more than one million paid subscribers in six days following its launch on Nov. 8, but the service struggled to cope with this initial demand. Activision is now reporting that Call of Duty Elite has been stabilized, and although there are plenty of fixes still to come, users are now able to access the service and engage with it.

---

GamesBeat 2013 is our fifth annual conference on disruption in the video game market. You'll get 360-degree perspectives from top gaming executives, developers, and analysts on what’s to come in the industry. Our theme this year is “The Battle Royal.” Check out full event details here, and grab your early-bird tickets here!

---

Russian security company Elcomsoft just demonstrated that it can decrypt the information stored on iOS devices, including devices using the 256-bit hardware encryption used in iOS 4′s data protection feature. That means iPhone 4, iPhone 3GS,  iPod touch (3rd generation or later) and all iPad models.

The iOS 4′s data protection feature encrypts all user data on the device including geolocation data,viewed Google maps and routes, web browsing history and call logs, pictures, email and SMS messages, etc. Nearly everything typed on an iOS device is cached.

To do the decryption, ElcomSoft’s researchers needed to get hold of various keys on the device. They developed a toolkit to extract these keys and also to guess the passcode using a brute-force method. Since passcodes are only 4 digits long, breaking them takes 20 to 40 minutes on an iPhone 4.

Elcomsoft is making the toolkit available to law enforcement, forensic and intelligence agencies and government organizations. So be careful where you leave your iPhone from now on.

Here’s how the process works:

A bit-to-bit snapshot of an iOS device’s file system is the starting point for a forensic analysis of the device. This is similar to making an image of a disk or dumping a CD or DVD into an ISO file. Elcomsoft captured this image of the device’s encrypted file system and then decrypted offline.

A unique device-specific iOS key is stored in the secure hardware. Encryption keys for individual files are derived from this unique device key. Certain files use a key derived from both the device key and the user’s passcode. This means that those files cannot be decrypted unless the device is unlocked by the user or you can get hold of the passcode.

ElcomSoft’s toolkit was used to extract various keys including the user passcode key and encryption keys from the device as well as guessing the passcode. The keys and passcode are then used to decrypt the encrypted bit-to-bit snapshot and reveal all the data on the device.

We’ll be exploring the most disruptive mobile trends at our fourth annual MobileBeat 2011 conference, on July 12-13 at the Palace Hotel in San Francisco. It will focus on the rise of 4G and how it delivers the promise of true mobile computing. We’re also accepting entries for our mobile startup competition at the show. MobileBeat is co-located with our GamesBeat 2011 conference this year. To register, click on this link. Sponsors can message us at sponsors@venturebeat.com.

July 9-10, 2013
San Francisco, CA

Early Bird Tickets on Sale

Editor’s note: This discussion about enterprise and mobility is one of the five themes we will be focusing on at theVentureBeat Mobile Summit, on April 25-26. We’ve carefully invited the top executives in mobile to discuss the biggest challenges of the day, which, if solved, can lead to much faster growth in the industry. And at our enterprise session, we’ll have top executives around the table from a number of companies, including Verizon, AT&T, Cisco, Salesforce, Box.net, and more. (If you think you should be part of the discussion, you can apply for a ticket.)

Mobile devices are clearly the darlings of business users who are acquiring them in droves, often despite corporate restrictions on doing so. The trend has so much steam behind it that about 25 percent of organizations (and the number is increasing) are now supporting user selected non-corporate provided devices.

To be clear, not all devices are fully supported, nor have access to all of the back office apps available to users of corporate sanctioned devices. But its only a matter of time until this capability expands. And there is no doubt business users’ demands will increase.

But there is a real threat looming on the horizon as organizations expand use of these partially or completely unsecured devices. And the threat expands dramatically when tablets are employed instead of less capable smart phones. Consider the amount of data a 64GB tablet can contain. Think about the amount of personal data (e.g., name, address, credit card, health records that can be compromised, or corporate secrets that can leak out (e.g., business plans, sales figures, product strategies).

Now look at the potential cost of such data loss. Aside from the potential for huge regulatory fines and customer defections, corporate competitive positions can be compromised. The Ponemon Institute estimates it costs a company $258 to remediate each lost personally identifiable record. While some major and highly public data was lost in the past when laptops with 10s or 100s of thousands of exposed records vanished, is there any doubt that soon this amount of data will also be contained on corporate tablets making their way into the workforce with similar types of data?

So what needs to be done? Clearly data needs to be protected, but the best way to protect that data is transforming. In the past, data at rest on a device was encrypted to protect it from loss (Windows has this built-in and many third-party products exist). Clearly this is an important and necessary security practice.

But with a mingling of personal and corporate apps on the new smart devices, is this really the best way to protect data that could be exposed? No. Its too easy for me to copy the data from my corporate app which I just legally accessed over to my Gmail account and send it on to others. Or to copy it to an online app or cloud storage area once is decrypted and displayed. Encryption is not going away as it serves an important purpose (if the device is lost or stolen), but encryption alone is not sufficient.

There needs to be a better way.

One way to do this is to not allow any data to be resident on the device. The device simply becomes a “Glass Window” to the data which resides in a protected space somewhere else. In fact, although not all users may like it, this is the approach that RIM is taking with the PlayBook, where all data is resident on the BlackBerry device that is “Bridged” to it. But that doesn’t necessarily solve the issue of cutting and pasting data. For this we need another approach that controls what is done with the displayed data.

New security measures will actually identify such cutting and pasting and/or forwarding to non-approved apps and prevent it from happening. The user can view and interact with the information locally, but not move the data without approval. While this seems burdensome to many, it is a good compromise if you are worried that data on the device may find its way to the personal side of the user’s apps and/or off the device and expose corporate assets. Of course this requires a level of control not currently implemented on most devices (like iPhone or Android) but it will make its way there before long in my opinion (and RIM is moving this way as well). I predict in the next 1-2 years, all corporate enhanced devices will have this feature.

Finally, one more level of security needs to be implemented, but will take a bit longer to get integrated. That is a virtualized platform approach whereby the business and personal sides of the device are kept separate in “walled gardens” and the transfer of data between the barriers is highly restricted. These virtualized stacks require a fundamental revamping of the OS (much as it has in the current PC and Server space) by adding hypervisors and specialized hooks into the processors (much easier to do now that we are moving into multi-core processors like those prevalent in tablets and higher end smart phones from NVIDIA, Qualcomm, TI, Intel, etc.). Virtualization is already being demonstrated by VMWare and OK Labs among others, and its popularity will grow quickly.

Security is one of those subjects about which people have many strong feelings and debates. Some want it to be relatively lax and primarily user controlled. Others want the extreme lock-down capability inherent in the most advanced and dedicated solutions used by the likes of President Obama. But what is clear is that organizations have a vested interest (and financial obligation) to protected corporate assets, and users have a vested interest in expanding the number and role of mobile devices they employ. It will be up to technology to find a balance, and corporations to decide what kinds of security to implement.

What is sure is that this market is evolving rapidly driven by the myriad of devices being deployed, and companies will have to stay abreast of the changes for several years to come. And third-party security providers will have lots of challenges ahead.

Jack Gold is the founder and principal analyst at J.Gold Associates, based in Northborough, Mass. He covers the many aspects of business and consumer computing and emerging technologies. He submitted this story to VentureBeat as part of a series leading up to our Mobile Summit later this month.

As long as I’ve been involved in enterprise mobility, the overwhelming security focus has been on data encryption: Over-the-air encryption versus at rest encryption; DES versus Triple-DES versus AES; 128-bit AES versus 192-bit AES versus 256-bit AES. You get the picture.

And for the past several years, encryption was almost certainly the right focus area. I definitely wouldn’t argue that data encryption isn’t an important part of a well-designed mobile security architecture.

I’m just not sure mobile data encryption matters -– at least on its own -– nearly as much as it once did.

Why? Because encryption, as a preventive measure, assumes the primary threat is coming from the “outside” – typically (but not exclusively), in the form of a hacker trying to intercept communications or extract data from a lost or stolen device. While such threats are real and you absolutely must guard against them, we’ve reached a crucial point in the evolution of mobile technology, and just as importantly, user behavior where the primary mobile security threat is no longer the faceless and malicious hacker, but instead the legitimate, fully authenticated owner of the device itself.

If this sounds surprising or controversial – it shouldn’t. In the “there’s an app for that” world we now live in, the greatest threat comes from the 100 percent well-intentioned end-user who is simply trying to be more productive and get more work done, more quickly. Not the hacker. Not the device thief. Not the disgruntled employee or ex-employee who purposely steals data or maliciously creates a security exposure.

Why? Because when faced with a productivity challenge, today’s mobile device users are much more likely to proactively search for – and also successfully find–their own solutions, with or without IT’s participation and blessing. This is especially true for the ultra-tech-savvy Generation Y that’s entering the workforce.

Real examples of the sorts of mobile productivity solutions that users finding and adopting on their own in huge numbers (to list just a very few) include Box.Net, Dropbox, Evernote, and GoodReader.

These are all great mobile productivity apps that solve real problems for their users. Unfortunately, from an IT security and compliance perspective, they also share another common trait:  they’re explicitly designed to replicate and share data with other apps, services, and/or users. This doesn’t mean these apps are “bad”.  On the contrary, their productivity benefits often directly or indirectly derive from the fact that they enable such sharing and replication.

However, this doesn’t change the fact that they represent very real data loss and compliance risks. And, unlike the “lost device” scenario, this type of exposure is much more difficult to protect against and almost virtually guaranteed to occur. If you don’t think so, just check the “top 25” list of Business and Productivity apps on your favorite application market place. It’s already happening.

It’s this relatively new category of risk – created by the well-intentioned user, not the faceless hacker – that will define how mobile security evolves from its traditional and relatively narrow focus on encryption and “lost device” scenarios to a much more comprehensive and holistic approach to data loss prevention. And that’s why encryption still matters – but maybe not as much, on its own, as it did a few years ago.

John Herrema is the senior vice president of Corporate Strategy at Good Technology. He submitted this story to VentureBeat as part of a series leading up to our Mobile Summit later this month.