Using Exchange for E-Mail and Smartphone Security
During the past few years, the types of clients in the enterprise and the functions they serve have changed. Early on, the enterprise purchased smartphones to provide e-mail for selected staff, especially management, and specific device rollouts focused on staff's ability to perform a critical job function. Lately, there has been more and more pressure for the enterprise to allow end users to access their e-mail via their smartphones. I believe that this pressure has been due to the users realizing the features and functions that the smartphone offers and applying them to their jobs. Also, these users are able to select the smartphone of their choice and use it for personal as well as enterprise use.
Now, more and more companies are using Exchange to allow their employees to access their e-mail remotely. This is done using Exchange ActiveSync, which was originally available only for Windows Mobile smartphones and Pocket PCs.
Using Exchange to Sync E-Mail and Manage Smartphone Security
Now there are multiple smartphone clients that use Exchange ActiveSync to sync e-mail, calendar, contacts and tasks. These clients go beyond Windows Mobile and include the iPhone, Palm Pre, Android, Palm OS and Symbian. They do not all support the same level of device management.
Clearly, Windows Mobile makes the most comprehensive use of the device configuration, device security, and application deployment capabilities that Exchange 2007 SP1 implements through Exchange ActiveSync, provided you have the Standard + Enterprise Client CAL. However, device configuration, application deployment and device security functionality has lagged behind in the rest of the smartphone Exchange ActiveSync implementations. Usually the OEMs have decided to focus only on security in their Exchange ActiveSync implementation: a required password with length and complexity options, and device wiping, are the common security features across all platforms.
Is This Enough Security?
For some companies, Exchange has become the “de facto” default for accessing e-mail and securing smartphones. The big question is, “Do the smartphone’s security capabilities offer enough security with Exchange?” In the enterprise, the level of control implemented by the OEMs does not meet the same standards as for a laptop or desktop PC (in security parlance, endpoints). Most enterprises control the installation and distribution of applications on their PCs, require encryption of all data stored on laptops, and control what websites users can access. However, with smartphones and Exchange, these controls generally do not exist. Only Windows Mobile with the Exchange Standard and Enterprise CAL can deploy applications and enforce encryption of internal storage and removable storage.
Even the iPhone has had an issue with the capabilities it reports to Exchange. Devices prior to the iPhone 3GS reported that the data stored on the devices was encrypted. With the iPhone 3GS, Apple implemented hardware encryption and now reports this correctly. Clearly the enterprise expects that OEMs will report their device’s features correctly in order to ensure that their controls are effectively implemented.
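The controls discussed above (password length and complexity, encryption, and blocking devices that cannot apply the policy) can be expressed as an Exchange ActiveSync mailbox policy. The following is an added example for the Exchange 2007 SP1 Management Shell, not configuration from the original article; the policy name, mailbox and the specific values chosen are assumptions.

```powershell
# Added example (not from the article). Run in the Exchange Management Shell.
# Policy name, mailbox and numeric values below are constructed placeholders.
$policyName = 'Smartphone-Baseline'
$mailbox    = 'jdoe@example.com'

# Password, lock and encryption requirements in one policy.
# AllowNonProvisionableDevices $false stops devices that cannot apply
# the policy from syncing at all, instead of letting them in unmanaged.
New-ActiveSyncMailboxPolicy -Name $policyName `
    -DevicePasswordEnabled $true `
    -AlphanumericDevicePasswordRequired $true `
    -MinDevicePasswordLength 6 `
    -MaxDevicePasswordFailedAttempts 8 `
    -MaxInactivityTimeDeviceLock 00:10:00 `
    -RequireDeviceEncryption $true `
    -RequireStorageCardEncryption $true `
    -AllowNonProvisionableDevices $false

# Assign the policy to a user's mailbox.
Set-CASMailbox -Identity $mailbox -ActiveSyncMailboxPolicy $policyName

# Review what each of the user's devices reports back.
# Caveat from the article: this is self-reported by the device, so a
# client that claims encryption it does not have still shows as compliant.
Get-ActiveSyncDeviceStatistics -Mailbox $mailbox |
    Select-Object DeviceType, DeviceModel, DevicePolicyApplied, LastPolicyUpdateTime

# A lost device is wiped remotely with Clear-ActiveSyncDevice, using the
# device Identity returned by Get-ActiveSyncDeviceStatistics.
```

Because the server cannot verify what a device claims, the audit output is an inventory of reported state rather than proof that encryption is in place.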
Exchange Goes Beyond E-Mail
Also, Windows Mobile supports the use of Exchange 2007 to access SharePoint and network shares (using CIFS or UNC paths). However, none of the other smartphone OEMs have implemented this feature.
While implementing security with Exchange may be enticingly easy, it does not go far enough. The enterprise needs to manage security on smartphones at the same level as it does for its desktops and laptops. The enterprise should push OEMs to implement more of the features of Exchange ActiveSync or consider a third-party device management and security solution.