Firstly, I wanted to mention that we won’t be making any announcements or disclosing any new features for upcoming releases of Windows Embedded Handheld here. Thank goodness, there are other folks charged with that job. I would like to focus on Windows Embedded Handheld 6.5, for now.
Enterprise mobility and connectivity to backend systems are interdependent in my view. So I thought I’d focus on this for a little while and gently remind folks of the features that have gone into Windows Embedded Handheld 6.5 (based on Windows Mobile 6.5) which, coupled with our partners’ great hardware, make it purpose-built for enterprise mobile line-of-business applications.
One major aspect of connecting mobile devices to back end systems is ensuring the data being transmitted to and/or stored locally on the device is secure. With Windows Embedded Handheld there are a few options built-in for getting the job done.
Mobile Encryption secures data files stored on removable flash cards. The end user can turn this feature on through the Encryption control panel applet, or it can be activated by Group Policy settings, which can also prevent the user from changing the setting.
There is also flexibility in the encryption algorithm used: the default is AES 128, and it can be switched to RC4. For more detail, see the MSDN topic on Mobile Encryption.
Device Encryption allows certain data files stored on the device, such as emails, email attachments, calendar, contacts and user documents, to be encrypted, protecting them when the OS is offline. It is set up through Group Policy settings. (A side note: Group Policy settings are another example of how Windows Embedded Handheld is a real enterprise-class operating system. Windows Embedded Handheld can be configured similarly to a PC via Group Policy settings distributed from a Windows Server, but that’s a whole other post.) Boot-up is then suspended until the user enters their PIN correctly, at which point boot-up continues.
This way services and applications are abstracted from the encryption/decryption process. Of course, some applications may need help dealing with the availability of decrypted data, so there are a couple of options: wait on an event until the data is available, or, for a service, delay its start-up. There is more info on MSDN for Device Encryption.
There are good third-party solutions available for data encryption and device protection for Windows Embedded Handheld 6.5, based on Windows Mobile 6.5 (up to WM 6.5.3). An example is a solution from Digital Defence called Secure Mobile, which uniquely encrypts and decrypts each file at bit level without impacting device performance. Keys are dynamically generated and are unique to each file and folder. Secure Mobile also includes comprehensive whitelisting functionality, which dictates which applications have access to encrypted files and also manages access to connections and ports.
In addition to the file system protecting important data, developers can add data protection directly to their applications. The Windows Embedded Handheld 6.5 CryptoAPI supports both symmetric-key and public-key encryption. (I love the analogies of receiving the key and the locked briefcase separately, or sending the unlocked briefcase to receive the package and keeping the key... but I digress.) There are APIs to generate keys and to encrypt and decrypt data for storing locally and/or transmitting to connected backend or cloud services. There is more info on MSDN for the CryptoAPI.
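Two points above deserve a concrete illustration: the Mobile Encryption algorithm choice (AES 128 by default, switchable to RC4) and the value of keys that are unique to each file. The example below is added here and is not Microsoft’s, Digital Defence’s or any CryptoAPI code; it uses a toy pure-Python RC4 purely to show the failure mode. RC4 is a stream cipher, so encrypting two files under the same key produces the same keystream for both, and XORing the two ciphertexts yields the XOR of the two plaintexts, which is why RC4 has been deprecated (for example, RFC 7465 prohibits it in TLS) and why the AES default is the safer choice. The per-file key derivation (HMAC-SHA256 of the file path under a master key) is an illustrative pattern, not how any shipped product derives its keys, and the file contents and paths are constructed sample data.

```python
"""Keystream reuse in a stream cipher, and per-file keys as the mitigation.

Added example, not code from the original post or from any product it
names. The RC4 implementation is a toy for demonstration only.
"""
import hashlib
import hmac


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Generate `length` bytes of RC4 keystream from `key` (KSA then PRGA)."""
    S = list(range(256))
    j = 0
    for i in range(256):  # key-scheduling algorithm
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    while len(out) < length:  # pseudo-random generation algorithm
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def rc4_crypt(key: bytes, data: bytes) -> bytes:
    """RC4 encryption and decryption are the same operation: XOR with the keystream."""
    keystream = rc4_keystream(key, len(data))
    return bytes(d ^ k for d, k in zip(data, keystream))


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """Byte-wise XOR of two equal-length byte strings."""
    return bytes(x ^ y for x, y in zip(a, b))


def keystream_reuse_leaks(key_a: bytes, key_b: bytes, file_a: bytes, file_b: bytes) -> bool:
    """True when the two encrypted files leak the XOR of their plaintexts.

    That happens exactly when both files were encrypted with the same keystream:
    (P_a ^ K) ^ (P_b ^ K) == P_a ^ P_b. With distinct keystreams the equality
    fails (except with negligible probability).
    """
    ct_a = rc4_crypt(key_a, file_a)
    ct_b = rc4_crypt(key_b, file_b)
    n = min(len(ct_a), len(ct_b))
    return xor_bytes(ct_a[:n], ct_b[:n]) == xor_bytes(file_a[:n], file_b[:n])


def derive_file_key(master_key: bytes, file_path: str) -> bytes:
    """Derive a 16-byte key unique to `file_path` from a master key.

    Assumption for illustration: HMAC-SHA256 over the path, truncated to 128 bits.
    Real products use their own key management; this only shows the principle
    that no two files should share a stream-cipher keystream.
    """
    return hmac.new(master_key, file_path.encode("utf-8"), hashlib.sha256).digest()[:16]


if __name__ == "__main__":
    # Constructed sample data: two small "files" on a storage card.
    file_a = b"Customer list: ACME Corp, Contoso"
    file_b = b"Order #1234: 40 units, net 30    "
    master = b"constructed-master-key"

    # Same key for both files: the ciphertext XOR equals the plaintext XOR.
    print("shared key leaks:", keystream_reuse_leaks(b"shared", b"shared", file_a, file_b))

    # Per-file keys: the relationship between the two files is no longer exposed.
    k_a = derive_file_key(master, "\\Storage Card\\customers.txt")
    k_b = derive_file_key(master, "\\Storage Card\\orders.txt")
    print("per-file keys leak:", keystream_reuse_leaks(k_a, k_b, file_a, file_b))
```

The first check prints True and the second False. The lesson carries over to any stream-cipher mode: if a deployment does switch Mobile Encryption from AES to RC4, the files on a card must never share a key, whereas the AES default sidesteps this particular failure mode.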
Again, I think it’s important, when you are thinking about a mobile line-of-business application, to consider the on-premises enterprise connectivity and security requirements, if you haven’t already of course. What data security requirements have you seen in the enterprise?