iPhones, iPads in the enterprise: 5 security views

A concern is the prolific distribution of iPhones/iPads within eHealth initiatives

When it comes to mobile devices, IT security practitioners prefer employees use a BlackBerry because it's easier to control the data users share on them than, say, an Android or iPhone. But as consumer-based devices like the Apple brands get more sophisticated with each release, it's getting harder to keep them out of the workplace. Proliferation of the iPad has only heightened enterprise hunger.

For some IT shops, it's not that big a deal. Others are more reluctant. What follows are just a few of the concerns CSO has heard from industry experts, and what -- if anything -- can be done to improve the security controls.


Steve Green, former information security program manager at Sun Microsystems

I think it is difficult to prevent the use of an iPhone in many businesses, particularly those that allow, for example, access to e-mail via the Internet. Just like end users will sometimes try to throw up a wireless router in their office without really thinking what IT security thinks about it, they will use their iPhones and other mobile devices without considering whether it's secure. The BlackBerry has been much better known for its security, although it is far from perfect. I just think it was targeted more at businesses to begin with, where the iPhone was clearly targeted at consumers.

But the iPhone does seem to be getting better.

While I think there are some organizations that should be more cautious (military, finance), I think many companies are better off trying to educate users how to configure their mobile devices to be more secure by using secure connections, a PIN, etc. [than trying to ban them].

Ivan Tirado, support engineer at Stonesoft

I think it's more a case of using the right tool for the right job. If your organization has determined that the iPhone and/or iPad are the best devices to get the job done, then you as a security professional within that organization should take the necessary steps to make sure the devices are used in a secure manner. The initial filtering should be done by the functionality and business reasons, and then you should go into a security evaluation and recommendations. To do otherwise subordinates business need to "security" and is (in my estimation) a "backwards" way of going about things.

I think that a bigger issue with the iPhone and iPad, at least in the US, is the service provider lock-in. Having only AT&T as a service provider can be a much bigger hurdle to overcome from an enterprise standpoint, unless your service provider happens to be AT&T and you don't want/need choices.

Pete Hillier, CISO at CMA Holdings, a subsidiary of the Canadian Medical Association

A security analysis in August 2009 revealed the following security issues with the software current at that time:

  • Passcode and encrypted backup password can be bypassed in about 30 seconds, allowing someone with malicious intent to back up a copy of the iPhone.
  • Inadequate hardware encryption that encrypts hardware on the disk, but automatically decrypts the content for all access.
  • No reliable central policy enforcement.
  • Exchange ActiveSync is one option, but can be ignored when not connected via WebDev to an e-mail infrastructure.
  • The second option is mobile configuration profiles, but only a limited set of configuration options can be controlled through these profiles.
  • No ability to do over-the-air wireless software updates in the event of a major security issue.
  • All updates are through iTunes while tethered to a computer.
  • All applications run as root with default password and admin privileges.

These flaws allow a hacker to gain access to the raw content of the compromised iPhone drive, exposing local data, including call history and SMS messages, e-mail and voicemail, contacts and calendar events, keyboard cache history (including passwords when typed), photos, web browsing history, and so on.

One of my immediate concerns is the prolific distribution of iPhones/iPads within eHealth initiatives (both sides of our shared border). Without some extremely close attention paid to security around this critical infrastructure sector, we can definitely be assured that some huge data losses will result.

Jeremy Licata, Baltimore-based security project manager

As with any device that is being considered for use, review the risks. The various flavors have long been accepted as "more secure" on account of their UNIX base code. But as Apple gains market share, there are more in-depth reviews of the code and more vulnerabilities being discovered. Also, knowing that AT&T is changing its data plan pricing, what price point is the organization willing to accept given the unknowns about user data usage?

Personally, I refuse to join the iPod/iPad bandwagon right now -- BlackHat, DefCon, and the FBI have shown just how insecure those devices are. To expose not only personal information, but business information, to that level of risk is just not acceptable to me.

Glen Geen, Dallas-based IT security administrator

One way to help mitigate data loss due to use of smartphones is to implement a mobile device management (MDM) solution. There are several out there. Some that I reviewed recently are www.Good.com, www.tangoe.com, and www.mobileiron.com. There are other solutions out there, and we reviewed a couple of others which I cannot remember. The first thing you need to do is define your requirements. Some of these solutions are just delivery management tools, while others provide data security. The three listed here provide at least some level of security.
