iPad enterprise invasion and security risks

IT organisations have come to a stunning realisation: There is no stopping the great iPad enterprise invasion. Risks abound as companies must deal with securing iPad apps without much help from Apple, says Julie Palen, senior VP of mobile device management at Tangoe, a telecom expense management software and services provider.

Palen's group develops software that helps companies such as Wells Fargo and Coca-Cola manage BlackBerries, iPhones, Android devices and iPads: any devices connecting to a company's back-end computing environment via Active Sync, BES and Good Mobile Messaging.

The iPad, in particular, has had a rapid rise in enterprise adoption. More than 65 per cent of Fortune 500 companies are deploying or piloting the iPad, Apple said during its most recent earnings call. Around 60 per cent of Tangoe's new business deals in the last quarter involve companies that have already deployed iPads or are planning to do so.

But the iPad isn't really enterprise ready, in terms of manageability and security, says Palen, a 10-year veteran of mobile device management. She says IT organisations are buckling under pressure to support the iPad, even though the iPad wouldn't have passed last year's enterprise security requirements.

CIO.com talked with Palen about the iPad's unique path to the enterprise and the resulting security questions.

Julie Palen, senior VP at Tangoe

What are some cool iPad projects?

Palen: We're seeing a lot of companies in retail, medical and automotive putting business apps on iPads. iPads are a slick, cool way of interacting with the customer, and companies can leverage the iPad's cool factor in the buying experience. One cosmetic company is using iPads as point-of-sale devices in their retail stores in malls. The iPad shows complementary products that go well with a customer's selection.

Similarly, on the automotive side, one of our customers is putting iPads into the hands of their sales reps out on the lots. The iPads show features that can be added to a specific car. A sales rep can do searches for the customer right on the spot. For instance, one of their other dealerships might have the specific car that the customer is looking for. If the customer has an iPad or iPhone, they can receive a notification when their car is ready, pay the bill online, and drive off with the car without having to deal with all of the paperwork.

Aren't iPads difficult to manage and secure?

Palen: We automate the provisioning process of how the iPad connects to your back-end data. We provide insight into that device: the OS, available memory, what apps are on it. The fact that I can push out apps to the iPad but can't remove them is problematic for the enterprise. You have to either lock down iPads by restricting apps on the device to only those that you push (nothing from the App Store) or wipe devices.

On the other hand, unlike Android, iOS apps have to go through Apple's certification process. So there is a level of security that apps aren't going to create a whole bunch of issues on the devices or in the environment. That's a big, big issue we see on the Android side.

Sounds dangerous. What is the worst case scenario?

Palen: The worst case scenario involves apps that are truly a Trojan Horse that slips through the cracks and becomes available on an iPhone or iPad that is connecting to back-end data, and then wreaks havoc on an enterprise by capturing keystrokes or credit card information.

But nobody is looking at this blindly. People are taking precautions to protect their data. And I believe Apple will provide more enterprise management capabilities in future releases.

Why isn't this stifling iPad enterprise adoption?

Palen: With the iPad, IT organisations are folding under pressure. They had taken such a hard stance with security, and now they're allowing iPads that really wouldn't have met their requirements 12 months ago. There's so much demand. They also see so many efficiencies that can be brought to bear [by the iPad] that they're willing to deal with the risks.

What are the workarounds?

Palen: You're probably not going to wipe an executive's iPad. But one of the things that we do is integrate with Active Directory so that we know exactly who someone is in the organisation. You can actually set up rules so that you could manage executives one way and other people a different way. You can also differentiate between a corporate device and an individually owned device.

We could do some things around VPN connections and not having apps residing on the device. Or we can have an icon that doesn't have data residing on the device. We can control the iPad from a data perspective rather than the app itself. There are workarounds.

Apple has tiptoed around the enterprise for years. What's it going to take to force Apple's hand?

Palen: When Apple starts to see large volumes of iPads selling into the enterprise, and these iPads are locked down and users won't be able to buy additional apps, that's when Apple will start making it available for me to manage these apps.

Tom Kaneshige covers Apple and Networking for CIO.com. Follow Tom on Twitter @kaneshige. Follow everything from CIO.com on Twitter @CIOonline. Email Tom at tkaneshige@cio.com.
