Can Apple iOS devices gain confidence of IT security pros?

There's great enthusiasm for using iPhones and iPads in the workplace, but experts say Apple's limited transparency about security issues can make enterprise adoption problematic.

IBM's Chief Information Officer Jeanette Horan recently struck a nerve when she said Big Blue regards Siri on employee iPhones as a sensitive security issue and disables it because the voice interactions are uploaded to Apple computers in the cloud.

Already, there had been suspicion as well as curiosity about what Apple might be doing in the background with Siri. Apple does briefly note in its legal licensing terms that it will upload Siri interactions. But despite calls for more information about how Apple stores and analyzes the voice data it may be collecting this way, Apple hasn't offered any explanation, which only heightens the unease for some.

It's not surprising that Apple needs to process human speech and complex speech responses in the cloud, says Chris Eng, vice president of research at Veracode. "It takes computational power," he says. "The phone may not have the power to do that."

But what he finds troubling is that so little is known about what Apple might be doing with the Siri-based voice data it collects. "Are they warehousing it? If I'm making an effort to purge information, I'm probably going to come out and say that this isn't being stored. They should come out and say it isn't being stored."

But since Apple hasn't shown an inclination to discuss this in depth, despite repeated inquiries from Network World and others, there's no way to understand what's going on in that Apple cloud.

"You can see why IBM is concerned," Eng says.

"Siri is more of a novelty now, an infant technology," says Daniel Ford, chief security officer at Sterling, Va.-based mobile risk management vendor Fixmo. "It's gathering data about you, digitizing it, and sending it to Apple's cloud." He said he thinks Apple doesn't share the information with anyone else, but he acknowledges, "We don't know how Apple is parsing it." He says it's not surprising enterprises would want to turn it off.

"Siri scares the hell out of me, to be honest," says Paul Henry, security and forensic analyst at Lumension, adding that Apple has provided no explanation about what it's mining the Siri data for, if anything. He points out Apple has incited privacy and security concerns before, when it was recognized that Apple was sending location data back to Apple, purportedly to use for targeted ads.

Apple is going to find it hard to win the confidence of the enterprise security manager without addressing Siri, Henry says. Google and Microsoft, as well as VMware, have all been better than Apple in disclosures related to security in their products. But Apple, which is consumer-focused, hasn't yet reached the level of response that IT security managers traditionally expect, he notes.

But Henry also notes that Apple shows definite signs of change in wanting to be more responsive about security in order to have its Apple iOS smartphones and tablets adopted in the enterprise and government sectors where strict security and detailed technical understanding may be demanded.

For one thing, in the last week or so Apple quietly released "iOS Security, May 2012," which for the first time puts into a simple document an explanation of security in iOS devices, says Henry. He notes it's not as though no one knew anything about them before, since the research community has been probing Apple mobile devices for years, but the new document represents Apple's attempt to finally, formally explain to the enterprise what's going on under the covers.

The Apple "iOS Security, May 2012" document is a simple technical explanation of how file-data protection, encryption, passcode system, certificate-signing process, secure boot chain, VPN use, network security, Wi-Fi and device access are all intended to function securely. Many are certain to want to hear more.

In addition, in the past few months Apple worked with the Australian government's Department of Defence to issue a guide for hardening iOS devices, Henry points out. "This all clearly shows that Apple is trying to embrace the enterprise system," he concludes, though many will still question whether the iPhone and iPad are enterprise-ready at this point. He adds that he does like Apple's basic security model, though, which works to keep unauthorized apps off devices, much like a whitelisting function.

Ellen Messmer is senior editor at Network World, an IDG publication and website, where she covers news and technology trends related to information security.
