When it comes to mobile devices, IT security practitioners prefer employees use a BlackBerry because it's easier to control the data users share on them than, say, an Android or iPhone. But as consumer-based devices like the Apple brands get more sophisticated with each release, it's getting harder to keep them out of the workplace. Proliferation of the iPad has only heightened enterprise hunger.
For some IT shops, it's not that big a deal. Others are more reluctant. What follows are just a few of the concerns CSO has heard from industry experts, and what -- if anything -- can be done to improve the security controls.
Steve Green, former information security program manager at Sun Microsystems
I think it is difficult to prevent the use of an iPhone in many businesses, particularly those that allow, for example, access to e-mail via the Internet. Just like end users will sometimes try to throw up a wireless router in their office without really thinking what IT security thinks about it, they will use their iPhones and other mobile devices without considering whether it's secure. The Blackberry has been much better known for its security although it is far from perfect. I just think it was targeted more at businesses to begin with where the iPhone was clearly targeted at consumers.
But the iPhone does seem to be getting better.
While I think there are some organizations that should be more cautious (military, finance), I think many companies are better off trying to educate users how to configure their mobile devices to be more secure by using secure connections, a PIN, etc. [than trying to ban them].
Ivan Tirado, support engineer at Stonesoft
I think it's more a case of using the right tool for the right job. If your organization has determined that the iphone and/or ipad are the best devices to get the job done, then you as a security professional within that organization should take the necessary steps to make sure the devices are used in a secure manner. The initial filtering should be done by the functionality and business reasons, and then you should go into a security evaluation and recommendations. To do otherwise, subordinates business need to "security" and is (in my estimation) a "backwards" way of going about things.
I think that a bigger issue with the iPhone and iPad, at least in the US, is the service provider lock-in. Having only AT&T as a service provider can be a much bigger hurdle to overcome from an enterprise standpoint, unless your service provider happens to be AT&T and you don't want/need choices.
Pete Hillier, CISO at CMA Holdings, a subsidiary of the Canadian Medical Association
A security analysis in August 2009 revealed the following security issues with the software current at that time:
- Passcode and encrypted backup password can be bypassed in about 30 seconds, allowing someone with malicious intent to backup a copy of the iPhone
- Inadequate hardware encryption that encrypts hardware on the disk, but automatically decrypts the content for all access
- No reliable central policy enforcement
- Exchange ActiveSync is one option, but can be ignored when not connected via WebDev to an E-mail infrastructure
- The second option is mobile configuration profiles, but only a limited set of configuration options can be controlled through these profiles
- No ability to do over-the-air wireless software updates in the event of a major security issue.
- All updates are through iTunes while tethered to a computer
- All applications run as root with default password and admin privileges
These flaws allow a hacker to gain access to the raw content of the compromised iPhone drive, exposing local data, including call history and SMS messages, e-mail and voicemail, contacts and calendar events, keyboard cache history (including passwords when typed), photos, web browsing history, and so on.
One of my immediate concerns is the prolific distribution of iPhones/iPads within eHealth initiatives (both sides of our shared border). Without some extremely close attention paid to security around this critical infrastructure sector, we can definitely be assured that some huge data losses will result.
Jeremy Licata, Baltimore-based security project manager
As with any device that is being considered for use, review the risks. The various flavors have long been accepted as "more secure" on account of its UNIX base code. But as Apple gains market share, there are more in-depth reviews of the code and more vulnerabilities being discovered. Also, knowing that AT&T is changing their data plan pricing, what price point is the organization willing to accept given the unknowns about user data usage?
Personally, I refuse to join the iPod/iPad bandwagon right now -- BlackHat, DefCon, and the FBI have shown just how unsecure those devices are. To expose not only personal information, but business information, to that level of risk is just not acceptable to me.
Glen Geen, Dallas-based IT security administrator
One way to help mitigate data loss due to use of smartphones is to implement a mobile device management (MDM) solution. There are several out there. Some that I reviewed recently are www.Good.com, www.tangoe.com, and www.mobileiron.com. There are other solutions out there and we review a couple of others which I cannot remember. The first thing you need to do is define your requirements. Some of these solutions are just delivery management tools while other provide data security. The three listed here provide at least some level of security.
Read more about wireless/mobile security in CSOonline's Wireless/Mobile Security section.