iOS devices at work…are they secure enough??
In previous posts, we mentioned security as one of the reasons Research in Motion (RIM) has enjoyed such a long stay in the corporate suite. Ask the average, somewhat-computer-savvy consumer what they think about iOS devices and security and they’ll likely have no opinion on the matter or will acknowledge “having heard” they are not as secure as other products. This latter perception has undeniably hindered Apple’s uptake by businesses. Is this perception valid, however? Are iOS devices secure enough for corporate use? The answer depends on the circumstances and the level of protection needed. Ponder this. Banking is definitely one of the more security-conscious industries. The protection of customer finances is paramount. And yet there’s not a major bank that does not have an iPhone App for customers to review account details, transfer funds and pay bills. Banks have assessed the iPhone security features and have determined they are ‘fit for purpose’. Another high-security industry is Healthcare, where protection of patient information is critical. Healthcare officials appear to have come to the same conclusion as the Banks. Medical iPhone and iPad Apps, including full electronic medical record (EMR) Apps such as that developed for the Ottawa General Hospital, are sprouting almost daily.
The first thing these security-conscious industries recognize is that security goes much beyond the device and App(s) themselves. Security begins with company policies and practices that define the behaviour that employees, customers, partners and suppliers will exhibit in protecting company information. Without relevant security policies and effective management practices to enforce those policies, no device or App, regardless of its inherent technical security capabilities, will be as effective at keeping threats at bay. Authentication policies requiring customers to have registered, active user IDs and passwords in order to use Apps are one example. Policies around minimum password length and maximum login attempts are another, as are inactivity timeout policies. Who gets access to which Apps and which information needs to be defined. What to do if ever a device is lost or stolen, e.g. who to alert, needs to be documented and communicated. These types of policies need to be agreed and in place irrespective of the mobile device and App being used. There then need to be strong processes, or practices, established to enforce those policies: conducting regular risk or threat assessments and acting upon the findings; responding to a lost mobile device and remote-wiping any locally stored data; or issuing devices to employees and ensuring the configuration profile on those devices matches the employee’s profile based upon their role within the organization. Without effective management practices, policies are simply words on a piece of paper (assuming they’re documented at all!).
How well do iOS devices support common security policies and practices? The answer used to be “not that well” but that’s rapidly changing. Apple’s iOS 4 introduced huge advances in security, as did the iPhone 3GS hardware. For the first time, a robust combination of device, data, network and platform protection was possible. Long-sought features are now available, such as over-the-air password enforcement and support for Microsoft Exchange ActiveSync passcode policies including password expiration, password history and password refresh interval. Creating signed and/or encrypted device configuration profiles, restricting and/or enabling VPN configuration information, managing Wi-Fi settings and e-mail, calendar and contact accounts, and enabling enterprise authentication credentials can all be accomplished entirely remotely. Restricting access to certain Apps or features such as Safari, YouTube and the camera, or disallowing the ability to download Apps, is also possible.
For data protection, hardware-based 256-bit AES encryption is supported, as is the ability to encrypt data backed up to a computer through iTunes. App developers now have access to APIs to include custom-developed or third-party encryption routines in their code. And if an iOS device is lost or stolen, any locally stored data can be remotely wiped using third-party mobile device management (MDM) solutions or Microsoft’s Exchange Management Console (or the Exchange ActiveSync Mobile Administration Web Tool for older installations of Exchange). A local wipe can also be triggered after a set number of failed passcode attempts, and that number can be changed remotely at any time through any number of MDM tools available in the market (more on these tools in a post to come).
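To make the policies in the preceding paragraphs concrete, here is an added example (not code from the original post or from Apple) that builds a per-role iOS configuration profile with a passcode policy and App restrictions, then audits an arbitrary .mobileconfig against the role’s minimums before it is issued. The payload types and keys are those of Apple’s configuration profile format; the role thresholds and the com.example identifiers are constructed for the example, and profile signing/encryption is not shown.

```python
import plistlib
import uuid

# Role-based passcode minimums (constructed for this example, not from the post); keys are those
# of Apple's com.apple.mobiledevice.passwordpolicy payload.
ROLE_POLICY = {
    "staff": {"minLength": 6, "maxFailedAttempts": 10, "maxInactivity": 5, "maxPINAgeInDays": 90, "pinHistory": 4},
    "finance": {"minLength": 8, "maxFailedAttempts": 6, "maxInactivity": 2, "maxPINAgeInDays": 60, "pinHistory": 8},
}

def _payload(ptype, name, body):
    """Envelope keys every payload (and the profile itself) must carry."""
    return {"PayloadType": ptype, "PayloadVersion": 1, "PayloadDisplayName": name,
            "PayloadIdentifier": "com.example." + name, "PayloadUUID": str(uuid.uuid4()).upper(), **body}

def build_profile(role):
    """Passcode policy plus App/feature restrictions for one employee role."""
    passcode = _payload("com.apple.mobiledevice.passwordpolicy", f"passcode-{role}",
                        {"forcePIN": True, "allowSimple": False,
                         "requireAlphanumeric": role == "finance", **ROLE_POLICY[role]})
    restrict = _payload("com.apple.applicationaccess", f"restrictions-{role}",
                        {"allowAppInstallation": False, "allowYouTube": False,
                         "allowSafari": True, "allowCamera": role != "finance"})
    return _payload("Configuration", f"profile-{role}",
                    {"PayloadRemovalDisallowed": True, "PayloadContent": [passcode, restrict]})

def profile_bytes(role):
    """The XML plist an MDM would push as a .mobileconfig (signing not shown)."""
    return plistlib.dumps(build_profile(role))
def audit_profile(mobileconfig, role):
    """List the ways a .mobileconfig (bytes) falls short of ROLE_POLICY[role]; [] if compliant."""
    prof = plistlib.loads(mobileconfig)
    want = ROLE_POLICY[role]
    pw = next((x for x in prof.get("PayloadContent", [])
               if x.get("PayloadType") == "com.apple.mobiledevice.passwordpolicy"), None)
    if pw is None:
        return ["no passcode policy payload"]
    issues = []
    if not pw.get("forcePIN"):
        issues.append("forcePIN: passcode not required")
    if pw.get("allowSimple", True):  # Apple's default is to allow simple passcodes
        issues.append("allowSimple: repeating or sequential passcodes allowed")
    for key in ("minLength", "pinHistory"):  # larger is stricter; absent means 0
        if pw.get(key, 0) < want[key]:
            issues.append(f"{key}: {pw.get(key, 0)} below required {want[key]}")
    for key in ("maxFailedAttempts", "maxInactivity", "maxPINAgeInDays"):  # smaller is stricter; absent = no limit
        if key not in pw or pw[key] > want[key]:
            issues.append(f"{key}: {pw.get(key, 'unset')} above allowed {want[key]}")
    return issues
```

Auditing a “staff” profile against the “finance” minimums reports all five numeric settings as too weak, while each profile passes its own role, which is the kind of check the issuing process in the previous paragraphs should run before a device leaves the organization’s hands.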
In the summer of 2010, Forrester published a paper assessing the suitability of iOS devices in the workplace from a security perspective. They concluded that “with the right policies and technical controls, you can operate Apple mobile devices at least as securely as the typical corporate laptop”. They went on to categorize organizations into “high-water mark” levels, namely those in need of basic security policies (protection every organization should have in place), those needing some form of higher assurance (for regulated industries or risk-averse firms) and finally those needing a large number of higher-assurance options. Despite its conclusion that Apple iOS devices “are secure enough for most enterprises”, the paper does diligently point out that a number of security features are still missing from iOS devices, including support for smartcard authentication, support for client e-mail end-to-end encryption (S/MIME or PGP) and logging of SMS. And then there’s the overshadowing and very real risk of how easy it can be to ‘jailbreak’ iOS devices, as recently demonstrated by the Fraunhofer Institute in Germany. Because of these remaining shortcomings, Forrester states “high-security [and risk averse] enterprises will [choose to] stick with BlackBerry”.
Most organizations, however, are finding iOS devices perfectly suitable from a security perspective, particularly if complemented by a robust set of security policies and practices.