Our organization made a big “I wish we could take it back!” move recently when it purchased a number of HP netbooks with webOS (at a volume discount!) for some of our highly mobile user groups (sales, international, etc.). MIS (and by extension information security) wasn’t thrilled with having to support them in the first place, but with webOS discontinued, is there a good security-related case for us to convince our decision makers to stop the rollout?
First, some background: WebOS is a mobile operating system based on a Linux kernel and was initially developed by Palm in 2009. Hewlett-Packard Co. took over webOS when it acquired Palm in 2010. In August 2011, HP announced that webOS device development would be halted and it would discontinue production of all webOS-related hardware devices. Its fate appeared uncertain until early December, when HP announced it would release webOS as an open source project, making its code freely available to developers. It's unclear what effect this will have on the platform's future, but let's examine its current security posture.
WebOS’ security features include secure communications over Wi-Fi, cellular data networks and Bluetooth; power-on authentication to protect stored data; and sandboxing, so that each application runs in its own environment and its data is protected from unauthorized access by other applications. It also has remote data wipe functionality. However, like all browser-based software, webOS has some serious flaws. Furthermore, its critics feel the architecture is flawed, and time-to-market pressures during its development meant security was never a priority.
Security has to be an enabler, so if your mobile user groups helped choose these netbooks because they provided the best experience for their environment, your first task should be to see how you can incorporate them into your network while providing the level of security required by your security policies and regulatory environment.
To be clear, you cannot process or store sensitive data on an operating system that is no longer officially supported by its manufacturer. Although HP has announced it will continue to issue updates for the Veer and HP TouchPad, the company is experiencing major internal changes, and it's unclear how much support an open source webOS will receive from the company. Complicating matters further, the original risk assessment you completed prior to rolling out these netbooks is now out of date, because it assumed a commercially supported webOS that HP has since discontinued. A revised assessment will give you hard evidence that the HP netbook rollout has to be stopped in order to avoid the risks associated with running an unsupported or end-of-life operating system. Your arguments will need to be put diplomatically, so that those who were in favor of the rollout do not see your recommendation as being driven by ill feeling. Emphasize that your recommendation is based on an analysis of the changed security risks created by HP’s decision, not on personal preference.
This was first published in December 2011