
iPhone not ready for the enterprise

By Robert Westervelt, News Editor
28 Aug 2007 | SearchSecurity.com

Security Wire Daily News

The iPhone lacks encryption, robust central management capabilities and the ability to integrate with localized infrastructure, making it an unlikely choice for most businesses, according to analysts at the Burton Group, a research firm based in Midvale, Utah.


In an online panel discussion, the analysts said the device is suitable for consumers to access email, browse the Web and access Web-based, Ajax-enabled applications. But cheaper devices that mimic many of the iPhone's features may win out in the enterprise marketplace of the future.

"The iPhone is unquestionably cool, but the Mac has always been cool," said Jamie Lewis, CEO and research chair of the Burton Group. "It's clear that the lines between work and life and the devices you use in the different roles that you have will continue to blur."

The iPhone was released in June, and security researchers have been clamoring to crack the smartphone's security features ever since. Flaws have since been discovered in the Safari browser, which the iPhone uses. In July, a team of security pros at Baltimore-based Independent Security Evaluators discovered simple ways of taking complete control of the Apple iPhone. Other security experts said that the iPhone's popularity could increase mobile phone attacks.

From a security perspective, the iPhone's lack of a centralized management capability – it currently relies on the iTunes interface for user management – takes the control of patching and configuration updates out of the hands of enterprise IT pros. Users can download security updates from a site provided by Apple.

"There's no way to force a patch or configuration change from a central place," said Diana Kelley, vice president and service director at the Burton Group.

Apple iPhone:
iPhone crack discovered by security researchers: Researchers have found a way to take complete control of the Apple iPhone by sending a user to a malicious Web site.

Apple iPhone to provoke complex mobile attacks, expert warns: Mikko Hypponen, director of antivirus research at F-Secure Corp., said he expects mobile malware attacks to escalate thanks to interest in Apple's iPhone.

Apple releases fixes for Mac OS X, iPhone vulnerabilities: Apple has released software patches fixing critical vulnerabilities in Mac OS X and its newly released iPhone.

Kelley said that the lack of centralized control coupled with the iPhone's lack of encryption makes it an unlikely choice for security-conscious enterprises, such as organizations in the government, healthcare, and financial markets. While Apple makes it difficult to store files on the iPhone, new software called the iPhone Drive is available, and indications are that storage could be made available in the future, making encryption even more important for the device, Kelley said.

"There are a lot of issues with data leakage and organizations are saying 'we don't want files being carried on a small device that we can't control,'" she said.

Many enterprises have been trying to address data leakage in the wake of many high-profile data breaches and stolen laptops containing sensitive information. Some IT shops are deploying file encryption on laptops and even full disk encryption to address the issue, Kelley said.

Still, some analysts believe the iPhone's limited features could be ideal for many enterprises. Since the phone lacks the ability to store enterprise data via cut and paste and download features, the device currently doesn't need encryption, said Bob Blakley, a principal analyst at the Burton Group.

The iPhone also does not let users store local applications. This could benefit enterprises, since end users could connect to Ajax-based Web applications, keeping sensitive data stored on local servers, Blakley said.

"Any Ajax application that an enterprise chooses to develop is going to be able to present rich information density and interactions dialogue with the user," he said.

Blakley admitted that future software updates, driven by consumers, could make the iPhone more prone to data leakage.

Still, Burton Group senior analyst, Richard Monson-Haefel, an iPhone user, said he is hesitant to recommend use of the iPhone by most enterprises. The need to store resident applications is important in some job roles, he said, including field technicians and service professionals. Even with a fast Internet connection, downloading schematics and other large amounts of data could be burdensome, he said.

"Technicians working in the field may need a massive amount of data … and can't afford to spend time downloading without a fast pipeline," he said. "I would love it if our organization ran the iPhone for a standard device but there's just enough missing pieces that it doesn't make sense for us at this point."


