The iPad, like the iPhone, is rapidly becoming the tool of choice for many enterprise employees, but the dramatic increase in the number of Apple devices in circulation also makes them an increasingly popular target for attackers, which is why the iPad is becoming a real security concern for IT security pros.
So, what's the best approach for enterprises to satisfy the demand for iPad access within the confines of the enterprise? Or should they simply be banned outright? That’s what we’ll discuss in this tip.
To set the context for the discussion, enterprises should establish a clear policy for allowing iPad access to the corporate network. Any enterprise-owned iPad should obviously be deployed with security measures already in place, many of which are discussed below, but employee-owned devices should not be granted access unless their owners consent to the security policy and controls deemed necessary to protect corporate data that could be accessed on or via the device.
The iPad encrypts all data stored on it with 256-bit AES hardware-based encryption, which is always enabled and cannot be disabled. Bear in mind, though, that this device-wide key is available as soon as the iPad boots, so what actually keeps a thief out of a powered-on device is the passcode; only files written by apps that use the iOS 4 data protection API (Mail is one) are additionally encrypted under keys derived from that passcode. (Data backed up through iTunes to a user's computer can also be encrypted, and should be.) It supports VPN technologies such as Cisco Systems Inc.'s IPsec VPN, L2TP and PPTP; PPTP's authentication has long been known to be weak, so prefer IPsec or L2TP over IPsec where you have the choice. Authentication can require an X.509 digital certificate or a two-factor token such as EMC Corp.'s RSA SecurID or CRYPTOCard tokens from CRYPTOCard Inc. Preventing unauthorized access is your front line of defense for mobile devices, so if your enterprise doesn't use two-factor authentication, data security depends almost entirely on the level of passcode protection you enforce.
Password policy can be configured and enforced on an iPad in two ways: through Microsoft Exchange ActiveSync policies, still the most common method, which are pushed over the air with no action required by the user, or through a configuration profile distributed for users to install. Set all of the following: auto-lock timeout, password strength (minimum length, complexity and a ban on simple sequences such as 1234), password-change interval and the maximum number of failed attempts before the device wipes itself. Other profile settings determine which iPad features your users can reach, such as Safari and YouTube, as well as actions like application installation and access to explicit content. Configuration profiles are XML property-list files that can be signed and encrypted, and they can be locked so the user cannot remove them or alter their settings; a locked profile can then be removed only with an authorization password, by the management server that installed it, or by erasing the device, so keep a way to re-deploy it when the policy changes.
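The passcode and restriction settings just described are carried in a configuration profile. The script below is an added example, not code from this article or from Apple: it builds a .mobileconfig with the standard library's plistlib and then audits it against an assumed baseline. The payload types and keys (com.apple.mobiledevice.passwordpolicy, com.apple.applicationaccess, forcePIN, allowSimple, minLength, requireAlphanumeric, maxInactivity, maxFailedAttempts, maxPINAgeInDays, allowAppInstallation, PayloadRemovalDisallowed) are Apple's documented profile keys; the com.example identifiers, the baseline numbers and the audit logic are this example's own assumptions.

```python
"""Build and audit an iOS configuration profile (.mobileconfig).

Added example; not the article's or Apple's code. Payload types and keys are
Apple's documented ones; identifiers and the numeric baseline are assumptions.
"""
import plistlib
import uuid

PASSCODE_TYPE = "com.apple.mobiledevice.passwordpolicy"
RESTRICTIONS_TYPE = "com.apple.applicationaccess"

# Assumed enterprise baseline; tune to your own policy.
BASELINE = {
    "minLength": 6,           # characters
    "maxInactivity": 5,       # minutes idle before the device locks itself
    "maxFailedAttempts": 10,  # wrong passcodes before the device wipes itself
    "maxPINAgeInDays": 90,    # forced passcode-change interval
}


def _payload(payload_type, identifier, **keys):
    """Common envelope every payload dictionary in a profile must carry."""
    payload = {
        "PayloadType": payload_type,
        "PayloadVersion": 1,
        "PayloadIdentifier": identifier,  # hypothetical reverse-DNS name
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": payload_type.rsplit(".", 1)[-1],
    }
    payload.update(keys)
    return payload


def passcode_payload(**keys):
    """Passcode-policy payload; forcePIN makes a passcode mandatory."""
    return _payload(PASSCODE_TYPE, "com.example.ipad.passcode",
                    **{"forcePIN": True, **keys})


def restrictions_payload(**keys):
    """Feature restrictions: App Store installs, YouTube, explicit content, etc."""
    return _payload(RESTRICTIONS_TYPE, "com.example.ipad.restrictions", **keys)


def build_profile(payloads, removable=False):
    """Wrap payloads in a top-level profile and serialise it as an XML plist.

    removable=False sets PayloadRemovalDisallowed so the user cannot delete the
    profile from Settings. Signing/encrypting the file is a separate step.
    """
    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.ipad.profile",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Enterprise iPad policy",
        "PayloadRemovalDisallowed": not removable,
        "PayloadContent": list(payloads),
    }
    return plistlib.dumps(profile, fmt=plistlib.FMT_XML)


def audit_profile(profile_bytes):
    """Parse a .mobileconfig and return the list of weak or missing settings."""
    profile = plistlib.loads(profile_bytes)
    by_type = {p.get("PayloadType"): p for p in profile.get("PayloadContent", [])}
    findings = []
    if not profile.get("PayloadRemovalDisallowed"):
        findings.append("profile is user-removable")

    pc = by_type.get(PASSCODE_TYPE)
    if pc is None:
        findings.append("no passcode policy payload")
    else:
        if not pc.get("forcePIN"):
            findings.append("passcode not mandatory (forcePIN)")
        if pc.get("allowSimple", True):  # Apple's default when the key is absent
            findings.append("simple passcodes such as 1234 allowed (allowSimple)")
        if pc.get("minLength", 0) < BASELINE["minLength"]:
            findings.append("minLength below %d" % BASELINE["minLength"])
        # An absent limit means 'no limit', so a missing key is a failure too.
        for key in ("maxInactivity", "maxFailedAttempts", "maxPINAgeInDays"):
            value = pc.get(key)
            if value is None or value > BASELINE[key]:
                findings.append("%s missing or above %d" % (key, BASELINE[key]))

    rs = by_type.get(RESTRICTIONS_TYPE)
    if rs is None or rs.get("allowAppInstallation", True):
        findings.append("App Store installs not blocked (allowAppInstallation)")
    return findings


# Weak: 4-digit simple PIN, no lock/wipe/expiry limits, removable, unrestricted.
WEAK_PROFILE = build_profile([passcode_payload(allowSimple=True, minLength=4)],
                             removable=True)

# Hardened: every setting the article lists, plus the App Store locked down.
HARDENED_PROFILE = build_profile([
    passcode_payload(allowSimple=False, requireAlphanumeric=True, minLength=8,
                     maxInactivity=5, maxFailedAttempts=10, maxPINAgeInDays=90),
    restrictions_payload(allowAppInstallation=False, allowExplicitContent=False,
                         allowYouTube=False),
])

if __name__ == "__main__":
    for name, blob in (("weak", WEAK_PROFILE), ("hardened", HARDENED_PROFILE)):
        print(name, audit_profile(blob) or "OK")
```

Run as-is, the weak profile reports seven findings and the hardened one passes. The same audit_profile function can be pointed at a profile exported from Exchange or an MDM console before it is pushed to devices; it does not verify signatures, and an encrypted profile has to be decrypted before it can be parsed.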
Users and administrators can initiate a remote-wipe command to erase data should the iPad be lost or stolen, an essential contingency for any mobile device that's going to be part of an enterprise network. The free Find My iPhone app can also be used to locate, lock or wipe a lost iPad. Remember that a remote wipe only takes effect once the device next connects to a network, so it is no substitute for a strong passcode and a local wipe after too many failed attempts. These basic features make the iPad a robust tool if they're all used, but the main concern has to be physical theft, given the device's small and desirable form.
It doesn't matter whether you treat the iPad as an oversized smartphone or a netbook; you need an acceptable usage policy. Phishing attacks are platform agnostic, so your general security awareness training will already cover this and other topics, such as limiting the amount of confidential data stored on the device, but additional training on avoiding fake Wi-Fi hotspots (to which an iPad may automatically connect if it remembers a network of the same name) and on good physical security should be revisited. More specifically, iPad users should be given instruction on how to safeguard the device when traveling and working out of the office, such as never leaving it unattended, locking it in the trunk of their car when driving, and using a motion-sensor alarm, a small device that emits a piercing alarm whenever the iPad is moved.
Because every iPad app runs in its own sandbox and cannot inspect other apps, their data or the operating system, traditional antivirus software can't be installed on the iPad, so users have to be extra vigilant in not opening unexpected links or attachments. Policy should not allow any apps to be installed without passing a full review, trial and approval process by the organization's IT or security teams, with close attention given to what data the application stores and what connections it makes; Apple's App Store review is not a substitute for that check.
The level of network access granted should be based on the iPad's location and type of connection: inside or outside the corporate network, or through a VPN. This adds protection against users who don't follow corporate policy and against thieves using a stolen device. Administrators also need to closely follow Apple and security research announcements on new vulnerabilities and fixes, and push iOS updates promptly. The iPad runs the same OS as the iPhone, so it is vulnerable to the same bugs used to jailbreak the iPhone, and a bug that a jailbreak tool exploits can equally be exploited by a malicious web page or document; treat a jailbroken device as non-compliant, since the sandbox and code-signing protections above no longer hold on it, and note that several MDM products attempt to detect jailbroken devices at enrollment.
Organizations that don’t use Microsoft Exchange should look at enterprise product vendors who have built support for the mobile device management capabilities of iOS 4 into their products, like McAfee Inc.’s Enterprise Mobility Management, MobileIron Inc.’s Advanced Mobile Device Management and Mformation Technologies Inc.’s Mformation Service Manager. These products provide the ability to securely enroll devices in an enterprise environment, wirelessly configure and update settings, monitor compliance with corporate policies, and remotely wipe or lock managed devices.
However, if you're happy with the level of security enforced by Microsoft Exchange, then with a few refresher courses on security awareness there's no reason why the iPad and its users can't be a happy and productive part of your enterprise.
About the author:
Michael Cobb, CISSP-ISSAP, CLAS is a renowned security author with more than 15 years of experience in the IT industry. He is the founder and managing director of Cobweb Applications, a consultancy that provides data security services delivering ISO 27001 solutions. He co-authored the book IIS Security and has written numerous technical articles for leading IT publications. Cobb serves as SearchSecurity.com's contributing expert for application and platform security topics, and has been a featured guest instructor for several of SearchSecurity.com's Security School lessons.
This was first published in July 2011