iPad and iPhone Can Be a Security Risk

BVA has found that these types of mobile devices, if not provisioned correctly, can be a serious security risk to your network environment. Security policies need to be set forth to ensure security at all levels of access. The Apple iPad tablet, as well as the iPhone, is slowly becoming a legitimate business tool; your employees will soon have them in hand and bring them into your business. The reality is that the iPhone changed the playing field for security and really surprised IT consulting companies and their administrators when it was released. Users' needs versus wants changed completely, and the expectation of a smartphone that just syncs calendars, contacts, and email changed drastically.

The iPhone hit the scene, and the next thing we knew we were getting requests for it to be integrated into a business's mail environment immediately. These requests were coming from owners and directors; decision makers were demanding that it work, totally side-stepping the security protocols set forth by years of experience and best practice. The bottom line is that the line between corporate tool and consumer gadget has not just been blurred; it has been completely erased. Several studies have shown that, when asked, respondents say the iPad and iPhone present the greatest smartphone security risk for IT. It's a scary thought that you have locked down your environment, but because a new gadget is released to the market and owners want it, the integrity of the system is diminished.

There were recently a few contests by security outfits in which people hacked the iPhone in less than 2 minutes and won a cash prize. This is a scary thought and quite frankly shows how easy it can be for the non-hacker. Obviously it might take a little longer for a less talented hacker, but it can clearly be done. Apple has little intention of making its OS more secure because that is not the market it is targeting. Again, it is targeting the consumer, not the business enterprise. I am sure there will be a point in time when that day comes, but it is not in the near future. If Apple at the very minimum addressed just the enterprise security, supportability requirements, and new hardware level encryption. I want to be very clear that the OS on the iPhone is the same as on the iPad, as is its security. Apple targeted the iPad primarily as a media consumption gadget for the residential consumer, not the business community, but again we have seen this shift. I am not saying that you should ban the iPhone or iPad, but that you should develop policies and procedures that address the rules of engagement for integrating the iPad with your network environment.

As you develop the policies, keep in mind that the iPad is unique and could fall into a few different areas for policies.  Here are some key points to keep in mind:

•    delivers notebook-like functionality
•    smartphone OS platform
•    normally placed in the policy bucket for computer usage and security policies (not recommended)
•    a good policy bucket to consider – smartphone usage and security policies (recommended)
•    same smartphone OS was hacked in less than 2 minutes

Make sure that whatever policy is selected addresses the most important factor here, which is allowing or denying the storage of confidential or sensitive information on the iPad, or how e-mail, instant messaging and other communications conducted through the iPad fit within archiving and compliance requirements.