iPad Security Considerations For The Enterprise

- September 13th, 2010

 

Apple took a great deal of heat early on by releasing the original iPhone with little consideration for enterprise security. As a result, Apple has since built in a number of what many consider to be necessary enterprise security mechanisms into the iPad. When it comes to security, the iPad – with the right policies and technical controls – can be made a relatively secure mobile computing platform for use within the enterprise.

The iPad affords numerous enterprise security capabilities:

  • Device protection
    • Strong passcodes
    • Passcode expiration
    • Passcode reuse history
    • Maximum failed attempts
    • Over-the-air passcode enforcement
    • Progressive device protection
  • Data protection
    • Remote and local wipe
    • Encrypted configuration profiles
    • Encrypted iTunes backups
    • Hardware encryption
  • Network security
    • Cisco IPSec, L2TP, PPTP VPN protocols
    • SSL/TLS with X.509 certificates
    • WPA/WPA2 Enterprise with 802.1X
    • Certificate-based authentication
    • RSA SecurID, CRYPTOCard
  • Platform security
    • Runtime protection
    • Mandatory code signing
    • Keychain services
    • Common Crypto APIs

While the available features provide the ability to enhance iPad security in the enterprise, managing those features for a large number of iPad users could quickly become an administrative nightmare. By integrating support for Microsoft exchange, Apple gets the added benefit of Microsoft ActiveSync that can be used to automate securing enterprise iPads. By simply using Microsoft Active Sync, the iPad can be automatically configured with the necessary security mechanisms which will facilitate its use within the enterprise such as:

  1. Email message encryption
  2. Device wipe
  3. Passcode lock
  4. Autolock
  5. Automatic autowipe
  6. Protected configuration
  7. Continious refresh

A recent article detailed the mapping of security capabilities of an iPad using Microsoft Active Sync to current regulations by Forrester for the iPad. The article does a great job of affording insight into the security capabilities of the iPad and is recommended reading for anyone considering an iPad in an enterprise deployment (Figure 1).

While the security capability of current generation iPhones and iPads has come a long way, they still lack the fine-grained application controls found in the BlackBerry. For some high security environments this will be a show stopper. A real risk remains in the ability to “jail break” Apple devices which will effectively bypass all of its security mechanisms. Currently, the Millennium Copyright Act makes it legal to jail break an iPhone, however no exemption has yet been made for the iPad.

The threat of a jail break is  a serious consideration for enterprise users. (Step-by-step instructions to jail break an iPad are freely available on the Internet.)  Much of this risk could be mitigated however by simply making sure the device is included as part of an enterprise’s existing flaw remediation program. Keeping the devices operating with the most current version of available software for both the underlying Apple software and third-party applications is the best defense against software flaws that most often facilitate jail breaking.


Tags:

|

About the Author

, is one of the world’s foremost global information security and computer forensic experts in the industry. With more than 20 years of experience, Henry is a seasoned speaker, author and contributor for some of the leading security events and publications.

Follow Paul on Twitter @phenrycissp





Comments

2 Responses to “iPad Security Considerations For The Enterprise”

  1. Matthew Hackling says:

    iPad and iPhone have a lot of good security controls in place, so when you do a desk based risk assessment based on spec sheets it looks pretty good.

    The real thing to consider is how easily can the platform be compromised due to poor quality code in the OS or standard applications installed on it.

    An attacker can “jailbreak” the ipad via a Safari flaw (dodgy link in an email, physical access to unlocked screen etc.) and bypass all of the above security controls (esp. encryption of contents)

    Not too many advisories out there for the ipad OS.

    http://secunia.com/advisories/product/31500/?task=statistics

    Lots out there for the web browser on it

    http://secunia.com/advisories/product/25519/?task=statistics

  2. Paul Henry says:

    Great observation and exactly the point of my post when I noted that:

    “The threat of a jail break is a serious consideration for enterprise users. (Step-by-step instructions to jail break an iPad are freely available on the Internet.) Much of this risk could be mitigated however by simply making sure the device is included as part of an enterprise’s existing flaw remediation program. Keeping the devices operating with the most current version of available software for both the underlying Apple software and third-party applications is the best defense against software flaws that most often facilitate jail breaking.”

Leave a Reply


IT Secured. Success Optimized.™

Contact Lumension | Privacy Policy

Comments


Share

blog.lumension.com