7 Steps to Stronger Enterprise iPhone Security
- 04 August, 2010 02:58
Think iPhone security stinks? A new Forrester Research report finds that the iPhone and iPad are secure enough for most enterprises, including highly regulated ones.
Only a couple of years ago, iPhones weren't considered secure enough for the enterprise, especially compared to the more secure RIM BlackBerry. Much of that changed with the encryption capabilities of the iPhone 3GS and, later, iOS 4. Today, 29 percent of North American and European enterprises support the iPhone, according to Forrester.
That figure will continue to grow because Apple's improved security only lays the groundwork for iPhones and iPads to push even deeper into the enterprise. "By 2013, curating and managing the delivery of mobile applications, not securing the devices, will be the next frontier," writes Forrester analyst Andrew Jaquith in the report.
[ Goodbye BlackBerry: the future belongs to the iPhone, writes CIO.com's Tom Kaneshige. ]
So where does this leave the venerable enterprise BlackBerry? The iPhone has been battering at BlackBerry's enterprise stronghold, making particular advances among small and mid-sized businesses, say analysts. Now RIM faces another onslaught in the enterprise, this time at the doors of its popular BlackBerry Enterprise Server (BES).
Industry watchers have been calling for RIM to open BES to manage multiple mobile platforms. So far, RIM has kept a tight lid on BES. Microsoft, on the other hand, has been more than accommodating with ActiveSync. Forrester expects ActiveSync will eventually become the BES-equivalent for Apple and Android devices.
Nevertheless, Apple can do more to secure iPhones and iPads for the enterprise. Forrester says Apple should redouble its efforts to fix coding flaws in its bootloader and Safari browser. The iPhone also falls short for enterprises requiring an extraordinary high level of compliance, such as no support for smart card authentication and certain encryption technologies (S/MIME and PGP).
Apple also received a blow recently when the U.S. Library of Congress ruled that people who "jailbreak" phones to add non-Apple approved apps should be exempt from prosecution. The ruling could lead to more jailbreaking and, as a result, more headline-grabbing exploits that damage the iPhone's image.
Even though enterprises will most likely write non-jailbreaking clauses into their IT policies, the threat is that conservative companies won't allow iPhones in the first place because they will have deemed them easily hackable.
For now, according to Forrester, there are seven security polices every iPhone-supporting CIO should follow:
1. Email Encryption a Must
iPhones and iPads can enforce email session encryption via ActiveSync. For more highly regulated industries, iPhones and iPads can use device certificates for stronger authentication to email, as well as VPNs and Wi-Fi networks, according to Forrester.
The iPad, iPhone 3GS and iPhone 4 also all support hardware device encryption-a required feature for many enterprises. Apple's mail app also supports application-level encryption in iOS 4.
2. Stolen iPhone? Wipe It
Be ready to turn a lost or stolen iPhone into a brick using "crypto-shedding," which lets an enterprise remotely wipe out the data on an iPhone 3GS or iPhone 4 in less than a second, according to Forrester. Actually, this method doesn't wipe out data, rather it overwrites the encryption key, thus rendering data unreadable. Remote wipe works via tools in Exchange and MobileMe.
3. Password Lock
Require users to lock their iPhones with a password that uses numbers and characters, not just a simple PIN number such as 1111 or 1234. For more highly regulated enterprises, Forrester recommends a seven-character alphanumeric password that also requires special characters.
4. Autolock After 15 Minutes
Many enterprises require 15-minute inactivity time-outs, while others set the lockout at 30 minutes to free up productivity, according to Forrester. Neither really matters for iPhone 3GS users because the iPhone 3GS auto locks after a maximum of five minutes. (iPhone auto-lock is required when you add an Exchange email account.)
5. Failed Password Attempt Policy
Forrester advises companies to configure the iPhone and iPad so that they automatically wipe after several failed unlock attempts. One high security level calls for a six-digit passcode (not just a simple PIN) and policy that autowipes the phone after four wrong guesses.
6. Configuration Profile Under Lock and Key
IT managers should protect the mobile configuration profile with a password. This ensures that users can't remove the profile unless they wipe the device clean to factory defaults, Forrester says.
7. Continuously Refresh Policies
Forrester recommends using ActiveSync to continuously enforce policies. ActiveSync can automatically refresh policies for passwords and autolocking when iPhones connect to the server, Forrester says.
Beyond these seven security practices, companies can up their security measures with tough IT policies (although at the risk of upsetting users). Enterprises can prohibit non-approved apps, block the use of the iPhone camera, require disablement of the screen-capture feature, restrict (or prevent) the use of YouTube app and browser, among others.
On the flip side, there are security "red herrings" that a CIO doesn't need to worry about, says Forrester. Here are three of them:
1. Don't Waste Money on iPhone Antivirus and Host Firewall Software
Shouldn't every device tapping your network run antivirus, host intrusion prevention and a host firewall? Nope, says Forrester. "The combination of Apple's code-signing system, sandboxing and its curated App Store eliminates the threat of malicious mobile codes for the foreseeable future," Jaquith writes. "Moreover, the devices don't listen on any open network ports, making a firewall unnecessary."
2. Data Leak Prevention? Fuggetaboutit
You don't need data leak prevention (DLP) on smartphones, says Forrester. But if you must, then deploy DLP on email servers instead of the actual devices.
3. USB Still Easier for Stolen Documents
Are you worried that the iPhone or iPad might be used as a document-stealing device, like a USB thumb drive? Sure, there's document syncing between an iPhone/iPad and PC (although PC software can be used to block transfers). "That said, employees intending to steal documents will seek less convoluted methods that smuggling them out on their iPads," Jaquith writes. "Using Web mail sites, posting to DropBox, or copying to uncontrolled USB sticks is much easier."
Read more about consumer in CIO's Consumer Drilldown.
Join the CIO Australia group on LinkedIn. The group is open to CIOs, IT Directors, COOs, CTOs and senior IT managers.
- HTC unveils new Butterfly s phone that packs more battery life
- Google Glass apps for enterprises coming by early 2014
- iPad 5 rumour rollup for the week ending June 18
- Say 'cheese', Earthlings! Spacecraft to snap home planet pic from deep space
- Social media adds spice to financial services, say banks
Samsung Galaxy S4 vs. HTC One: 5 Reasons to Choose the GS4
High school students still see ICT as ‘sitting at a computer all day’: survey
Does encryption really shield you from government's prying eyes?
Solving the skills conundrum – part 1
"How many of the Fortune 500 companies have access to PRISM? https://en.wikipedia.org/wiki/Industrial_espionage ..."Australia suspected to have PRISM data: Ludlam
Power of Three: Building Mobile Initiatives Guided by Business Goals, Technology and Governance
The use of powerful mobile devices has become so widespread industry leaders in almost every sector have embraced mobility solutions as central elements of their IT and business operations. As mobile budgets grow, so does the influence of business units on mobility strategy. Read on.
Hybrid IT Service Management: A Requirement for Virtualisation and Cloud Computing
When competition is tough and resources are limited, corporate leaders are depending on growing their existing capabilities in order to grow their business. Information technology can be a unique catalyst for business growth, delivering a competitive advantage when creatively applied to established and emerging problems. Read more on what trends are accelerating the value of IT.
Securing the Promise of Virtualisation
For today’s enterprise, this whitepaper identifies three general areas of risk associated with risk; those that are traditionally areas of risk, the hazards that are exclusive to virtualisation and the more recent set of risks that are associated with newly formed hybrid environments. Read more to find out how to keep pace with evolving threats, quicker provisioning and dynamically mobile workloads.