Thursday, January 28, 2010

Apple iPad: Security Considerations

Now all the brouhaha surrounding the new Apple iPad has passed, let's take a more considered look at this device: world changer, or solution looking for a problem?

Many people have erroneously stated that the iPad is a product with no market because the netbook already covers that gap between smartphone and laptop perfectly adequately, and thus - as a device with a "proper keyboard", is superior to the iPad.

They are missing the point.

In his presentation, Jobs stated that in order for this new device to have a reason for being, it would have to outperform either (or both) the smartphone or the laptop in seven key areas:

Browsing

E-mail

Photos (sharing/viewing)

Video

Music

Games

eBooks

The netbook can do all of this, but does none of them better than a laptop. A netbook is, after all, just a small laptop, and exists purely because it offers a lower price point.

The iPad, however, scores at least 4 or 5 out of 7 (I am not convinced it can do either music or iPhone-type games better than the iPhone, nor e-mail better than a laptop), which is enough to give it a pretty significant potential market.

Yes it has some perceived "problems": strange screen aspect ratio; no GPS; no camera (think video conferencing, not photo taking); and, above all, no multi-tasking (that in is a REAL shame). But despite all of that, it is still the proverbial game changer.

Once you factor in the ability to use the new iWork apps to do some serious word processing, spreadsheet or presentation work, you have a serious contender for Travelling Companion of the Year for most corporate road warriors.

Let's face it, unless you are doing some serious keyboard/mouse work or need some significant screen real-estate, there is not much reason to choose a 6lb laptop over a 1.5lb iPad. And even the keyboard issue could be resolved with the addition of the keyboard dock accessory.

And herein lies the potential problem for the corporate security guys. In creating the perfect road warrior machine for the mobile workforce, Apple has created a repository for gigabytes of sensitive corporate data without any apparent way to a) secure it or b) remote-wipe it should the machine be lost or (more likely given its initial highly desirable status!) stolen.

It took some time for Apple to offer a nod to the security world with the iPhone and include the sort of features that meant at least the CSO wasn't tearing his hair out every time an employee turned up to work with one. These included both encryption and remote wipe capabilities, but no mention was made of these during the iPad launch.

The reason for that is probably that, if they work at all, they wouldn't be very effective in a device like this. The remote wipe capability, for example, relies on the iPhone being connected to a cellular network. Unfortunately, the vast majority of iPads will probably be sold with no 3G capability, thus eliminating this feature (not that removing the SIM card wouldn't have the same effect, of course!)

Does the iPad offer device-wide encryption for all user documents? There was no mention of this, and the iPhone's encryption mechanism proved fairly straightforward to bypass by anyone with a modicum of hacking knowledge anyway.

Whereas the iPhone was never likely to be used to store gigabytes of corporate data, however, the iPad is designed for just that. And the use of basic office productivity applications means that some means of quickly and easily getting the documents on and off the device is required. A quick look through the new SDK reveals that it will be achieved by making those documents available via a mountable share - a far cry from the current situation where applications and their data are sandboxed.

How well that mechanism will be protected (if at all) remains to be seen. But one thing is for sure - in the next 60 days the CSO/CISO is going to have to put some thought into how this latest creation from the boys in Cupertino is going to fit into his corporate security policy.