Thursday, July 21, 2011

How Will You Manage iOS5 Devices in Your Corporate Network?

I have taken a significant number of inquiries recently from NSS Labs’ enterprise clients to discuss the increase in the level of demand for employee-owned devices to be used on corporate networks. One of the disturbing trends is the number of CIOs admitting that end users are connecting those devices to the enterprise network with or without permission. Where security requirements and risk profiles permit, many organizations would be better advised to accommodate and control this behavior rather than attempt to prohibit it.

In the past, it has been possible to enforce centralized control over mobile devices, and many companies standardized on single-vendor solutions such as the BlackBerry Enterprise Server (BES) from Research In Motion (RIM). Users do not typically select BlackBerry devices for personal use, however, and are bringing increasing pressure to bear on IT departments to permit access to corporate resources from a single device – their own.

In many cases, employees will discover for themselves how to configure their personal mobile devices for corporate access, leaving IT departments with a dilemma – locate and prohibit unauthorized access, potentially limiting employee productivity in the process, or embrace the consumerization trend and find a way to manage and secure access via personal devices.

IT departments need to exercise control over smartphone and tablet devices, whether company-owned or employee-owned. Employees are typically reluctant to cede control of their personal devices to IT. However, the added benefit of being able to access corporate resources such as email and file shares is frequently enough to persuade them to submit to some degree of centralized management.

With the release of iOS version 4, iOS devices such as iPhone, iPod Touch and iPad can be more effectively deployed, managed and secured in enterprise environments, provided that sufficient care is taken over securing the data on these devices and enforcing suitable corporate security policies. iOS5 will allow us to take things a step further, particularly given its ability to enable mobile devices to exist without being connected to iTunes (previously a huge bugbear for many organizations worried about deploying consumer-grade software in an enterprise network).

One caveat here is that this move to a completely untethered, over-the-air (OTA) scenario for deployment of the OS, updates, device activation, backup/restore, and even day-to-day synchronization may well introduce new attack vectors.

Business customers also need to realize that Apple continues to consider itself primarily a consumer company. It retains no sizeable enterprise sales force, offers no specific enterprise-level support (forcing enterprise customers to rely on third parties), and refuses to communicate road map details outside of the company. Organizations need to consider these issues as part of their evaluations of iOS devices for enterprise applications. One glimmer of hope is that the recent introduction of Apple’s B2B App Store program permitting volume purchasing of apps (though not yet volume discounting!) may mark the beginning of an increasingly enterprise-friendly Apple. Well, we can hope!

NSS Labs has recently published an Analysis Brief covering iOS management and security issues in more detail, entitled Managing iOS Devices Securely in the Corporate Network (subscription required).

I also have an Analysis Brief in production right now for our subscribers that will address the Data Protection capabilities in iOS4 and iOS5, and how they should be used to protect sensitive corporate data. Follow me on Twitter (@bwalder) to keep informed as new research is released.