Friday, December 17, 2010

How to Secure the Corporate Data on Your iPad or iPhone

A recent survey of CIOs showed that 85% had received requests for Apple iPhones, iPods or iPads to be used in the enterprise, and that almost 75% had found that end users were connecting those devices to the enterprise network with or without permission.

This push towards using employee-owned devices from the bottom of the organization has been matched by the push to use iPads in particular from board-level executives, and IT security professionals are being squeezed in the middle, forced to support devices which were never designed for enterprise use and which offer unique challenges to secure, deploy and manage effectively.

Given the popularity of the iPad among executives, it was important that Apple made significant improvements to make its devices more enterprise-friendly, and this it attempted to do with a raft of new features in iOS4. Alongside new management capabilities came improved data protection, making iOS4 devices far more secure and more straightforward to manage than their predecessors.

However, there remains some confusion between "encryption" and "Data Protection," as used by Apple when referencing its latest security capabilities in iOS 4. Apple has created a framework for Data Protection that goes far beyond previous encryption capabilities and addresses many of the prevailing data security concerns. Encryption was introduced in iOS 3 and is "always on," but even when the device passcode is set it does not prevent files from being accessible in the clear under certain circumstances.

Though additional file-level encryption is available under the new Data Protection capabilities in iOS 4, the default state of data on an iPhone or iPad is "always available" to preserve backward compatibility, and sensitive data stored on iOS devices remains unprotected in many cases.

Of the Apple applications, only Mail supports full data encryption right now, and few third-party software developers have implemented the Data Protection APIs. Therefore, sensitive corporate data can be at risk if an iOS device is compromised.

A brand new Analysis Brief is in the pipeline covering iOS5, asking how secure Apple's new Data Protection capabilities are, and providing actionable advice on securing corporate data on iOS4 devices.

Follow me on Twitter (@bwalder) to be kept informed of new research.

No comments: