Friday, December 17, 2010

How to Secure the Corporate Data on Your iPad or iPhone

A recent survey of CIOs showed that 85% had received requests for Apple iPhones, iPods or iPads to be used in the enterprise, and that almost 75% had found that end users were connecting those devices to the enterprise network with or without permission.

This push towards using employee-owned devices from the bottom of the organization has been matched by a push from board-level executives to use iPads in particular. IT security professionals are squeezed in the middle, forced to support devices that were never designed for enterprise use and that present unique challenges to secure, deploy and manage effectively.

Given the popularity of the iPad among executives, it was important for Apple to make its devices more enterprise-friendly, and this it attempted to do with a raft of new features in iOS 4. Alongside new management capabilities came improved data protection, making iOS 4 devices far more secure and more straightforward to manage than their predecessors.

However, there remains some confusion between "encryption" and "Data Protection," as used by Apple when referencing its latest security capabilities in iOS 4. Apple has created a framework for Data Protection that goes far beyond previous encryption capabilities and addresses many of the prevailing data security concerns. Hardware encryption of the file system was introduced in iOS 3 and is "always on," but its key is not tied to the device passcode: the file system is decrypted whenever the device is powered on, so setting a passcode does not stop files from being read in the clear by anyone who can get code running on the device or read its storage.

Though additional file-level encryption keyed to the passcode is available under the new Data Protection capabilities in iOS 4, the default protection class for a file is "always available" (NSFileProtectionNone) to preserve backward compatibility, so sensitive data stored on iOS devices remains unprotected in many cases. Data Protection also does nothing without a passcode: with no passcode set, every protection class behaves like "always available."

Of Apple's own applications, only Mail currently stores its data under Data Protection, and few third-party software developers have adopted the Data Protection APIs (for example, writing files with the NSFileProtectionComplete attribute). Sensitive corporate data can therefore be at risk if an iOS device is lost or compromised.
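As an added example (not code from the original post or from Apple), here is how a third-party iOS 4 app opts a file into Data Protection, with the default "always available" write shown beside the protected one, plus a read-back check an audit can use. The file name corporate-notes.dat and the function names are hypothetical, and the code assumes a device with a passcode set, since without one every class behaves like NSFileProtectionNone.

```objective-c
// Added example: iOS 4 Data Protection for a third-party app's own files.
// Not from the original post; file name and function names are hypothetical.
#import <Foundation/Foundation.h>

// Path under the app's Documents directory (hypothetical file name).
static NSString *CorporateNotesPath(void) {
    NSArray *dirs = NSSearchPathForDirectoriesInDomains(NSDocumentDirectory,
                                                        NSUserDomainMask, YES);
    return [[dirs lastObject] stringByAppendingPathComponent:@"corporate-notes.dat"];
}

// Before: the default. No protection class is requested, so the file ends up
// as NSFileProtectionNone and is readable whenever the device is powered on,
// passcode or not. This is what most apps do today.
BOOL WriteUnprotected(NSData *payload, NSError **error) {
    return [payload writeToFile:CorporateNotesPath()
                        options:NSDataWritingAtomic
                          error:error];
}

// After: request NSFileProtectionComplete at write time. The file's key is
// protected by a key derived from the user's passcode, which iOS discards on
// lock, so the contents cannot be read (even by this app) while the device
// is locked. Requires a passcode to be set on the device.
BOOL WriteProtected(NSData *payload, NSError **error) {
    return [payload writeToFile:CorporateNotesPath()
                        options:NSDataWritingAtomic | NSDataWritingFileProtectionComplete
                          error:error];
}

// Retrofit a file created by an older build of the app (or by any other
// code path that used the default) to the Complete class without rewriting
// its contents.
BOOL UpgradeProtection(NSString *path, NSError **error) {
    NSDictionary *attrs = [NSDictionary dictionaryWithObject:NSFileProtectionComplete
                                                      forKey:NSFileProtectionKey];
    return [[NSFileManager defaultManager] setAttributes:attrs
                                            ofItemAtPath:path
                                                   error:error];
}

// Check: read the protection class back so a test or audit can confirm the
// file is no longer "always available". A missing attribute means the file
// has no Data Protection, which is the same as NSFileProtectionNone.
NSString *ProtectionClassOfFile(NSString *path) {
    NSDictionary *attrs = [[NSFileManager defaultManager] attributesOfItemAtPath:path
                                                                            error:NULL];
    NSString *cls = [attrs objectForKey:NSFileProtectionKey];
    return cls ? cls : NSFileProtectionNone;
}

// Walk-through: write, upgrade, and verify. Returns YES only if the file
// ends up in the Complete class.
BOOL DemonstrateDataProtection(void) {
    NSError *error = nil;
    NSData *payload = [@"board minutes, Q4 (constructed sample)"
                       dataUsingEncoding:NSUTF8StringEncoding];

    if (!WriteUnprotected(payload, &error)) return NO;
    NSLog(@"default class: %@", ProtectionClassOfFile(CorporateNotesPath()));

    if (!UpgradeProtection(CorporateNotesPath(), &error)) return NO;
    NSLog(@"after upgrade: %@", ProtectionClassOfFile(CorporateNotesPath()));

    return [ProtectionClassOfFile(CorporateNotesPath())
            isEqualToString:NSFileProtectionComplete];
}
```

Two caveats a developer adopting this will hit: a file in the Complete class cannot be opened while the device is locked, so any background work that touches it must stop when the application delegate receives applicationProtectedDataWillBecomeUnavailable: and resume on applicationProtectedDataDidBecomeAvailable:; and the same "always available by default" problem applies to credentials, which belong in the Keychain with an explicit kSecAttrAccessible class such as kSecAttrAccessibleWhenUnlocked rather than in a file at all.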

A brand new Analysis Brief is in the pipeline covering iOS 4, asking how secure Apple's new Data Protection capabilities are, and providing actionable advice on securing corporate data on iOS 4 devices.

Follow me on Twitter (@bwalder) to be kept informed of new research.

Thursday, December 09, 2010

A Good Security Testing Plan Will Save Time and Money

Few enterprises in today's environment of highly constrained IT and security resources can afford to waste time and budget on network security products that exceed — or do not match — their requirements. While it is tempting to forge ahead in evaluating the biggest and fastest, hardware-accelerated, nuclear-powered "Next Generation" security toys, a well-designed testing plan may demonstrate that a lower level of performance is acceptable at certain points on the network, and this can reduce purchase and deployment costs.

An effective testing plan will enable the enterprise to select cost-effective security solutions that align with internal requirements for performance and system integration. The availability of advanced test tools enables a complete test lab to be created in a single rack of equipment, making it possible for almost any organization to perform in-house testing.

When embarking on a testing project, it is also important to decide in advance the eventual use case for the products being tested — a device intended for a branch office environment is unlikely to perform well if tested as an enterprise core product, for example.

In consulting independent test reports, be wary of those test houses that do not recognize the value of use-case testing. Look for those that either seek to certify a product against a particular use case, or that recommend one or more use cases based on the results of the test. A simple "pass/fail" result with no indication of a suitable use case renders a test worse than useless — even misleading.

We have an Analysis Brief in the pipeline that examines each of these issues in more depth and defines testing best practices that will save precious resources when evaluating complex security devices.

Follow me on Twitter (@bwalder) to be kept informed of new research.

Monday, December 06, 2010

Firesheep: Should CISOs Ban Employees From Using Unsecured Public Wireless Networks?

The release of the Firesheep plug-in for the Firefox browser has made it trivial for even unskilled attackers to hijack web sessions on unsecured public wireless networks: the plug-in passively captures the session cookies that sites such as Facebook and Twitter send over plain HTTP after login, and lets the attacker take over the victim's logged-in session with a single click.

Since attackers can use the tool to send messages and make posts on behalf of the victim, organizations using social networks for marketing, support or brand enhancement may suffer serious consequences as a result.

Chief information security officers (CISOs) need to make employees aware of the risks and provide them with the necessary tools to counter them, but should they be banning the use of unsecured wireless networks for any company-related communications?

This note (for subscribers only), entitled "What CIOs need to know about SSL and its effect on network traffic inspection capabilities" answers that question and provides action plans for both employees and software developers to combat the threat of session hijacking, in addition to covering how IT departments can balance the need for enhanced security with the need to inspect encrypted traffic on the corporate network.

Don't forget to follow me on Twitter (@bwalder) to be kept informed of new research.