iPhone Enterprise Security – Peeling Back the Onion
by Dan Dearing on 18/05/09 at 8:53 pm
Dan Dearing is the Vice President of Marketing & Product Management for Trust Digital and contributing editor for iPhoneCTO.
Over the past several months, many IT vendors have announced support for the iPhone, giving many CIOs the confidence they need to endorse the device. Osterman Research recently determined the iPhone is getting traction in corporate America, news that was highlighted in a recent iPhoneCTO posting. Their study revealed that “not only did 20% of companies support iPhones in 2008, but 44% would offer support in 09.” It seems that CIOs are warming to the iPhone because vendors are addressing concerns in the enterprise.
Some of the CIO's concerns revolve around the lack of IT tools to secure and manage the iPhone. Vendors are responding quickly with IT essentials such as remote wipe, device encryption and over-the-air installation. While this may soothe the CIO's nerves, it creates stress within IT teams as they sort out the truths of implementation.
Traditionally, the CIO has relied on device management specialists and email sync vendors to support non-BlackBerry smartphone deployments. The difference in how these two vendor types support the iPhone is probably best illustrated by their approach to device loss protection. Many believe that protecting a smartphone against loss requires three essential security features: device lock, remote wipe and data-at-rest (DAR) encryption. Consider the following examples, by vendor type:
ISVs and email Sync Vendors
It does not look like Apple will provide DAR encryption any time soon. To meet the needs of the CIO, some application ISVs and email sync vendors are taking matters into their own hands by encrypting their own application data; this is known as sandbox encryption. The security essentials are centred on the sandbox: a PIN or passcode is required to access the sandbox, and the wipe feature wipes only that particular application's data. This is incomplete from a security perspective, since whoever finds the lost iPhone can still read any information on the device outside the sandbox, and can continue to reach the corporate network through whatever email accounts, VPN settings or credentials are configured outside it.
Device Management Vendors
A device management vendor's approach to the iPhone is device-centric and encompasses all data on the device. Normally, DAR encryption works hand in hand with device lock (i.e. a PIN or passcode) and device wipe to protect the entire device. Apple has complicated matters by preventing full flash encryption on the iPhone. But do you really need it if the iPhone is locked and the applications and device data are inaccessible? The argument runs: as long as the PIN cannot be bypassed, DAR encryption is not necessary, because the iPhone does not support SD cards or other removable media, which are commonly used to bypass the PIN on other platforms. The caveat is in that premise. A passcode lock on unencrypted storage is a software control: it stops a casual finder, but anyone who can read the flash directly, for instance by booting the device into a mode that does not enforce the lock or by removing the storage itself, gets the data without ever facing the lock screen, so the lock is worth exactly as much as the difficulty of such a bypass. Even without encryption, this approach still provides broader protection than the sandbox approach, since it locks the entire device and wipes all of its data when lost, but it should not be mistaken for DAR encryption.
In this brief posting we’ve used device loss protection to illustrate how different vendors support the iPhone. To truly support the iPhone in an enterprise environment requires a well-rounded set of device management and security capabilities. The following questions are just a few that IT should consider when evaluating the best solution for their organization:
1. Do you need to secure more than a specific application, or ‘sandbox’, on your iPhone?
2. If your device is lost or stolen, what data is accessible to the finder, and what are the risks of it being available?
3. How critical is it to secure access to the corporate network under a PIN passcode?
4. How will users easily and securely connect the iPhone they’ve purchased at the Apple Store with your enterprise network? And are you able to easily help troubleshoot if necessary?
The questions above will help the IT teams sort out the truths of implementation and ‘peel back the onion’ on what an IT vendor means when they say “We support the iPhone.”
