It's become one of the more interesting questions bandied about by the IT and information security community in
2010: Should you support enterprise iPads? Or are they too much of a compliance risk?
The dilemma is all over the headlines I read, and in virtually all the security assessment projects I see. A lot of people are trying to determine how to handle these lovely little tablet computers that can be an oh-so powerful productivity tool and oh-so neat. But when it comes to compliance risks, enterprise iPads can also be oh-so dangerous to the business.
The problem is iPads are not enterprise-level computing devices. I'm no Apple guru but from what I've seen, the iPad is really just a glorified iPod Touch. It provides wireless network access, tons of storage and lots of bells and whistles that sales reps, developers and executives alike swear by in the name of a "productivity" tool. The problem is, people are ignoring the consequences of their decisions -- or their lack of decision making -- when it comes to allowing these devices to gain access to the enterprise network.
Enterprise iPads coming in and out of a corporate environment introduce security and compliance risks that most businesses are not prepared to take on. The two biggest risks are intellectual property losses and data breaches, which can be brought on by malware infections, traffic being captured over unsecured wireless networks, and lost or stolen devices. There are also indirect risks related to the increasing number of cloud applications users have at their disposal for backing up and synchronizing such mobile devices.
One must also consider the security policies that are violated by allowing enterprise iPads and related mobile systems onto the network. The reality is that all the capabilities that make the iPad great are outside the direct control of IT security staffs. So much for practicing consistent information risk management and compliance across the business.
Looking at the bigger picture, iPads aren't much different from what Palm personal digital assistants were a few years ago. Nor are they much different from BlackBerrys, iPhones and other smartphones in widespread use in enterprises today. The iPad is simply the latest and greatest mobile computing device that needs to be secured like anything else. What really makes the iPad different is the "wow factor," and that doesn't have much to do with security threats.
The iPad is just the latest mobile computing device that needs to be secured like anything else. What makes the iPad different is the 'wow factor.'
There are only a few tools available for managing and securing enterprise iPads enterprise-wide, but that is changing. For instance, Good for Enterprise – iPhone is an established product that provides an array of security-related features for enterprise iPads, as does startup Mobile Active Defense.
Perhaps Apple will eventually build more security-related features into the iPad, but I wouldn't hold my breath. If a centrally managed solution is not viable in your business, but users still insist on bringing their iPads to work, one option would be to provide a separate guest network that doesn't provide any internal network access via Wi-Fi or a virtual private network. You will still have the data leakage issue to contend with, but at least it's a start.
There's no great solution to the iPad-in-the-enterprise dilemma, but one thing is for sure: If you're going to gain the necessary visibility and control needed to minimize security and compliance risks related to enterprise iPads, you're going to have to take action. You can harden enterprise iPads using your security standards, centrally control them, monitor them, patch them and so on. In short, the business needs to take control.
Enterprise iPads are here to stay and the situation is only going to become more complex. It's up to you and your leadership team to decide if they are going to continue being a threat to the business or if they can be a viable business productivity tool users can bank on.
Kevin Beaver is an information security consultant and expert witness, as well as a seminar leader and keynote speaker at Atlanta-based Principle Logic LLC. With more than 21 years of experience in the industry, Beaver specializes in performing independent security assessments revolving around information risk management. He has authored/co-authored eight books on information security, including The Practical Guide to HIPAA Privacy and Security Compliance and the newly updated Hacking For Dummies, Third Edition.