Diana Kelley outlines the enterprise prospects of iOS and advises on encryption, authentication, and third-party solutions to enhance the security of the device.
Okay, so the big question here is: can we bring these devices into the enterprise, or do we have a choice? I am not sure, at least from the companies that I worked with and the customers of SecurityCurve, I am hearing back that most security professionals, most security teams no longer have a choice. This is something that we were told: “Here comes the iPhone, here comes the iPad, deal with it”. I think we’re gonna have to just deal with that and move forward.
So it depends though on the needs of the organization. Sometimes there are business needs, sometimes we forget there may be a really specific business need, and it may not be as secure as we want. But the business may need it to move forward. I don’t know if there is an application on the iPad that is mission critical for your business or not, but I can’t say there isn’t. But you can still make your own ‘My Big Retail Store’ app for your internal corporate use.
But again, this is root: jailbreaking gives you root control. So when we look at the controls for iOS, they depend on the user. And if the user doesn’t have complete control over the device, root does. So from the management perspective, there are reasons not to want jailbreaking.
Jailbreaking certainly opens up the device in a way that you don’t have it opened up otherwise. But your device is plenty open if it is not protected. So the iOS itself is kind of free and happy and open, and there are a lot of vulnerabilities, for example things like password protection. You need to enable that, either centrally or on the device itself, you have those options. If you don’t enable that you’re not gonna have password protection on the device. And to the point about – could somebody just get my device and then jailbreak it? Yes, they could.
So the password is going to help you with encrypting the data on your device. You have the ability to control that or not, and it’s native. You can do this with the device. I am going to show you how to actually turn that on. But you have to turn that on, or you’re not gonna have it. So the devices are not entirely secure on their own, but jailbreaking certainly opens up a lot of paths to other nefarious things that can be done to the phone that weren’t opened up otherwise.
Let’s talk about some positives on iOS (see image). It has built-in VPN clients that come with iOS. So for remote access, how many people allow remote access from just a regular laptop? Most of us. But how about from an iPad or an iPhone, are you requiring the VPN on that? I’ve got some Yes’s, I’ve got fewer Yes’s. But you can, you can turn on the VPN if that’s something that you want to do, it’s in there. And it does support Cisco IPSec and L2TP¹ over IPSec. SSL VPN clients – if you wanna do that, they’ve got Juniper and Cisco. Those are in the App Store, no need to jailbreak to get those, and again, it’s like setting up a VPN. So you can do that. This is going to increase the security. If you are going to start doing business from the iPad, this will help.
Now, a lot of us weren’t necessarily thinking about VPNs on iPhones, or even on iPods. Because these are great for watching movies on a plane, but you know what they are no fun to do on – type. So we just haven’t been typing a whole lot on these. So we’ve had the issues around, somebody downloaded it, they read the email, but iPads kicked it up a notch because now we got people typing a lot on these devices, and trying to do a lot of business on them. So that’s something to think about, and you can do it because there is the VPN encryption In Transit.
And then encryption At Rest, they do support AES² 256-bit encryption. Yes they do, but you have to turn it on. And that’s something that you’ve got to take the responsibility to do, and you can add the Passcode for the data protection.
So before this there were hacks, prior to iOS 4.2, that bypassed the unlock screen on the iPhone. There are probably gonna be hacks again. It’s always gonna be an arms race.
And if you have an application that doesn’t work with a native encryption API and doesn’t have any other level of encryption related to it, it wouldn’t be included in this. So with this native, you need to be linked-in, I mean connected to the API. You should always be careful because when I say stuff like that, people are like: “I heard somebody saying I need to join LinkedIn in order to get encryption”.
So some of the enterprise considerations about what you can do to protect. You can do a native Over-The-Air enrollment, you send users to a URL, where they authenticate. They then install a certificate onto their iOS device, whichever one it is. And then there’s gonna be an XML-based config profile (see image). This is native, this is supported with your iOS devices, so you don’t need to buy anything.
And there are MDMs, these are mobile device management solutions. They are commercial third-party solutions that you can buy to give you some additional support and protection on your machine. They work with devices other than iOS, so there are other alternatives, but I am sharing with you what you have got natively. So if the issue has been about having no money, these are gonna be native, these are available.
What can you control? A lot that actually really manages your security. Password-protecting – do it. I mean why would you not have that device password-protected? Because it is a pain to take it off, this is the big problem, especially on these devices. Who is good at typing on that little keyboard on there? I am constantly fat-fingering trying to get my password in. So you’re gonna get pushed back: “We don’t want to do the password, we don’t want to actually have it on there because it’s a pain to unlock it”. But it’s gonna give you some security.
But when the question comes up: “Is it ready for enterprise?” – it could be a lot stronger than we tend to deploy it in. So absolutely, you got to have a password policy. You can actually set whether you have a good password or a bad password, or a stronger password rather than a less strong password. You can lock out after a certain amount of failed logins. Because if you don’t lock out, what can happen is somebody’s gonna sit there. If you got a fairly weak password, maybe they will be able to figure it out at some point.
The VPN configurations, Wi-Fi settings: when you connect, what you can connect to. And then you can do some mail and calendar account settings as well.
For some centralized management, there is native support for EAS. I get some smiles when I mention Exchange ActiveSync. So it is a protocol, but it does work with Exchange. It’s actually a protocol that can be used for mobile device management, actually for other kinds of device management too, but it’s mostly in mobile. You do need to have Exchange Server for it, but it does give you some level of control. For those of you in an Exchange shop, this is on iOS; you can use this as well if you are in an Exchange shop.
You can also get certificate-based authentication back to the Exchange Server and remote wipe of the device. That’s pretty good. What happens if you lose the device and all the data that is on it? So you can set up the remote wipe. You can also wipe on password failures. If this is a highly sensitive device and it’s got a lot of highly sensitive data on there, this may be worth considering, because if you got somebody who has stolen it and is trying to unlock it, you can know for a fact it’s gonna actually wipe if they get it wrong. And you can do things like blocking the camera.
So the MDMs, there are third parties (see image). Why would you want this over the native stuff I was just talking about? In general, it is because you have a heterogeneous company. You may have just iOS there, but most companies have to deal with Android. In fact, Android is growing very, very quickly. It’s growing faster than iOS at this point. So if you got to manage a whole bunch of different types of platforms in your mobile world, then you are probably going to want to branch out a little from the native stuff.
So what can you get if you get these third parties? Many of them are now operational as well as security oriented. And I think if you are wasting money, that’s a risk. So operational actually has, I think, a real security component, which is what if your quality of service isn’t up to speed with your provider? So some of these MDM solutions can look at things like how many dropped calls you are getting. Like the Verizon Wireless: “Oh, our house has been in a dead zone for years”. You can say: “Look, you said I was covered here and I am not”.
So you can have that kind of reporting with these tools. This is another reason to think about spending the extra money to get an actual management tool rather than just going forward with what’s native. So some of the vendors in this space, we’ve got Motorola Good, now it is Visto; also Sybase Afaria; also TrustDigital; and then Zenprise as another option for MDM solutions. So you can manage these devices centrally. That’s not a reason to say that they are not enterprise ready.
1 – L2TP (Layer 2 Tunneling Protocol) is a tunneling protocol used to support virtual private networks (VPNs) or as part of the delivery of services by ISPs. It does not provide any encryption or confidentiality by itself, relying on an encryption protocol that it passes within the tunnel to provide privacy.
2 – AES (Advanced Encryption Standard) is a specification for the encryption of electronic data. The algorithm described by AES is a symmetric-key algorithm, meaning the same key is used for both encrypting and decrypting the data.
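The over-the-air enrollment, XML configuration profile and passcode controls described in the talk (password quality, lockout after failed logins, wipe on passcode failures) all map onto one passcode-policy payload inside an iOS configuration profile. The Python below is an added example written for this page, not code from the talk or from Apple: it builds a weak and a hardened passcode policy with the standard library's plistlib and then audits the serialised profile the way a reviewer would before pushing it to devices. The payload type and key names are Apple's documented ones for this payload; the profile identifiers, the audit thresholds and the function names are assumptions chosen for illustration, and both sample profiles are constructed here.

```python
"""Build and audit an iOS configuration profile (.mobileconfig) passcode policy.

Added example for this page, not code from the talk or from Apple. The payload
type and key names are Apple's documented ones for the passcode-policy payload;
identifiers, thresholds and sample values are assumptions for illustration.
"""
import plistlib
import uuid

PASSCODE_PAYLOAD_TYPE = "com.apple.mobiledevice.passwordpolicy"


def passcode_payload(min_length, require_alphanumeric, allow_simple,
                     max_failed_attempts=None, max_inactivity=None,
                     identifier="com.example.mdm.passcode.policy"):
    """One passcode-policy payload. maxFailedAttempts is the number of wrong
    passcodes allowed before the device wipes; maxInactivity is the minutes of
    idle time before auto-lock. Keys left as None are omitted from the payload,
    which is what a carelessly built profile usually looks like."""
    payload = {
        "PayloadType": PASSCODE_PAYLOAD_TYPE,
        "PayloadVersion": 1,
        "PayloadIdentifier": identifier,          # assumed identifier
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Passcode policy",
        "forcePIN": True,                         # require a passcode at all
        "minLength": min_length,
        "requireAlphanumeric": require_alphanumeric,
        "allowSimple": allow_simple,              # repeated/sequential digits
        "maxFailedAttempts": max_failed_attempts,
        "maxInactivity": max_inactivity,
    }
    return {k: v for k, v in payload.items() if v is not None}


def build_profile(payloads, identifier="com.example.mdm.passcode"):
    """Wrap payloads in a top-level profile and serialise to XML plist bytes,
    the form a .mobileconfig takes when it is delivered over the air."""
    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": identifier,          # assumed identifier
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Example passcode profile",
        "PayloadContent": list(payloads),
    }
    return plistlib.dumps(profile)


def audit_profile(profile_bytes, min_length=6, max_failed=10, max_inactivity=5):
    """Parse a profile and report weak or missing passcode settings.
    The thresholds are assumed organisational minimums, not Apple defaults."""
    profile = plistlib.loads(profile_bytes)
    policies = [p for p in profile.get("PayloadContent", [])
                if p.get("PayloadType") == PASSCODE_PAYLOAD_TYPE]
    if not policies:
        return ["no passcode policy payload: a passcode is not enforced at all"]
    findings = []
    for p in policies:
        if not p.get("forcePIN", False):
            findings.append("forcePIN is off: passcode remains optional")
        if p.get("minLength", 0) < min_length:
            findings.append(f"minLength {p.get('minLength', 0)} is below {min_length}")
        if p.get("allowSimple", True):            # Apple's default is True
            findings.append("allowSimple is on: 1111 or 1234 are accepted")
        if not p.get("requireAlphanumeric", False):
            findings.append("requireAlphanumeric is off: numeric-only PINs accepted")
        attempts = p.get("maxFailedAttempts")
        if attempts is None or attempts > max_failed:
            findings.append("maxFailedAttempts missing or too high: no wipe on repeated bad unlocks")
        idle = p.get("maxInactivity")
        if idle is None or idle > max_inactivity:
            findings.append("maxInactivity missing or too high: device stays unlocked when idle")
    return findings


# Constructed sample profiles: the weak one mirrors a bare 4-digit PIN setup,
# the hardened one applies the talk's advice on password quality and lockout.
WEAK_PROFILE = build_profile([passcode_payload(
    min_length=4, require_alphanumeric=False, allow_simple=True)])
HARDENED_PROFILE = build_profile([passcode_payload(
    min_length=8, require_alphanumeric=True, allow_simple=False,
    max_failed_attempts=10, max_inactivity=2)])

if __name__ == "__main__":
    for name, profile in (("weak", WEAK_PROFILE), ("hardened", HARDENED_PROFILE)):
        print(name, audit_profile(profile) or ["ok"])
```

Running the block prints six findings for the weak profile (short numeric PIN, simple sequences allowed, no failed-attempt wipe, no auto-lock) and "ok" for the hardened one. The same audit can be pointed at a profile exported from an MDM or from the Exchange ActiveSync policy translation before it is rolled out, which is the check worth doing whenever someone argues the passcode is "too much of a pain" and quietly weakens the policy.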