When Apple Inc.'s iPad launched in the U.S. April 5, it drew huge attention and clocked up 300,000 sales. The touch-screen computer goes on sale in the U.K. May 28, and is predicted to generate a similar level of excitement.
The iPad is sold primarily as a consumer product, but some organisations are already considering supplying it to staff. Cambridge City Council, for example, announced that it would provide 42 councillors with iPads, to be paid for out of its climate-change budget on the basis that it would save them from carrying paper documents.
But should organisations be so ready to attach iPads and other similar devices to their networks when the products have not been designed for the business world from the start?
The iPad is, of course, part of a much broader problem caused by the proliferation of powerful non-traditional mobile devices such as the BlackBerry, iPhone, Android and other devices running Windows Mobile or Symbian operating systems.
Smartphones and PDAs are no longer just 'phones' but fully featured computers with impressive processing and storage capacity. Unlike laptops, which most often come with a Windows-based operating system that makes them fairly easy to manage, the new breed of mobile devices come with a dazzling range of operating systems and functions.
So should organisations embrace new devices such as the iPad, or try to block them? Here are a few guidelines for smartphone and Apple iPad security contributed from a broad spectrum of industry experts.
Apple iPad security: No time to waste
Data and computing on the move is here to stay. Within a month of its launch the iPad had made more than a million sales. There are now more than 50 million iPhones around the world. According to mobile data market statistics from U.S.-based Chetan Sharma Consulting, 2009 marked the year when monthly mobile device data traffic overtook mobile voice traffic.
Users will increasingly carry powerful mobile devices capable of holding and transmitting large amounts of data. "Unless you pat people down as they come through the door, all these different devices are going to find their way into the company, and so potentially into your IT infrastructure," said Keith Crosley, a director at California-based email security vendor Proofpoint Inc.
David Cowan, head of security for London-based consultants Plan-Net plc, said companies have a lot of work to do.
"Not a lot of companies yet have a policy that extends to mobile devices," Cowan said. "This is partly due to the cost of implementing endpoint security across the board. But more companies have started to realise that they need to encrypt laptops, and that is a good start.
"We've come across maybe half a dozen companies that have implemented some form of port control on laptops, and full disk encryption," Cowan added, "but for a lot of other companies it is a gaping hole in their security."
The expense of implementing sophisticated endpoint controls is holding many companies back. Cowan said securing 100 users could easily cost an extra £10,000 once consultancy costs are included.
In the meantime his advice is simple: "It's probably best not to allow non-conforming devices on your network, and then enforce the policy with tools. Then if someone tries to circumvent the policy, you know about it by logging and reporting. That way, you can discipline them and prevent them from taking information out."
Assess the risk
Paul Hanley of Deloitte LLP's security and privacy team said that security controls need to be in line with the risks. For instance, organizations must decide if users will be able to load confidential information onto their devices.
"Sometimes controls will involve implementing additional security software on the device; other times it could be simple security awareness for all employees," Hanley said.
According to Nick Lowe, head of sales for Check Point Software Technologies Ltd. in Western Europe, the first step is to assess the size of the problem.
"If an IT team doesn't know that smartphones are being used, or what they are being used for, that's the real risk," Lowe said. "IT teams need to audit the usage of smartphones in their organisations -- that is all mobile devices, not just official work devices."
He suggested setting up a device identification programme that works like a gun amnesty program; the goal is to educate users about the security risks of their action and get them to own up to what they are doing without consequences, and then decide whether to allow them to continue. The IT team can then get users either to bring their personal smartphones in to IT for protection (such as encryption and antimalware) to be added, or take steps to issue "work" devices and stop the use of personal devices, according to requirements.
In effect, Lowe said, companies need to step in to protect users from themselves and ensure that mobile device security is always applied according to company policies.
Apply basic security
Crowley, Cowan, Hanley and Lowe also suggested the following:
- Ensure there is a PIN to enforce user authentication before use, and that the PIN cannot be bypassed.
- Implement timeouts so when a device is left unattended, it locks. Also ensure that passwords are used, are complex and ensure that users are locked out after a number of retries.
- If devices connect to the corporate organisation to synchronise contacts, email and calendar, ensure the communication is encrypted and there is client and server authentication.
- Check if antivirus software and a personal firewall are required on the device. Is there signature checking of code by the operating system to prevent rogue programs from running?
- Could the corporate device you provide be connected (e.g. via ActiveSync) to a home computer, or could a user connect a non-approved device to the organisation's servers or desktops? Consider whether this should be allowed or controlled. Some data leakage prevention products can now help manage this centrally.
- Ensure there a facility for remote wiping of devices if they are lost or stolen.
- Finally update acceptable usage policies for smartphones, iPads and other devices, making sure they include what they should and shouldn't be used for, procedures for reporting lost or stolen devices and consequences for not abiding by the policies.