The tablet is becoming a favourite electronic companion for users, and that’s what scares some IT security people....
They see tablets proliferating outside of their control, being used to access work applications as well as untested apps downloaded from the Internet.
Lost or stolen tablets may also hold confidential corporate information, or provide thieves with the chance to access corporate accounts, but are fears about tablet security issues justified?
Established security policies should suffice
According to Jamie Marshall, head of IT solutions at Equanet, a systems integrator located in Bury and owned by Dixons Retail, much of the anxiety over tablets is misplaced. “There is a preconception that because these devices are so usable, and always on, they are inherently insecure. But once people understand how security works on tablets, they don’t see it as a problem,” Marshall said.
It's irrelevant if it is your own device.
If users are accessing corporate data, the rules
the corporate policies.
BT Global Services
Marshall argued the iPad’s on-board encryption, for instance, makes it very secure. “All you need to do as a corporation is enforce a strong passcode policy on users. If the device is lost, other people can’t get into it, and you can do a remote wipe.”
Enforcing policies on tablets, however, can be complicated because the different platforms work in different ways. The task can be eased by using a mobile device management (MDM) system, which allows administrators to set policy and apply that policy across multiple device platforms. Equanet uses Airwatch for its own staff; other MDM vendors include Good Technology, MobileIron and Sybase.
Marshall said if companies issue devices to employees, they have a clear right to enforce their security policies, but if users are allowed to connect their own equipment, control may be harder to achieve.
However, even when the device is user-owned, Marshall still advises bringing it under MDM control so strong passcodes can be enforced. “You should also make users aware that if they use the device for work and they decide to leave, you have the ability to wipe it. That needs to be done by agreement,” he said.
Worrisome tablet security issues
Some people are less sanguine about the threat posed by tablets. “Tablets are still relatively immature as a technology,” said Phil Robinson, a director at London-based consultancy Digital Assurance. “They don’t have as many patches and updates, and the update cycle is not as frequent as for Windows. Also, the user has a high level of privilege on the device.”
Rob Newburn, head of information security at York-based Trustmarque Solutions, agreed. “A lot of these devices were never designed for business,” he said. While mobile viruses are still a small threat to tablets, he added, the biggest threats for tablets are data leakage and loss of productivity.
Ian Kilpatrick, chairman of Woking-based security product distributor Wick Hill Group, compares the current situation with that of remotely connected laptops 10 years ago. “Just as when we first got the laptop PC, the application drives the operation, and then security follows behind and tries to tidy up,” he said. “Some companies have implemented a bit of security, but they don’t have a coordinated policy and therefore can’t manage the whole problem. They give employees access to the network so they can read their email, and then employees use that access to get to other systems.”
Charting a course for tablet security
Everyone seems to agree that tablets – in all their different flavours – are here to stay and will have to be supported eventually. The worst a company can do is ignore the trend, because that will only encourage the introduction of tablets by the back door, said Ray Stanton, VP professional services at London-based BT Global Services.
“If the policy is to allow tablet use, then introduce the same security policies and enforcement as you would on a laptop computer,” he said. “It's irrelevant if it is your own device. If users are accessing corporate data, the rules revert to the corporate policies, irrespective of what they have accessed it from.”
Some major companies are managing to combine the delicate balance between freedom of use, and tight control of data. For example, networking giant Cisco initiated a Bring Your Own Device (BYOD) policy back in 2009, and according to the company’s UK CTO Ian Foddering, uptake has been enthusiastic around the world.
More than 17,000 Cisco employees use their own smartphones for work, and Cisco is seeing 400 new iPads added each month by employees who prefer to use their own device than the company-issued laptop. Users registering their equipment download a VPN client for connecting with corporate data, and they must also sign a disclaimer that allows Cisco to wipe the machine remotely if it is lost or compromised.
Furthermore, users have to support themselves, so all technical problems are sorted out between users in an online forum. “We’ve seen a 20% decrease in the number of help desk cases, because of self-support,” Foddering said.
It is clear the old locked-down, standard-build approach to mobile devices is fast becoming outdated. This is a new and fast moving industry; the iPad’s European launch was only 18 months ago, in May 2010. Both Apple and Google are working to make their products easier to manage and secure, and technology vendors are rushing to provide ways of managing the new devices.
In the meantime, security people will just have to do the best they can. “These devices have come on to the market very quickly, and with relative disregard for security. Now there’s a risk users will bring that disregard into the workplace. “We have to go through an education process with users,” said Newburn of Trustmarque Solutions. “It’s a basic security decision. If the risks outweigh the business benefits, don’t allow it. If the benefits outweigh the risks and you can mitigate them to an acceptable level, then go ahead and embrace tablets.”