iPad security for the enterprise still subject to debate

Some analysts say the iPad deserves an 'F' for security readiness for financial services companies and other federally regulated industries

Whether the iPad is secure enough for enterprise uses is debatable, based on a survey of several analysts and experts.

Some analysts say that with tougher data protection laws, such as one that recently took effect in Massachusetts, the iPad deserves an "F" for security readiness for financial services companies and other federally regulated industries.


But that view contrasts with the opinion of other security professionals who give the iPad a "B" grade for overall enterprise readiness. One of them, Wolfgang Kandek, CTO for security firm Qualys, predicted today that "the iPad will make its inroad into the enterprise just by force of users, and it's going to be a really interesting conundrum for IT managers. I don't think the iPad is ready today, but it will make its way into the enterprise even as it clashes with the typical enterprise IT mentality."

The iPad will come crashing into the enterprise in the hands of average workers, the same way the iPhone did, Forrester Research analyst Ted Schadler said in an earlier blog.

Some information about iPad's security features is apparently not well-known, leading to more suspicions than the device deserves. Some industry analysts interviewed today were unaware that the iPad ships with a native IPSec VPN from Cisco Systems. One analyst said there is wide speculation on the Web that a third-party VPN would not be supported, calling into question whether data transmissions would be secure.

However, the Cisco IPSec VPN can be found in the iPad, along with a section for configuring L2TP and PPTP VPNs. All three are located under the settings icon and then under "networks," and likely require information from system administrators to be fully configured.

Even with the VPN for creating a tunnel to send data securely from place to place, analyst Jack Gold of J. Gold Associates questioned whether encryption of data stored on the iPad would be protected from hackers. Gold said some experts have demonstrated the ability to hack certain versions of the iPhone, which contains earlier versions of the OS used in the iPad, and also provides data encryption.

"Some of that encryption can be worked around, which means the iPad gets an 'F' from any regulated corporation that must protect data," Gold said.

Gold said IT managers may be unaware of the stiff new Massachusetts data protection law that affects businesses working in the state and requires encryption of data on all kinds of devices. Perhaps the iPad's encryption would be sufficient to meet the conditions of the new law, but Gold said the iPad's vulnerability to the same kind of hacks used to penetrate the iPhone suggests otherwise.

Regarding that related iPhone security, Gartner released a research note in February stating that early versions of the iPhone were vulnerable to jailbreaks. Even an Apple OS 3.1.3 update with firmware revisions for late-model iPhone 3G S devices could be vulnerable to "hackers [who] may discover new access methods," the note said.

The iPad, which runs Apple's iPhone OS 3.2, presumably has the same firmware updates provided in version 3.1.3. Later in the same note, Gartner said that the iPhone 3G S also has embedded 256-bit AES hardware encryption that cannot be turned off, which nonetheless still leaves data vulnerable if the device is jailbroken or otherwise hacked.

The note also includes a series of tips for iPhone security in the enterprise, which Gartner analyst Ken Dulaney said would also apply to the iPad. The tips include some fairly standard measures such as enforcing use of pass codes and using complex pass codes, locking the device after a maximum number of password retries, enforcing device timeout to prevent theft of data when a device is unused, selectively disabling YouTube, App Store, and iTunes, preventing capture of screenshots, and installing certificates for VPN use.

Despite Apple's updates and the inclusion of the Cisco VPN, Dulaney said Gartner concludes that the iPad is "not enterprise ready ... and Apple would have no problem with Gartner saying this was not enterprise ready. ... We don't endorse use of netbooks, and the iPad is in the same category. ... We don't think it has the security and manageability capabilities for offline applications and, more importantly, the support of Apple for the enterprise."

Even so, Dulaney said he knows that some companies will support the iPad, just as they have the iPhone, including companies that want to project a high-tech reputation. He also said a variety of companies will deliver applications to iPad users to stay in touch with the company's buying groups, the same way some banks internally avoided using the iPhone at first, but also built banking applications for the iPhone for their customers.

Dulaney also noted that supporting corporate e-mail via the iPad will be no different than with the iPhone. "It works ... and the security enforced by [Microsoft] Exchange is sufficient," he said.

In general, Dulaney expects some large businesses to support iPad applications "just because there is enthusiasm to support them. They will break their rules for security and manageability, but it is their right to do that."

Tablet computers are best suited for workers who stand or walk, Dulaney said. For any company wanting to design a touch-screen application for workers, he recommended a Windows 7 tablet instead of the iPad, since it is part of a mature and well-tested market.

Matt Hamblen covers mobile and wireless, smartphones and other handhelds, and wireless networking for Computerworld. Follow Matt on Twitter at @matthamblen or subscribe to Matt's RSS feed. His e-mail address is mhamblen@computerworld.com.


This story, "iPad security for the enterprise still subject to debate" was originally published by Computerworld.


Copyright © 2010 IDG Communications, Inc.
