HEAT Security Blog

iPad Security Considerations For The Enterprise

Apple took a great deal of heat early on by releasing the original iPhone with little consideration for enterprise security. As a result, Apple has since built in a number of what many consider to be necessary enterprise security mechanisms into the iPad. When it comes to security, the iPad – with the right policies and technical controls – can be made a relatively secure mobile computing platform for use within the enterprise.

The iPad affords numerous enterprise security capabilities:

  • Device protection
    • Strong passcodes
    • Passcode expiration
    • Passcode reuse history
    • Maximum failed attempts
    • Over-the-air passcode enforcement
    • Progressive device protection
  • Data protection
    • Remote and local wipe
    • Encrypted configuration profiles
    • Encrypted iTunes backups
    • Hardware encryption
  • Network security
    • Cisco IPSec, L2TP, PPTP VPN protocols
    • SSL/TLS with X.509 certificates
    • WPA/WPA2 Enterprise with 802.1X
    • Certificate-based authentication
    • RSA SecurID, CRYPTOCard
  • Platform security
    • Runtime protection
    • Mandatory code signing
    • Keychain services
    • Common Crypto APIs

While the available features provide the ability to enhance iPad security in the enterprise, managing those features for a large number of iPad users could quickly become an administrative nightmare. By integrating support for Microsoft exchange, Apple gets the added benefit of Microsoft ActiveSync that can be used to automate securing enterprise iPads. By simply using Microsoft Active Sync, the iPad can be automatically configured with the necessary security mechanisms which will facilitate its use within the enterprise such as:

  1. Email message encryption
  2. Device wipe
  3. Passcode lock
  4. Autolock
  5. Automatic autowipe
  6. Protected configuration
  7. Continious refresh

A recent article detailed the mapping of security capabilities of an iPad using Microsoft Active Sync to current regulations by Forrester for the iPad. The article does a great job of affording insight into the security capabilities of the iPad and is recommended reading for anyone considering an iPad in an enterprise deployment (Figure 1).

While the security capability of current generation iPhones and iPads has come a long way, they still lack the fine-grained application controls found in the BlackBerry. For some high security environments this will be a show stopper. A real risk remains in the ability to “jail break” Apple devices which will effectively bypass all of its security mechanisms. Currently, the Millennium Copyright Act makes it legal to jail break an iPhone, however no exemption has yet been made for the iPad.

The threat of a jail break is  a serious consideration for enterprise users. (Step-by-step instructions to jail break an iPad are freely available on the Internet.)  Much of this risk could be mitigated however by simply making sure the device is included as part of an enterprise’s existing flaw remediation program. Keeping the devices operating with the most current version of available software for both the underlying Apple software and third-party applications is the best defense against software flaws that most often facilitate jail breaking.

Posted in Featured Posts, Mobile SecurityTagged ,

2 thoughts on “iPad Security Considerations For The Enterprise

  1. iPad and iPhone have a lot of good security controls in place, so when you do a desk based risk assessment based on spec sheets it looks pretty good.

    The real thing to consider is how easily can the platform be compromised due to poor quality code in the OS or standard applications installed on it.

    An attacker can “jailbreak” the ipad via a Safari flaw (dodgy link in an email, physical access to unlocked screen etc.) and bypass all of the above security controls (esp. encryption of contents)

    Not too many advisories out there for the ipad OS.

    http://secunia.com/advisories/product/31500/?task=statistics

    Lots out there for the web browser on it

    http://secunia.com/advisories/product/25519/?task=statistics

  2. Great observation and exactly the point of my post when I noted that:

    “The threat of a jail break is a serious consideration for enterprise users. (Step-by-step instructions to jail break an iPad are freely available on the Internet.) Much of this risk could be mitigated however by simply making sure the device is included as part of an enterprise’s existing flaw remediation program. Keeping the devices operating with the most current version of available software for both the underlying Apple software and third-party applications is the best defense against software flaws that most often facilitate jail breaking.”

Comments are closed.