Wednesday 7 March 2012

The problem of Securing the New iPad 3 within Business

Apple announced the latest edition of its iPad today. The device is not only irresistible to consumers; it has become irresistible to business as well. This presents a new challenge for information security professionals, because the iPad has been bred for consumerisation rather than for business use, yet the business value of tablets is undeniable. Within mainstream businesses up and down the land a change is afoot: it is no longer about giving the odd magpie-like senior executive the latest shiny toy, because an unquenchable thirst for Apple's latest tablet is spreading across entire businesses.
This is not a time to bury heads in the sand and wish the risks of business tablet use away; the tablet is coming to a business near you. A few years from now they will be as commonplace on office desks as laptops, and will be smugly grasped by the majority of attendees in meeting rooms. But let us not forget that a corporate-owned, corporate-connected iPad will hold the same kind of confidential information as a corporate laptop, so you would expect the same policies and controls to apply, right? Well, perhaps not.
The information security problem is not one of control, even though the iPad is a consumer-led invention: third-party mobile device management (MDM) products from the likes of MobileIron can centrally enforce security controls on iPads across the enterprise. No, it is a problem of risk acceptance.
One of the fundamental appeals of a tablet is its accessibility, namely its "pick up and go" ease of use. But when best-practice mobile device security policies and controls are applied to tablets, they seriously hinder that accessibility, and the trade-off kills a key advantage of having the device in the business in the first place. For example, a typical best-practice mobile device security policy for laptops, usually centrally enforced in large businesses, requires a password of at least 8 characters drawn from upper-case, lower-case, numeric and special characters, and an automatic lock after ten minutes of inactivity. A third-party MDM solution could enforce exactly the same policy on the business's iPad estate. However, forcing a long, complex password to be entered every time someone picks up their iPad will no doubt be too much of a trade-off for many to stomach, as it rather defeats the point of having an iPad in the first place.
So what if we were to weaken the mobile security policy to give the iPad better accessibility, for example by enforcing a 4-digit passcode with a 30-minute lock timeout? The question then is: shouldn't that same policy now apply to the laptop and desktop estate as well? I don't have the answer, and there isn't really a best-practice business tablet security standard to follow at present, so it comes down to each business's own risk assessment and, ultimately, its risk acceptance. As this is a business decision, and it was the business that chose to invest considerable cost in bringing tablets into the enterprise in the first place, it is more than likely that we will see security policies and enforced controls being more relaxed on iPads than on laptops. Hats off to any security manager who maintains the same mobile device standard on iPads and laptops. I think accepting a lack of security controls on tablets will be the more typical approach taken by business. The lack of IT enforcement on iPads transfers risk over to the user, and the problem here is that most businesses still don't do employee security awareness very well.
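As an added example (not from the original post, and not MobileIron's or any other vendor's product code), the Python below renders the two policies discussed above, the laptop-grade standard and the relaxed 4-digit tablet policy, as Apple passcode-policy configuration profile payloads of the kind an MDM server pushes to an iPad, checks candidate passcodes against them the way the device does when a user sets one, and estimates what a 4-digit PIN actually gives away against lock-screen guessing once the failed-attempt wipe is counted. The payload key names are Apple's (com.apple.mobiledevice.passwordpolicy); the profile identifiers, the wipe threshold of 10 attempts, the "simple passcode" test and the keyspace arithmetic are assumptions made for this example.

```python
"""Added example: two iOS passcode policies as MDM configuration profile payloads,
with a policy check for candidate passcodes and a lock-screen guessing estimate.
Not the post author's or any MDM vendor's code. Apple's payload key names are used;
identifiers, the wipe threshold and the keyspace arithmetic are assumptions."""
import plistlib
import string
import uuid

PAYLOAD_TYPE = "com.apple.mobiledevice.passwordpolicy"

# Laptop-grade policy from the post: 8+ characters, mixed classes, 10-minute lock.
# The payload has no key for "upper AND lower case", so the closest enforceable
# equivalent is minLength + requireAlphanumeric + minComplexChars (assumption).
LAPTOP_GRADE = {
    "forcePIN": True,
    "allowSimple": False,          # no 1111 / 1234 style passcodes
    "minLength": 8,
    "requireAlphanumeric": True,   # at least one letter and one digit
    "minComplexChars": 1,          # at least one non-alphanumeric character
    "maxInactivity": 10,           # minutes idle before the device locks
    "maxGracePeriod": 0,           # passcode required immediately on wake
    "maxFailedAttempts": 10,       # wipe after this many wrong entries (assumed value)
}

# Relaxed tablet policy proposed in the post: 4-digit PIN, 30-minute lock.
RELAXED_TABLET = {
    "forcePIN": True,
    "allowSimple": False,
    "minLength": 4,
    "requireAlphanumeric": False,
    "minComplexChars": 0,
    "maxInactivity": 30,           # the device applies its nearest supported auto-lock interval (assumption)
    "maxGracePeriod": 0,
    "maxFailedAttempts": 10,
}


def is_simple(pin: str) -> bool:
    """Approximation of the 'simple passcode' test (assumption): one repeated
    character, or an ascending/descending run of consecutive digits."""
    if len(set(pin)) == 1:
        return True
    if pin.isdigit():
        steps = {int(b) - int(a) for a, b in zip(pin, pin[1:])}
        return steps == {1} or steps == {-1}
    return False


def passcode_allowed(policy: dict, candidate: str):
    """Apply the policy as the device does when the user sets a passcode.
    Returns (accepted, reason)."""
    if policy["forcePIN"] and not candidate:
        return False, "a passcode is required"
    if len(candidate) < policy["minLength"]:
        return False, f"shorter than minLength={policy['minLength']}"
    if not policy["allowSimple"] and is_simple(candidate):
        return False, "simple (repeating or sequential) passcodes are not allowed"
    has_letter = any(c.isalpha() for c in candidate)
    has_digit = any(c.isdigit() for c in candidate)
    if policy["requireAlphanumeric"] and not (has_letter and has_digit):
        return False, "requireAlphanumeric: needs at least one letter and one digit"
    complex_count = sum(1 for c in candidate if c in string.punctuation)
    if complex_count < policy["minComplexChars"]:
        return False, f"needs {policy['minComplexChars']} non-alphanumeric character(s)"
    return True, "ok"


def keyspace(policy: dict) -> int:
    """Upper bound on the passcodes the policy admits at minLength: digits only when
    no letters or symbols are required, otherwise the 94 printable non-space ASCII
    characters. Composition rules shrink the real space slightly, so this bound
    is generous to the policy."""
    numeric_only = not policy["requireAlphanumeric"] and policy["minComplexChars"] == 0
    alphabet = 10 if numeric_only else len(string.digits + string.ascii_letters + string.punctuation)
    return alphabet ** policy["minLength"]


def lock_screen_guess_probability(policy: dict) -> float:
    """Chance that an attacker typing guesses at the lock screen hits the passcode
    before maxFailedAttempts wrong entries trigger the wipe (uniform passcode assumed)."""
    return min(1.0, policy["maxFailedAttempts"] / keyspace(policy))


def profile_xml(policy: dict, display_name: str) -> bytes:
    """Wrap the policy in a configuration profile (.mobileconfig) as an MDM server
    would push it. The identifiers are made up for this example."""
    payload = {
        "PayloadType": PAYLOAD_TYPE,
        "PayloadVersion": 1,
        "PayloadIdentifier": f"com.example.passcode.{display_name.lower()}",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": f"{display_name} passcode policy",
        **policy,
    }
    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": f"com.example.profile.{display_name.lower()}",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": f"{display_name} passcode profile",
        "PayloadContent": [payload],
    }
    return plistlib.dumps(profile)


def policy_from_profile(xml: bytes) -> dict:
    """Parse a profile back and return its passcode-policy payload (what was actually pushed)."""
    profile = plistlib.loads(xml)
    return next(p for p in profile["PayloadContent"] if p["PayloadType"] == PAYLOAD_TYPE)


if __name__ == "__main__":
    for name, policy in (("Laptop-grade", LAPTOP_GRADE), ("Relaxed tablet", RELAXED_TABLET)):
        print(f"{name}: keyspace {keyspace(policy):,}, "
              f"P(guess before wipe) = {lock_screen_guess_probability(policy):.2e}")
        for candidate in ("1234", "2580", "Passw0rd", "Tr0ub4dor&3"):
            ok, why = passcode_allowed(policy, candidate)
            print(f"  {candidate!r}: {'accepted' if ok else 'rejected: ' + why}")
    print(profile_xml(RELAXED_TABLET, "Tablet").decode())
```

The numbers are the point to bring to the risk-acceptance discussion: with a wipe after ten wrong entries, an opportunistic attacker at the lock screen has about a 0.1% chance per device against the 4-digit policy, so the wipe threshold and the auto-lock interval are the compensating controls that make the relaxed policy defensible, and they should be enforced by the MDM rather than left to the user. The bound says nothing about an attacker who can get around the lock-screen rate limit; there only passcode length and entropy count.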