E-Guide

Improving iPad enterprise management: Security primer

The iPad is quickly becoming the tool of choice for many enterprise employees, but it is also a favorite target for hackers, making iPad security a top concern among security pros. This expert e-guide explains the best way to meet iPad demand within the confines of the enterprise.

Sponsored By:

SearchSecurity.com E-Guide Improving iPad enterprise management: Security primer

Table of Contents

Understanding iPad security concerns for better iPad enterprise management

Resources from GroupLogic


Understanding iPad security concerns for better iPad enterprise management

The iPad, like the iPhone, is rapidly becoming many enterprise employees’ tool of choice, but the dramatic increase in the number of Apple devices in circulation means they are becoming an increasingly popular target for hackers, thus increasing iPad security concerns among IT security pros.

So, what's the best approach for enterprises to satisfy the demand for iPad access within the confines of the enterprise? Or should they simply be banned outright? That’s what we’ll discuss in this tip.

To set the context for the discussion, enterprises should establish a clear policy for allowing iPad access to the corporate network. Any enterprise-owned iPad should obviously be deployed with security measures already in place, many of which are discussed below, but employee-owned devices should not be granted access unless their owners consent to the security policy and controls deemed necessary to protect corporate data that could be accessed on or via the device.

The iPad protects any data stored on it with 256-bit AES hardware-based encryption, which is always enabled and cannot be disabled. (Data backed up in iTunes to a user’s computer can also be encrypted.) It supports VPN technologies, such as Cisco Systems Inc.’s IPSec VPN, L2TP and PPTP; authentication can require an X.509 digital certificate or a two-factor token such as EMC Corp.’s RSA SecurID or CRYPTOCard tokens from CRYPTOCard Inc. Preventing unauthorized access is your front line of defense for mobile devices, so if your enterprise doesn't use two-factor authentication, then data security is heavily dependent on the level of password protection you enforce.

Password policy can be configured and enforced on an iPad via Microsoft Exchange, which is still the most common method for managing passwords without requiring user interaction; pushed over the air without any action required by the user; or distributed as part of a configuration profile for users to install. All of the following settings should be used: timeout periods, password strength, password-change interval and maximum failed password attempts. Other policy settings can determine which iPad features your users can access, such as Safari and YouTube, as well as actions like application installation and access to explicit content. Configuration profiles are XML files that can be both encrypted and locked so the settings cannot be removed or altered.
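As an added illustration (not part of the original guide), the following Python sketch audits an unencrypted configuration profile for the four passcode settings named above and for the lock flag. The sample profile and the baseline thresholds are constructed assumptions; the key names are those of Apple's passcode-policy payload.

```python
import plistlib

# Constructed sample profile (not from the guide) with deliberately weak values;
# key names are those of Apple's passcode-policy payload.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadRemovalDisallowed</key><false/>
  <key>PayloadContent</key><array><dict>
    <key>PayloadType</key><string>com.apple.mobiledevice.passwordpolicy</string>
    <key>forcePIN</key><true/>
    <key>allowSimple</key><true/><key>minLength</key><integer>4</integer>
    <key>maxInactivity</key><integer>15</integer>
    <key>maxFailedAttempts</key><integer>10</integer>
  </dict></array>
</dict></plist>"""

# Assumed baseline thresholds for illustration only: the guide names the
# settings but gives no values, so substitute your own policy.
BASELINE = {
    "maxInactivity": ("timeout period (minutes)", lambda v: v is not None and 1 <= v <= 5),
    "minLength": ("password strength: length", lambda v: v is not None and v >= 6),
    "allowSimple": ("password strength: simple values", lambda v: v is False),
    "maxPINAgeInDays": ("password-change interval (days)", lambda v: v is not None and 1 <= v <= 90),
    "maxFailedAttempts": ("maximum failed attempts", lambda v: v is not None and 1 <= v <= 6),
}

def audit_profile(raw: bytes) -> list[str]:
    """Return a list of findings; an empty list means the profile meets BASELINE."""
    profile = plistlib.loads(raw)
    findings = []
    if not profile.get("PayloadRemovalDisallowed", False):
        findings.append("profile is not locked: user can remove it")
    policies = [p for p in profile.get("PayloadContent", [])
                if p.get("PayloadType") == "com.apple.mobiledevice.passwordpolicy"]
    if not policies:
        return findings + ["no passcode policy payload present"]
    policy = policies[0]
    if not policy.get("forcePIN", False):
        findings.append("forcePIN is not set: passcode is optional")
    for key, (label, ok) in BASELINE.items():
        value = policy.get(key)
        if not ok(value):
            findings.append(f"{label}: {key}={value!r} fails baseline")
    return findings

if __name__ == "__main__":
    print("\n".join(audit_profile(SAMPLE_PROFILE)))
```

A setting that is absent from the payload is reported as a failure, since an unset key means the device enforces nothing for it.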

Users and administrators can initiate a remote-wipe command to erase data should the iPad be lost or stolen, an essential contingency for any mobile device that's going to be part of an enterprise network. The free Find iPhone app can also be used to locate or lock and wipe a lost iPad. These basic features make the iPad a robust tool if they're all used, but the main concern has to be physical theft due to the device’s small and desirable form.

It doesn't matter whether you treat the iPad as an oversized smartphone or a netbook; you need an acceptable usage policy. Phishing attacks are platform agnostic, so your general security awareness training will already cover this and other topics, such as limiting the amount of confidential data stored, but additional training on avoiding fake Wi-Fi hotspots (to which an iPad may automatically connect) and good physical security should be revisited. More specifically, iPad users should be given instruction on how to safeguard the device when traveling and working out of the office, such as never leaving it unattended, locking it in the trunk of their car when driving, and using a motion sensor: a small but piercing alarm that is set off whenever the device is moved.

The inability to run applications in the background means traditional antivirus software can't be installed on the iPad, so users have to be extra vigilant in not opening unexpected links or attachments. Policy should not allow any apps to be installed without passing a full review, trial and approval process by the organization’s IT or security teams, with close attention given to what data and connections any application uses.

The level of network access granted should be based on the iPad's physical location and type of connection: inside or outside the corporate network, or through a VPN. This will add protection against users not following corporate policy and thieves using a stolen device. Administrators also need to closely follow Apple and security research announcements on new vulnerabilities and fixes. The iPad runs the same OS as the iPhone, so it will be vulnerable to the same kind of hacks used to jailbreak the iPhone.


Organizations that don’t use Microsoft Exchange should look at enterprise product vendors who have built support for the mobile device management capabilities of iOS 4 into their products, like McAfee Inc.’s Enterprise Mobility Management, MobileIron Inc.’s Advanced Mobile Device Management and Mformation Technologies Inc.’s Mformation Service Manager. These products provide the ability to securely enroll devices in an enterprise environment, wirelessly configure and update settings, monitor compliance with corporate policies, and remotely wipe or lock managed devices.

However, if you're happy with the level of security enforced by Microsoft Exchange, then with a few refresher courses on security awareness there's no reason why the iPad and its users can't be a happy and productive part of your enterprise.

www.grouplogic.com

Resources from GroupLogic

Start your free trial of mobilEcho today

Watch a short video addressing mobile security

About GroupLogic

GroupLogic’s proven software products help enterprise IT organizations enable enterprise users to connect, communicate and collaborate in an easy to manage and secure environment, regardless of platform. GroupLogic delivers easy-to-install, affordable products that integrate existing and emerging platforms and devices into the IT ecosystem, so IT organizations can differentiate competitively, improve employee productivity, mitigate risk and reduce IT hardware costs.

The company is committed to bringing to market products that seamlessly integrate Macintosh and other third-party devices into Windows-based enterprise infrastructure.
