Guide to iPad Security & MDM in the Enterprise
While iPads and other tablets offer the promise of major productivity gains in the enterprise, they can also introduce some pretty big security issues. Here's how to tackle those challenges.
As iPads continue to make their way into the enterprise, security is an increasingly significant concern – a recent study by Context Information Security suggested that the iPad is dangerously vulnerable to jailbreak attacks, and that the device’s disk encryption is ineffective without the implementation of a strong passcode policy.
In a white paper entitled Tablets in the Enterprise: A Hard Pill to Swallow? [PDF file], Context Information Security principal consultant Jonathan Roach offered some basic suggestions for improving iPad security in the enterprise, including ensuring that firmware is kept up to date, enforcing an alphanumeric password of eight characters or more, and disabling connection to iTunes via device policy.
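As an added example (not from the article or the Context white paper), a small Python check that parses an iOS configuration profile and flags any Passcode payload weaker than the baseline above, then shows the same profile raised to that baseline; the sample profile bytes are constructed, and its identifiers and UUIDs are placeholders.

```python
import plistlib

PASSCODE_PAYLOAD = "com.apple.mobiledevice.passwordpolicy"

# Constructed sample .mobileconfig (not from the white paper); identifiers and UUIDs are placeholders.
WEAK_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadVersion</key><integer>1</integer>
  <key>PayloadIdentifier</key><string>example.profile.placeholder</string>
  <key>PayloadUUID</key><string>00000000-0000-4000-8000-000000000000</string>
  <key>PayloadContent</key><array><dict>
    <key>PayloadType</key><string>com.apple.mobiledevice.passwordpolicy</string>
    <key>PayloadVersion</key><integer>1</integer>
    <key>PayloadIdentifier</key><string>example.passcode.placeholder</string>
    <key>PayloadUUID</key><string>00000000-0000-4000-8000-000000000001</string>
    <key>forcePIN</key><true/>
    <key>allowSimple</key><true/>
    <key>minLength</key><integer>4</integer>
  </dict></array>
</dict></plist>"""

def check_passcode_policy(profile_bytes):
    """Return findings for passcode settings weaker than the baseline; [] means compliant."""
    profile = plistlib.loads(profile_bytes)
    payloads = [p for p in profile.get("PayloadContent", [])
                if p.get("PayloadType") == PASSCODE_PAYLOAD]
    if not payloads:
        return ["no passcode payload: nothing forces a passcode, so disk encryption is not protected"]
    findings = []
    for p in payloads:
        if not p.get("forcePIN", False):
            findings.append("forcePIN not set: passcode is optional")
        if p.get("minLength", 0) < 8:
            findings.append("minLength %d is below 8" % p.get("minLength", 0))
        if not p.get("requireAlphanumeric", False):
            findings.append("requireAlphanumeric not set: numeric-only PIN allowed")
        if p.get("allowSimple", True):  # iOS default permits repeating/sequential passcodes
            findings.append("allowSimple permits repeating or sequential passcodes")
    return findings

def hardened_copy(profile_bytes):
    """Return the same profile with every passcode payload raised to the eight-character alphanumeric baseline."""
    profile = plistlib.loads(profile_bytes)
    for p in profile.get("PayloadContent", []):
        if p.get("PayloadType") == PASSCODE_PAYLOAD:
            p.update(forcePIN=True, minLength=8, requireAlphanumeric=True, allowSimple=False)
    return plistlib.dumps(profile)
```

Run `check_passcode_policy(WEAK_PROFILE)` to list the three gaps in the sample, and `check_passcode_policy(hardened_copy(WEAK_PROFILE))` to confirm the corrected profile returns no findings.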
While those might seem like fairly obvious steps to take, Andrew Borg, research director for enterprise mobility at the Aberdeen Group, says a recent Aberdeen survey found that more than 50 percent of respondents in the U.S. say “anything goes” with regard to tablet deployments in the enterprise.
“What that means to us is that they are not compliant with policy – there is no management overlay over the devices … and that’s exposing their organizations to significant risk,” he says.
Assessing iPad Security Risk
In many cases, Borg says, tablets present a greater risk to the enterprise than smartphones, because they’re more often integrated into back-end data sources than personal smartphones are. “Tablets are more likely to have sensitive data … and the fact that they’re not managed as diligently as one would hope is cause for concern,” he says.
Aberdeen recently chose 13 statutes and regulations affecting a wide range of companies, then asked companies the maximum financial risk their organization would face from a single compliance lapse, or from a lost or stolen device. “On average, on the low end, it was about $10,600 per compliance lapse,” Borg says. “At the high end, it was $491,600 and change. That’s from a single lapse.”
As a result, while Aberdeen recommends the use of tablets according to the best practices that it’s been documenting for several years, Borg says it’s crucial to put the right systems in place as well.
“Those best practices incorporate not just mobile device management, because that's a focus on the device, but what we call enterprise mobility management, which is a focus on the whole mobile ecosystem,” he says. “It includes procurement, deployment, support, security of course, content management, data loss prevention, decommissioning, and end of life.”
Implementing an MDM Solution
The challenge in implementing such systems, Borg says, lies in the fact that adoption of tablets isn’t typically being led by the IT department. “It’s coming in by line of business in many cases,” he says. “An executive gets one for the holidays and brings it in and says, ‘This is an incredible productivity tool. Give it to everyone in sales.’ … And so IT is just running around without additional budget, without additional resources, expecting to somehow protect the organization and its assets.”
And so, in implementing a mobile device management (MDM) or enterprise mobility management (EMM) solution, Borg says it’s best to use a carrot-and-stick approach. “It can’t be all carrot – that is, everything’s sweet and easy and it’s all incentive – and it can’t be all stick, which is, we control it and it’s all about what the organization will insist upon,” he says. “There needs to be a balance.”
In many cases, Borg says, e-mail offers an ideal carrot. “If you want access to e-mail on your personal device, your device must be compliant with our policy … E-mail is sort of like the gateway drug for mobility,” he says. “Once you’ve got e-mail, sooner or later you’ll have access to everything. So keeping that carrot-and-stick approach, ‘If you want it, here’s what you’ve got to do,’ actually simplifies life a lot.”
Selecting an MDM Provider
In choosing an enterprise mobile device management or enterprise mobility management provider, Borg says it’s worth keeping in mind that there are five basic ways of implementing an MDM solution:
- Hosted on-premises behind your firewall
- Hosted on-premises but managed by a third party
- Hosted by a third party on their premises but managed by you remotely
- Hosted by a third party and managed by them
- Hosted in the cloud as a service
If a company already has a preference for one of those models, that will make the vendor selection process much easier. “Not every vendor, for example, has a hosted cloud service,” Borg says. “Not every vendor has a fully managed service. … So when it comes to the full landscape of the solution and service providers for EMM, it does get narrower once you decide what service model works best for you.”
Borg says many IT departments have already gone through this decision-making process. “The nice thing is, this is not a new question for IT,” he says. “IT has been dealing with this since client-server computing first came along … where are things sitting, and where are they accessed? So this is not a new problem, and chances are there’s already a policy in place.”
Hybrid BYOD Model
In taking control of the risk presented by iPads and other tablets in the workplace, Borg offers what may seem like a radical suggestion. “What I recommend [companies] consider is going back to a centrally procured model for tablets,” he says. “There’s no reason to say that because BYOD is the policy for smartphones that it has to be the policy for tablets. The way we look at it is that tablets are an eventual replacement for the laptop – they’re not a replacement for the smartphone.”
That doesn’t mean employees can’t keep personal content on those tablets, Borg says. “That is feasible, as long as the device itself is locked down and managed appropriately according to the policies of that organization … But if the organization’s not able to set up that device to where those policies can be enforced, that’s where the problems come,” he says. “And that’s much harder to do with a BYOD model.”
So a hybrid model can be a good solution. As an example, Borg mentions a healthcare provider that allows employees to bring in their own devices – as long as the devices are purchased through a company plan. “They’re purchasing it, and they own it, but the organization gets to pre-configure it before they ever get their hands on it,” he says. “The employee gets to own it and take it away, but now the organization can protect their own data on that device.”
Protecting the App
Another way to approach the problem of managing iPad security, according to Gartner research director Eric Ahlm, is to focus on protecting the application and the data rather than the device.
“If I can’t secure the device to the level that I’m accustomed to, can I at least put advanced controls around the content that I care about? That’s an approach that I’m seeing investigated, and that we talk actively about with our customers,” Ahlm says.
Depending on the vendor, that can be called mobile application protection or advanced application protection. “I can take an application that’s well-written but maybe not hardened from a security standpoint, and in an IT shop, not a development shop, I can wrap that app and do all sorts of advanced policies – passwords just for that app, encryption just for that app, I can wipe just that app and not your whole device if you’re terminated or lost the device,” Ahlm explains.
That can be a great solution for a device like an iPad, particularly in a BYOD environment. “Because I’m putting the security on the app, I can control what’s on the app even if I can’t control the device-level security as much as I would like,” Ahlm says. “So that model of wrapping apps has a lot of appeal in the world of personalized devices … Wrapping the app does a lot for protecting what the corporations care about, without interfering with a personal device, or interfering with the user experience on something they don’t own.”