The iOS, iPad, iPhone ... iEverything Security Conundrum
With the prevalence of Apple in the enterprise today you'd think it would be easier to lock it down.
The problem for security professionals staring at a relentless onslaught of iOS devices (iPhones and iPads) that want entree to the corporate network is this: you cannot do much at all to secure those devices. It's out of your hands. When it comes to iOS devices, it is in Cupertino you must trust.
"The iPhone and iPad create their own unique security challenges in the enterprise. You simply cannot do security in the traditional way," said security expert Michael Sutton from zScaler Labs, a Sunnyvale, CA-based security company.
Vivid proof of how deeply iOS has become embedded in enterprise is contained in Zscaler's most recent threats report that found, in the companies it looked at, that iOS now accounts for more data traffic than BlackBerry and it is well over double the volume of Android.
The recent Zscaler traffic numbers are:
"Securing iOS has emerged as a prime challenge for enterprise IT," added Sutton. "You cannot do things the way you are used to.."
The reason is simple: iOS architecture effectively banishes antivirus software. Apps are sandboxed and one app cannot intrude on another. This eliminates the ability to run antivirus in the background. And one app cannot access another's data under most circumstances (some exceptions apply to Apple's own apps).
It gets worse from the perspective of traditional IT responses to security on the fly. Also effectively precluded from running on iOS are firewalls, said Peter Silva, technical marketing manager at F5, a network security company headquartered in Seattle.
What's required, said Silva, is a whole new approach to safeguarding enterprise data. He pointed out that it was not that many years ago when enterprise IT successfully confronted a similar situation when laptop toting executives demanded remote access to corporate networks.
Initially, IT fought the requests. If security were the only issue, barring that access was the right choice. But, eventually, business use cases emerged triumphant and IT responded with VPNs and firewalls that let remote users access the data they needed without jeopardizing the whole of the network (well, at least in well-designed networks).
Enterprise IT, suggested Silva, is at a similar crossroads with iOS devices but, quite probably it again will emerge triumphant, he predicted.
"Good security now starts with 'trust no devices.' None," said Silva. His advice is that, at every turn, enterprise IT needs to validate each user before allowing access. IT also needs to validate what files/information this user is allowed to access with their device so that an employee calling in with an iPhone might well be granted reduced access privileges.
That's a call IT has to make but good security starts by knowing that is IT's call to make, suggested Silva. "How much access should this user get now? That's become the key question."
Exactly what more can IT do with a network overrun with iOS devices? Actually quite a lot, suggested John Engels, a manager with Symantec's Mobility Group. "Make sure users have updated to the most recent OS." Apple makes regular improvements and un-updated devices just are more vulnerable.
"Don't allow jail-broken devices into the network," he added. This is because there are increasing instances of highly destructive malware that targets only jail-broken iOS devices and, said Engels, letting those devices on the enterprise network is a fast track to trouble.
Sutton at zScaler said that, in his company's view, the key to securing the network -- particularly when iOS devices are present -- is to shift focus from the device to data in transit. "What the security team now has to do is inspect data in transit. We inspect all traffic to/from all devices on the network. That's how to do security now."
That's a radically different model but, as the mobile security experts suggest, IT has no choice but to embrace radical difference once iOS devices are granted entry.
This brings up a last question that demands asking: Should Apple be pressured into permitting antivirus apps on iOS? Nick Arvanitis, a security expert with Dimension Data, a network security company headquartered in South Aftica, said it just is hard to see how antivirus apps would work on iOS and that is why the cure is to look elsewhere when it comes to securing today's enterprise network.
"I am not sure what iOS antivirus software would do," said Arvanitis. "I don't see any value add in running antivirus software on iOS."
A busy freelance writer for more than 30 years, Rob McGarvey has written over 1500 articles for many of the nation's leading publications from Reader's Digest to Playboy and from the NY Times to Harvard Business Review. McGarvey covers CEOs, business, high tech, human resources, real estate, and the energy sector. A particular specialty is advertorial sections for many top outlets including the New York Times, Crain's New York, and Fortune Magazine.