Modernizing Authentication — What It Takes to Transform Secure Access
As iPads continue to make their way into the enterprise, security is an increasingly significant concern – a recent study by Context Information Security suggested that the iPad is dangerously vulnerable to jailbreak attacks, and that the device’s disk encryption is ineffective without the implementation of a strong passcode policy.
In a white paper entitled Tablets in the Enterprise: A Hard Pill to Swallow? [PDF file], Context Information Security principal consultant Jonathan Roach offered some basic suggestions for improving iPad security in the enterprise, including ensuring that firmware is kept up to date, enforcing an alphanumeric password of eight characters or more, and disabling connection to iTunes via device policy.
While those might seem like fairly obvious steps to take, Andrew Borg, research director for enterprise mobility at the Aberdeen Group, says a recent Aberdeen survey found that more than 50 percent of respondents in the U.S. say “anything goes” with regard to tablet deployments in the enterprise.
“What that means to us is that they are not compliant with policy – there is no management overlay over the devices … and that’s exposing their organizations to significant risk,” he says.
Assessing iPad Security Risk
In many cases, Borg says, tablets present a greater risk to the enterprise than smartphones, because they’re more often integrated into back-end data sources than personal smartphones are. “Tablets are more likely to have sensitive data … and the fact that they’re not managed as diligently as one would hope is cause for concern,” he says.
Aberdeen recently chose 13 statutes and regulations affecting a wide range of companies, then asked companies the maximum financial risk their organization would face from a single compliance lapse, or from a lost or stolen device. “On average, on the low end, it was about $10,600 per compliance lapse," Borg says. “At the high end, it was $491,600 and change. That’s from a single lapse.”
As a result, while Aberdeen recommends the use of tablets according to the best practices that it’s been documenting for several years, Borg says it’s crucial to put the right systems in place as well.
“Those best practices incorporate not just mobile device management, because that's a focus on the device, but what we call enterprise mobility management, which is a focus on the whole mobile ecosystem,” he says. “It includes procurement, deployment, support, security of course, content management, data loss prevention, decommissioning, and end of life.”
Implementing an MDM Solution
The challenge in implementing such systems, Borg says, lies in the fact that adoption of tablets isn’t typically being led by the IT department. “It’s coming in by line of business in many cases,” he says. “An executive gets one for the holidays and brings it in and says, ‘This is an incredible productivity tool. Give it to everyone in sales.’ … And so IT is just running around without additional budget, without additional resources, expecting to somehow protect the organization and its assets.”
And so, in implementing a mobile device management (MDM) or enterprise mobility management (EMM) solution, Borg says it’s best to use a carrot-and-stick approach. “It can’t be all carrot – that is, everything’s sweet and easy and it’s all incentive – and it can’t be all stick, which is, we control it and it’s all about what the organization will insist upon,” he says. “There needs to be a balance.”
In many cases, Borg says, e-mail offers an ideal carrot. “If you want access to e-mail on your personal device, your device must be compliant with our policy … E-mail is sort of like the gateway drug for mobility,” he says. “Once you’ve got e-mail, sooner or later you’ll have access to everything. So keeping that carrot-and-stick approach, ‘If you want it, here’s what you’ve got to do,’ actually simplifies life a lot.”
Selecting an MDM Provider
In choosing an enterprise mobile device management or enterprise mobility management provider, Borg says it’s worth keeping in mind that there are five basic ways of implementing an MDM solution:
- Hosted on-premises behind your firewall
- Hosted on-premises but managed by a third party
- Hosted by a third party on their premises but managed by you remotely
- Hosted by a third party and managed by them
- Hosted in the cloud as a service
If a company already has a preference for one of those models, that will make the vendor selection process much easier. “Not every vendor, for example, has a hosted cloud service,” Borg says. “Not every vendor has a fully managed service. … So when it comes to the full landscape of the solution and service providers for EMM, it does get narrower once you decide what service model works best for you.”
Borg says many IT departments have already gone through this decision-making process. “The nice thing is, this is not a new question for IT,” he says. “IT has been dealing with this since client-server computing first came along … where are things sitting, and where are they accessed? So this is not a new problem, and chances are there’s already a policy in place.”
Hybrid BYOD Model
In taking control of the risk presented by iPads and other tablets in the workplace, Borg offers what may seem like a radical suggestion. “What I recommend [companies] consider is going back to a centrally procured model for tablets,” he says. “There’s no reason to say that because BYOD is the policy for smartphones that it has to be the policy for tablets. The way we look at it is that tablets are an eventual replacement for the laptop – they’re not a replacement for the smartphone.”
That doesn’t mean employees can’t keep personal content on those tablets, Borg says. “That is feasible, as long as the device itself is locked down and managed appropriately according to the policies of that organization … But if the organization’s not able to set up that device to where those policies can be enforced, that’s where the problems come,” he says. “And that’s much harder to do with a BYOD model.”
So a hybrid model can be a good solution. As an example, Borg mentions a healthcare provider that allows employees to bring in their own devices – as long as the devices are purchased through a company plan. “They’re purchasing it, and they own it, but the organization gets to pre-configure it before they ever get their hands on it,” he says. “The employee gets to own it and take it away, but now the organization can protect their own data on that device.”
Protecting the App
Another way to approach the problem of managing iPad security, according to Gartner research director Eric Ahlm, is to focus on protecting the application and the data rather than the device.
“If I can’t secure the device to the level that I’m accustomed to, can I at least put advanced controls around the content that I care about? That’s an approach that I’m seeing investigated, and that we talk actively about with our customers,” Ahlm says.
Depending on the vendor, that can be called mobile application protection or advanced application protection. “I can take an application that’s well-written but maybe not hardened from a security standpoint, and in an IT shop, not a development shop, I can wrap that app and do all sorts of advanced policies – passwords just for that app, encryption just for that app, I can wipe just that app and not your whole device if you’re terminated or lost the device,” Ahlm explains.
That can be a great solution for a device like an iPad, particularly in a BYOD environment. “Because I’m putting the security on the app, I can control what’s on the app even if I can’t control the device-level security as much as I would like,” Ahlm says. “So that model of wrapping apps has a lot of appeal in the world of personalized devices … Wrapping the app does a lot for protecting what the corporations care about, without interfering with a personal device, or interfering with the user experience on something they don’t own.”
Right Amount of Control
In choosing an MDM provider, Ahlm says, consider how much control you really need.
“Do you need a heavy or feature-rich mobile device management software? Maybe so, if you own the device and you have high security requirements,” he says. “If you’re somewhere in the middle, if you have a flexible mobile device policy, maybe a lightweight MDM … might be a good model. On the other end of the spectrum, if it’s a totally-your-own-device model, I’m probably going to be looking less at MDM functionality. Maybe I don’t have any MDM functionality at all; maybe I’m just wrapping my apps.”
One company that’s keeping things simple from that perspective is the GoodLife Team. Krisstina Wise, founder and CEO of the Austin, Texas-based real estate firm, says she realized soon after she first bought an iPad that it could be a perfect solution for real estate agents in the field. “We’re very mobile, and iPad made my job easier,” she says. “It enabled me to transact without having to go back to the office, and it enabled me to do my job better because it enabled me to be paperless.”
Wise soon required her entire sales team (approximately 15 people) to purchase their own iPads for use at the firm. While she faced some initial resistance to the idea, she says it’s had an enormously positive impact on the firm as a whole. “It’s enabled them to provide a better experience with their clients, and to do their job better … and now we’re even teaching other agents across the country how to do what we do as well,” she says.
Because the firm’s real estate agents are all independent contractors and have purchased their own iPads, Wise says there hasn’t been a need for a mobile device management solution. Instead, they simply use apps like Evernote and Cartavi to record and securely share key data. “They have all sorts of security protocols in place … So my advice would be to make sure to work with the companies or apps that are very obvious about wanting to keep the data protected,” she says.
Lessons from a Larger iPad Deployment
For larger enterprises, though, that level of simplicity likely won't be enough. Security company ADT currently has more than 4,500 sales reps using iPads. Company vice president Joseph O’Connell says the device is a great solution, both for supporting CRM functionality and for allowing sales reps to demonstrate the functionality of the company’s ADT Pulse offering.
O’Connell says the company is actively working to increase the number of ways its salespeople can leverage the devices, with plans to add electronic order entry and scheduling, among other capabilities. “We would like to take this thing from soup to nuts – from the lead coming in over the phone, to the appointment being set, to the sales rep running the appointment, the presentation, the pricing piece, the order entry piece, the install scheduling. That’s our vision, to get it all the way through.”
Still, Natalie MacDonald, information technology director at ADT, says the company’s iPad deployment immediately presented several basic challenges for IT. “It’s a very attractive device, so we knew they were going to be potentially high-theft items,” she says. “We want to make sure our sales team members are treating the devices with care.”
MacDonald says several back-end processes had to be developed from scratch as well. “We had to manage the whole logistics of purchasing, of dispensing, of returning. We had to build a whole logistical process around the iPads, where we never had one … Instead of someone sitting in an office and waiting for days, we wanted to make sure it was very efficient to have them in stock, to be able to wipe them like you would a PC, and re-issue them and ship them to people that are out in the field,” she says.
The company worked with Dell to manage logistics for its sales force. “They built a whole depot to bring in these devices and manage the asset in our systems for us – and do the shipping, do the refurbishment, and send out to an external third party for repairs … That was all set up and facilitated by internal resources but with Dell as our partner, as an extension of our regular helpdesk,” MacDonald explains.
Finding the Right MDM Fit
After evaluating several mobile device management solutions for the iPad, MacDonald says, ADT settled on MobileIron. “It allows us to do some nice things, like create a catalog of recommended and controlled apps,” she says. “We do it at that level, and then we blacklist some apps we don’t want them to have. As opposed to saying, ‘These are the only apps you can download,’ we tried to keep it really open, because it’s more empowering from that perspective. … That’s fostered a lot of innovation and collaboration as reps find new apps and learn from each other.”
In selecting an MDM provider, MacDonald suggests, the key is finding a company whose strengths match your needs. “Not everyone has all the tools. … We were working with another provider, and they just didn’t have the email capabilities to connect with our corporate email environment, which we needed at the time,” she says. “They were developing them, but MobileIron already had them … It’s a give-and-take, and they’re all catching up. That’s just the immaturity of the market and the device itself.”
With physical security, MacDonald says ADT is ultimately more concerned about protecting any data on the iPads than preventing loss or theft of the devices themselves. “As soon as something’s reported, we wipe it. We’d rather lose the asset than lose the data and lose any intellectual property on it,” she says. “We have started to look at processes to make people more accountable to the loss, especially if we think the loss is an employee theft or something like that … We’re starting to put some responsibility there.”
Breakage and other damage has proven to be a far greater concern than theft or loss, MacDonald says. “We decided to go with more of a professional look than a rugged look on the iPad, so we didn’t do Otterbox-like covers. We did more of a professional, branded look. While it does protect them to a point, we’re learning as we go that we have to continually infuse responsibility, that even though this is a corporate-provided device, that you have to have some accountability to take care of it,” she says.
Learning from Others
One problem presented by iPads lies in the fact that you can’t manage them remotely to the same degree that you can a PC. You can’t just push out patches, for example.
“A lot of what we have to do is develop processes around instructing people and a whole way to communicate with the field to make sure things are happening,” MacDonald says. “We can monitor things and see where things are at with our MDM tool, but we can’t push updates. And the devices are not multi-user devices, so when a rep goes away, we have to wipe the thing and start over. We can’t just create a new profile on that device.”
Any company considering a similar iPad deployment, MacDonald suggests, should take the time to meet with others who have done it before. “We thought we knew what we were doing, but we certainly learned a lot just by default. I’ve been able to share that within our own company to some other business units … I would work with others that are similar to what you’re trying to do, to understand the pitfalls of what they ran into,” she says.
It’s also crucial, MacDonald says, to anticipate speedy changes, both in the devices themselves and in the management tools for those devices.
“We tend in IT to think of our investments as being 10-year investments in a technology -– and we’re seeing things with mobile tools and mobile applications that didn’t even exist two years ago,” she says. “We have to get out of the mindset that things are going to last 10 years. In two years, you might be doing something completely different … So try to stay really agile, learn from others, and evaluate your selection based on what you have to have.”
Jeff Goldman is a freelance journalist based in Los Angeles. He can be reached at email@example.com.
Photo of businessman with tablet from Shutterstock.