As Tablets Flood the Enterprise, Security Rushes to Catch Up
By Ben Halpert
When Apple iPads were first introduced to the market, large enterprises did not jump at the opportunity to replace their current deployments of laptops and other mobile computing platforms. Tablet personal computers (PCs) had been around for years prior to the debut of the iPad. Most tablet PCs were based on established operating systems (or smaller, yet related, operating systems).
Tablet PCs, slate PCs, and all the other incarnations of various mobile computing devices all promised to be the next great innovation for the ever-mobile workforce of the day. Many of the products were successful while others looked better on paper than they performed in real-world scenarios (I have tested my fair share of devices over the years).
So when the Apple announcement came out in early 2010 about the release of the iPad, why didn’t enterprises line up to buy them out of the gate? There were several reasons, many of which are still cited today: interoperability with existing deployed technologies, security of the data and the device itself, lack of a defined business case for deployment and support versus investment, among others.
So what happened? iPads showed up in the workplace anyway! Without employer funding or an enterprise business case, individual employees went out to the Apple Store and stood in line to buy an iPad (and subsequently the iPad 2). The reasons for purchase varied: being the first to have the latest technology product, dedicated Apple fans who always buy the latest Apple product, people looking for new ways to interact with technology and media, folks looking for an electronic babysitter for their children (a big NO-NO!), and employees striving to be more productive at work.
The aforementioned is by no means a complete list. If you want to learn more about what drives people to purchase iPads, bring snacks to offer and ask the consumers waiting in line for the launch of the next iteration; it should make for an educational and entertaining experience.
Now that we all agree that personal-liable tablets are here to stay, let’s talk security. As an enterprise, it is still your responsibility to ensure that sensitive information, such as Personally Identifiable Information (PII), protected health information (PHI), and other data classification categories, is protected as required for your particular industry.
The BlackBerry PlayBook is the easiest device to address from a security perspective. Research in Motion’s tablet leverages a BlackBerry smartphone to ensure the security of the corporate data that is synced via a BlackBerry Enterprise Server (BES). The data is displayed on the PlayBook, but not stored on the device. So a lost or stolen tablet costs you only the dollar value of the device, and you need not worry about sensitive information of the kind that may be stored on another manufacturer’s device.
In a Microsoft Exchange environment, your organization can manage the password requirements, policy enforcement, restrictions, and other security options available on an Apple iPad. But be warned: now that Apple products have gone mainstream (yeah, sorry to break it to you) they increasingly are being targeted by individuals with malicious or other intent.
The latest of such exploits was the disclosure of a tool that allows anyone to bypass the encryption used to secure the data on an iPhone or iPad device. The tool is being made available by ElcomSoft and allows for passwords to be recovered and exposes device keys and keychain items—all the while never leaving a trace that anyone interfered with the iPad or iPhone. If you are interested in learning more about why the security in the Apple iPad can only provide a minimum level of assurance around data protection, read about the security issue on the ElcomSoft
Here is a list of affected devices.
If you use Google Apps in your enterprise, you can leverage several security features available through the Google Apps administrator control panel. A new security feature that came after the Android 3.0 (Honeycomb) release enables tablet storage encryption. The Google administrative settings require the Android tablets to use the Google Apps Device Policy application on the tablet. Capabilities include password requirements, remote wipe, and policy enforcement.
If you run a Microsoft Exchange environment, you can also leverage TouchDown, which provides a more comprehensive security solution set for your Android tablets. One of the enhanced security capabilities is the ability to encrypt e-mail attachments that are saved to the SD card. Since anyone can physically remove an SD card from a password-protected tablet, the attachments stored on the SD card are encrypted to protect the confidentiality of the data.
An end-user perspective
Pat Smith, CIO of Our Kids of Miami-Dade/Monroe, is considering deploying tablets to the organization's field-based social workers. These employees currently use ruggedized laptops that are nearing the end of their lifecycle, she says. Our Kids has conducted focus groups with field employees and so far, results show that the iPad isn’t resonating well. “They want something with a smaller size that’s more discreet. They want a device that’s somewhere between a BlackBerry and an iPad,” she explains.
Although the enterprise hasn’t yet selected its tablet of choice, Smith says her team is already considering potential security solutions. “SOTI MobiControl is making its way to the top of our list,” she says. “It seems like it does what a lot of the other options do but at a very good price point.” The team also has evaluated Absolute Manage from Absolute Software, which Smith describes as a “well-rounded product.”
Some of Our Kids’ office-based workers bring their personal iPads into the workplace. The organization uses a SonicWALL system to quarantine non-corporate devices and restrict their access to the enterprise networks, Smith says.
The basic security features I discussed address the calendar, e-mail, task, and contact functionalities, along with some on-device security. But what about applications themselves that need to be developed to support the various flavors of tablets on the market today? Rover Apps provides a secure foundation to deploy apps and access to the more traditional back-end corporate systems. The Rover App solution allows an enterprise to have employees leverage the tablet of their choice, while ensuring the sensitive information related to the specific app or enterprise system is secured.
As you can see, there is more than one way to provide security assurance for personal-liable tablets in the enterprise. Don’t forget that no matter what security solution set you choose, your IT department must create and communicate a device policy so that your employees know your organization’s security and privacy expectations. And don’t forget to keep up with the latest security and privacy news affecting your mobile environment. The next big headline could impact your organization.
Ben Halpert, CISSP, is the director of information technology risk management and compliance at McKesson Corporation and the editor of Auditing Cloud Computing: A Security and Privacy Guide. Comments and questions can be sent to him at email@example.com; please include SECURITY in the subject line.