Should You Ban the iPhone?
When David O'Berry, IT director for the South Carolina Department of Probation, Parole and Pardon Services, was quoted in a Wall Street Journal story titled "Why IT Hates the iPhone," he was inundated with complaints from Apple fans.
"After that quote, I had to defend myself in multiple blogs. I didn't say anything about hating the iPhone," O'Berry said. "Personally, I think the iPhone is a great device. My point was that users need to be cognizant of the dangers posed by certain devices in certain situations."
O'Berry noted that while Apple has addressed many of the security flaws of the iPhone, a glaring problem remains: lack of encryption on the device. "Until you encrypt that device, it is a walking time bomb from IT's point of view," he said.
Unless data is encrypted at the device level, users can copy sensitive information from work, take it home with them, lose the device or have it stolen, and expose confidential organizational information to whoever has the device in hand. In other words, without encryption, the iPhone, or any other device like it, can't be considered enterprise-class.
Smart Phones Invading
Make no mistake about it, though: iPhones and other smart phones are invading the office, and IT is ill prepared. According to Infonetics Research, single-mode WiFi phone sales jumped 60% in 2007, and WiFi-enabled smart phones (like the iPhone) should experience an even higher growth rate this year. Meanwhile, the SANS Institute listed mobile threats against iPhones and Android phones as the fourth most serious security threat for 2008.
With those numbers in mind, CIOs should be thinking about smart phone and VoWLAN strategies. As with many previous technologies, such as email and WiFi, smart phones will invade the enterprise through the back door. Users who value them will use them, and if that means sneaking behind the back of IT, so be it.
The easiest way for an organization to control any device is to own it. Buy it for the employee, or at the very least subsidize a portion of the monthly bill, and you can exercise control. Pretend it doesn't exist, and there's no way you can demand that phones be encrypted or have, say, two-factor authentication in place.
"The trouble with paying only a portion of the bill is that you have to recoup costs for personal calls and the like," O'Berry said. "It can become a real accounting headache." His department has already purchased smart phones and tablet PCs for its staff, and it controls the devices at the network's edge. The second easiest solution, of course, is to simply ban iPhones and other smart phones from the corporate network. But does that really solve the problem? Does it even work?
Users can switch to mass storage mode and plug the devices into PCs via USB. Then, when they switch them back into phone mode, dual-mode smart phones will let them easily jump to a cellular link (or a neighboring, unsecured WiFi link), and you won't even be aware of, let alone in control of, a serious security risk.
A better approach is to put controls and policies in place. Many NAC solutions can do compliance checks on any device connecting to the network. If a device doesn't encrypt data, it won't be allowed to download anything or even connect to anything beyond a remediation page. NAC and many other security suites also offer USB controls, which allow IT to shut down USB ports altogether or set security policies for their use.
Meanwhile, data loss prevention (DLP) solutions classify sensitive types of data and wrap policies around it. In other words, you won't be copying, downloading or emailing confidential IP if DLP is in place, and if you do download anything, an audit trail is logged.
"An easy way to accommodate iPhones and smart phones is to extend guest networks," said Chris Roeckl, VP of marketing for AirMagnet, a provider of WLAN assurance tools. If iPhones are herded onto guest networks only, users won't be able to access confidential data, but they'll still have Internet access. There's still the problem of users forwarding information to themselves over email, but that's an email security issue, not a smart phone one. However, if you go the route of restricting iPhones to guest networks, you'll have to have wireless detection and monitoring tools in place that locate those devices and enforce policies on them.
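As an added illustration (not code from the article or from any vendor it names), the following Python sketches the edge policy the NAC and guest-network passages above describe: a posture check that confines unencrypted devices to a remediation page, puts unmanaged or single-factor devices on an Internet-only guest zone, and admits managed, encrypted, two-factor devices to the corporate network. The addresses, zone names and posture fields are constructed assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed sample values: a remediation page host and the private ranges
# that stand in for an organisation's internal networks.
REMEDIATION_HOST = ip_address("10.0.0.5")
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
                 ip_network("192.168.0.0/16")]


@dataclass
class DevicePosture:
    device_id: str
    managed: bool            # bought or subsidised by IT and enrolled
    storage_encrypted: bool  # device-level encryption, the article's key check
    two_factor: bool         # second factor configured for corporate access


def decide_zone(p: DevicePosture) -> str:
    """Map a posture report to one of the three zones the article describes."""
    if not p.storage_encrypted:
        return "remediation"   # nothing reachable except the remediation page
    if not (p.managed and p.two_factor):
        return "guest"         # Internet only, no internal resources
    return "corporate"


def permits(zone: str, dst: str) -> bool:
    """Does the zone's edge policy let traffic reach destination dst?"""
    ip = ip_address(dst)
    internal = any(ip in net for net in INTERNAL_NETS)
    if zone == "remediation":
        return ip == REMEDIATION_HOST
    if zone == "guest":
        return not internal
    if zone == "corporate":
        return True
    raise ValueError(f"unknown zone {zone!r}")


def evaluate(p: DevicePosture, dst: str) -> bool:
    """Full check: classify the device, then apply the zone policy."""
    return permits(decide_zone(p), dst)


if __name__ == "__main__":
    # Constructed sample posture report for an unmanaged, unencrypted phone.
    phone = DevicePosture("user-iphone", managed=False,
                          storage_encrypted=False, two_factor=False)
    print(decide_zone(phone), evaluate(phone, "8.8.8.8"))
```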
A bigger problem, though, is the same one that plagues all new technologies. New technologies boost productivity. Throttling back on that productivity may in the end be more costly than figuring out how to address risks in ways that don't impede users.
"Everyone talks about controlling these devices," O'Berry said. "I don't care about device control. What I care about is device resiliency and insulating my agency against risk. In doing that, though, I don't want to impede non-traditional productivity. Devices like the iPhone increase operating efficiencies."
Invariably, solutions will come as the devices mature, if not from the smart phone vendors themselves, then from third-party security vendors. And if Apple continues to buck third-party software development, some other smart phone vendor will likely play to the enterprise and eclipse the iPhone in that market. After all, you don't hear a similar chorus of warnings against the BlackBerry. The difference is that BlackBerry started as an enterprise product and has spread to the consumer market. The iPhone has taken the opposite path.
As of today, though, smart phones represent a threat matrix for corporate networks. IT has little visibility into the devices, and device-side security is limited at best. Until the phones are more secure, IT must do something to mitigate risks.
"We need to get beyond the mentality of IT versus users," O'Berry added. "Instead, we should collaborate with users on how best to strike a balance." Whether that balance means education and training, network edge controls, or putting pressure on vendors for more secure products remains to be seen.
What's clear, though, is that IT will have to figure out how to handle these devices soon. They're coming whether you like it or not, and the first step towards recovery is admitting you have a problem.