iPad Enterprise Security

“Thinner. Lighter. Faster. Facetime. ” That is the catchphrase from the Apple page dedicated to the iPad. While Apple is known for its pithy titles for their amazing products, there is one thing that is oft ignored, but always important, and that is security. More and more people are adopting the iPad and some are using it to access business data but how can they do that securely? This article outlines the risk of using the iPad in the enterprise and some dos and don’ts for iPad security.

Consider this office scenario surrounding the iPad. The iPad 2 is just released and an executive is interested in one. Soon, with the help of a few tech-savvy people in the office, he is connecting to the corporate network and accessing company data and systems. The thought of security never entered his mind. What can be done to protect this company from data loss?

While an iPad may provide a bump in productivity it also provides another portal for hackers and thieves. The problems range from a lack of uniformity in software to protect from hacking to general nonchalant behavior among employees about the protection of their iPads.

One of the major pitfalls of the iPad is the relative dearth of protective apps in Apple’s otherwise immense app store. Also, those apps that are available for protecting an iPad are not uniform. Apple does scrutinize apps that appear in the app store, but their net is not without holes, and an app that has malicious intent may slip through the cracks.

Even if there was uniformity within applications concerning security, there is not uniformity between users. Much of this has to do with the perception of the device. If users were to treat their iPads less like a magazine or a newspaper and more like a company computer, the need for more than the out-of-the-box security would be clear. Here are some simple dos and don’ts that users and administrators should be aware of that can increase the security of the iPad.

Dos

  1. Locking the device. The iPad can be configured to lock the screen at a predefined interval similar to the screensaver setting on a computer. When the device is locked a password is needed to unlock the device. The iPad can also be configured to delete all data if an incorrect password is entered too many times.
  2. Encryption. iPad data can be encrypted however the encryption used on the iPad is currently vulnerable to some attacks. Still, an encrypted iPad is better than an unencrypted one and we await patches from Apple to resolve the vulnerabilities.
  3. Virtual Private Network. Use a VPN when connecting to a corporate network. The iPad ships with Cisco VPN software so that a secure tunnel can be created for connecting to another network. The VPN works with common IPSec, PPTP, and L2TP VPNs.
  4. Utilize Mobile Device Management (MDM) solutions to control security settings on enterprise mobile devices such as phones and tablets.

Don’ts

  1. Jailbreaking. Some users desire features that are not included in the official iPad operating system so they go through a process called “jailbreaking” where a new operating system is loaded onto the device or the operating system is modified so that these features become available. In the process of jailbreaking the device, however, many new security holes can be created and it is difficult to update the device when newer versions or patches are released. Newer versions and patches often correct recently discovered vulnerabilities so those that have been jailbroken will be susceptible to these vulnerabilities.
  2. Sharing. The iPad is a single user device. It does not have the capability of letting multiple users log onto it so if the device is shared with someone else all the data will be available to them. If possible, do not share an iPad that is used for work purposes with others.

As the popularity of the iPad continues to increase more and more companies will be faced with the struggle to secure the data users access via iPads. Executives and employees need to think outside of just the productivity and the coolness appeal of the iPad and look at the security concerns of the device. The tips here can help. Consider educating your employees on iPad security best practices.



About The Author


Eric Vanderburg

Eric Vanderburg is an author, thought leader, and consultant. He serves as the Vice President of Cybersecurity at TCDI and Vice Chairman of the board at TechMin. He is best known for his insight on cybersecurity, privacy, data protection, and storage. Eric is a continual learner who has earned over 40 technology and security certifications. He has a strong desire to share technology insights with the community. Eric is the author of several books and he frequently writes articles for magazines, journals, and other publications.

13 Comments

  1. I use Apple products at home and they are being used more and more in workplaces. But, for me, for Apple to continue to be a contender, I think the following needs to happen:

    1) Technology is catching up, so compete on price (lower the “Apple tax”)
    2) stop expecting people to believe that it is a privilege to own an Apple anything – the coolness factor is already starting to die off
    3) making non-user-serviceable equipment. If I can’t do my own upgrades or replace a hard drive when it fails (or when I want a larger one) then I just won’t buy that piece of equipment.
    4) Always remember, people ALWAYS have a choice. Just like I chose to go to Apple years ago, I can still choose to migrate to LINUX. Don’t give people reasons to not choose Apple.

  2. Actually the problems stem from the ability to strictly control the device itself – meaning you can’t lock the user out of certain settings. The iPhone/iPad configuration utility only provides so much ability to lock the device down.

    For example – you can disable youtube, safari, mail, etc., but can’t disable the ability for the user to get into the settings. You can turn the wifi/bluetooth OFF, but not DISABLE it. With the settings accessable to the user, they can go right back in and turn it on. While you might think “no big deal, safari is disabled” – keep in mind there are other apps that have the ability to access the internet, and will do so if you ask the app to. And sometimes you don’t even have to ask.

    1. Ralph,

      If you apply the security from the configuration utility using an admin account the user does not know and then create an account for them to use on the device, they will not be able to alter the settings.

  3. Thanks. I agree with Rosie that you have a great site here. I really like reading your security spotlight blog. I am not sure if you like the term information security or cyber security but either way, great blog!

  4. The iPad has become more and more popular since you wrote this article. Is there anything else companies can do to secure these devices?

    1. Matt,
      Set a password on the device and make sure it will erase all data if the password is entered incorrectly a set number of times. Encrypt the storage on it and create an administrative account that you use to lock it down and then operate with a standard account. Turn off location services and do not jailbreak your phone.

Leave a Reply