Over the next couple of months, it’s all going to go nuts yet again with Apple frenzy, hype and excitement over the new iPhone 4S and the release of iOS version 5… but after all the dust has settled – what will the real impact be from an enterprise & security perspective?
OK… so maybe that’s why I love my job when it comes to situations like these, as I get to play with the new toys and enlighten people about all the cool changes, the business opportunities, and what we can do from a technical perspective to minimise any associated risks. Before we get to the heart of it – if you didn’t already know based on my previous posts – it’s probably worth being up front and mentioning that I am indeed an Apple fan; however, nevertheless, that doesn’t mean I’m blinkered or oblivious to some of the security problems we will come across from an enterprise perspective when these new devices and changes hit us.
So…. let’s get started…
Huge Uptake of new devices & iOS5 for existing users
Firstly, I think yet again there will be an increased uptake in the new Apple iPhone device, and even more people moving away from Blackberrys (poor RIM) to the new iPhone 4S. Apple Insider recently released some interesting study results indicating 45% of Blackberry users and 24% of Android device owners said they would purchase the upcoming new Apple handset.
Whilst I don’t think there’s going to be a huge quantum shift in terms of the phone or the technology (yes the new CPU will be great, but something I’m already used to on my iPad 2 running the Apple iOS5 beta), the combination of a new device plus all the cool features of iOS5 will draw more people to buy it.
Most people I know are already finding excuses for why they will upgrade their iPhone 4… and it will be the same no doubt in the enterprise. The C level execs will push to get a brand new phone as soon as they’re available – as we’ve seen a change in the way in which shiny new gadgets find their way from the top down into the enterprise… as the big boys often compete with their peers in the boardroom.
Then we also need to consider how many existing iPhone 4 and iPad 2 devices are already out there in the enterprise – just waiting for all those funky new iOS5 features.
Well, before the majority of your company have these new devices in their hands, or already have existing iPhone 4s or iPad 1s or 2s, there are a few things to consider from an enterprise security perspective:
iOS 5 – iCloud and Security in the Enterprise.
iOS 5 introduces many new features, but the most newsworthy is iCloud. I’m not going to cover what it is in detail, or how it works; instead, I want us to focus on what issues we will see in the enterprise relating to it. It’s not that iCloud is insecure – and I’m sure there will be hackers out there trying their hardest to break into it. It’s the staff member who has this new technology, and what they choose to do with it, that is more worrying.
Up until now, enterprises have struggled to control / contain the risks relating to file sharing / syncing capabilities already available through services such as Google Docs, SugarSync, Dropbox, Box.net etc. What Apple are about to do, though, is make this type of cloud-based file storage & synchronisation functionality available natively in iOS, Apple applications, and 3rd party apps using iCloud… so the problem is about to become much bigger. No doubt, just like when the cloud hype hit our shores, governing parties such as APRA will start to take notice, ask interesting questions, and push more expectations onto the companies that they govern.
So the worst case is that documents created on a device used in the enterprise will be sucked into the cloud, and then replicated automatically onto a number of other devices outside of the enterprise. Many large companies have managed to keep some sort of control by restricting the use of Dropbox etc through web proxies; however, the main concern from a security perspective is not necessarily the strength of the security controls, but rather what the user will do with it.
Most staff who don’t care about security (after all, it’s someone else’s job to worry about company risk) will happily and naively store sensitive documents all over the place… it’s just that the Apple iCloud will make this so much easier to do, and a much much BIGGER problem.
Your Apple ID & Password – Keys to the Apple iCloud Kingdom… your docs, your photos, your music…
One important concept to understand is that with iCloud your Apple ID and password will become much more important… it will be your ID and keys to your photostreams, synchronised documents, music etc – access to everything will be just an Apple ID and password click away!! Now no one shares their Apple IDs… do they!!!?!?!? ;-0
Bandwidth & Data Usage Impacts
There are other impacts such as data / bandwidth utilisation – as music streaming, iCloud syncing and OTA updates will surely have an impact. But just how much, we will soon find out.
Solving Your Enterprise Security iCloud Concerns
So what to do about it?… Mobile Device Management platforms will obviously help (if you have one!), and Microsoft Exchange ActiveSync policies will potentially improve things too; however, that depends on whether you’re willing to lock down the use of iCloud. Stop users from using the cloud?! Sounds like a hard thing to do.
Hopefully Apple will offer some more granular control for this technology – but maybe by the time most enterprises start to worry about this the horse has already bolted.
User Awareness & Risk Acceptance
The other thing you can do is ensure that end users are made aware of the risks, and that they take accountability and responsibility. Force anyone using your enterprise service to sign an “Acceptable Use” agreement, whereby they are informed of the risks, data considerations, and what responsibilities they take on when using an Apple iOS5 device within the enterprise.
Lastly – make sure your company has done the right thing from a risk management perspective – especially if you are governed from a compliance point of view. Ensure that a full risk review and assessment has been completed, whereby senior execs and CIO level are formally made aware of these risks & concerns, and sign off any risks at an appropriate level with full evidence and traceability back to those that made the decision.
Follow “PhilHall” on twitter, and be sure that you’ll be kept up-to-date from a security perspective.