How to secure iPads for corporate use
When Apple's iOS 4.2 debuts next month, it will offer enough features to make the iPad tablet a device that's safe for business—if IT security teams take the right steps.
Top among these additions is the ability to encrypt stored e-mails and attachments on the devices, says Andrew Jaquith, an analyst with Forrester Research. "We expect Apple's new hardware-assisted cryptosystem to enable encrypted data to stay encrypted, even if the phone itself has been jailbroken or compromised in a side-channel attack," Jaquith says in his report "Apple's iPhone and iPad: Secure Enough For Business?"
Also, mobile device management adds APIs that support third-party applications that can lock or wipe clean iPads believed to be compromised, he says. These APIs also support remote inventorying of the devices and password management by third-party applications, he says.
Corporate security policy installation can also be supported through the APIs, but there is no Apple management platform suitable for corporate use, Jaquith says. However, vendors such as Mobile Iron, Odyssey and Tangoe all have privileged access to Apple's APIs that may give them a leg up on developing such tools.
In combination with other security already supportable on the devices, iPads should be safely deployable and manageable within enterprise networks, he says.
The updated operating system will also add support for SSL VPNs that can secure iPad remote access sessions. The devices already could support IPSec VPNs as well as WPA2 wireless protection.
Jaquith says that any business planning to support iPads should take these seven steps:
1) Encrypt e-mail sessions, which can be done via Microsoft's ActiveSync.
2) Wipe them clean if they are lost or stolen using supported crypto-shredding.
3) Lock them with a strong passcode.
4) Lock them automatically when they have been idle for set period.
5) Wipe them after a set number of failed logins.
6) Sign configuration profiles and protect them with passwords to avoid tampering.
7) Auto-refresh policies using ActiveSync in combination with Microsoft Exchange 2007.
For companies with more stringent requirements, Jaquith recommends:
* Use hardware encryption coming with iOS 4.2.
* Boost the required strength of passcodes.
* Use certificate-based authentication.
Even with all these measures in place, iPads won't be able to meet some security requirements, Jaquith says. For instance, some businesses are required to archive SMS messages, which can't be done on an iPad. The tablet also doesn't support smartcard readers that would tie the device to a user's card, he says.