Apple gets serious about iPad security -- is it enough?
Soon, SAP hopes to sew up a gaping security hole for its 7,000 iPad-toting employees. The Germany-based tech giant is beta testing a product that will allow it to send PGP-encrypted confidential email to employees. In turn, employees will be able to decrypt them using a Symantec viewer iPad app.
Just one problem: Employees won’t be able to send encrypted email from their iPads, at least not yet. Blame Apple for an iPad email encryption capability that literally goes only half way—that is, to iPads but not from them.
“Symantec told us the problem is with Apple; they can’t get the right interfaces into iOS,” explains Wolfgang Krips, senior vice president of global IT infrastructure services at SAP. “It’s not a deal killer but very serious, very frustrating.”
So goes the love-hate relationship CIOs have with Apple. Now the stakes are higher with iPads invading the enterprise at a meteoric rate. To be fair, Apple has responded recently to security concerns about its iOS. But does the company’s newfound interest in enterprise security go far enough?
Not so long ago, Apple would take its sweet time addressing enterprise security concerns to the chagrin of CIOs. Apple’s thinking: Malicious attackers target Microsoft Windows machines that contain valuable—and profitable—data, not so much Apple consumer devices. So let Microsoft put out Patch Tuesdays (the second Tuesday of the month when Microsoft releases security patches).
But the tables have turned with iPads pouring into the enterprise. After only 18 months on the market, iPads are now being deployed or tested at 86 percent of Fortune 500 companies, Apple said during its most recent quarterly earnings call. Industries that traffic in highly confidential information, such as hospitals and law firms, have emerged as early adopters.
Making matters worse, iPads are becoming a kind of proxy for laptops, sending and receiving some of the most sensitive data on the network. “The security problem for iPads becomes even more burning,” Krips says. “You’re coming to the same situation you have with Windows on the laptops or desktops. It’s becoming increasingly attractive to hack those devices.”
And malware attackers are plying their nefarious trade with more frequency. The rate of malware attacks more than doubled in the second quarter this year to 287,298 unique instances in June, according to Cisco’s quarterly threat report released this week. A company faces an average of 335 encounters every month.
So will Apple step up its security practices?
Recent signs show Apple is getting the enterprise security message. For instance, Apple quickly released iOS 4.3.4 in July, which patched a PDF vulnerability. Just a week and a half later, Apple released iOS 4.3.5, which fixed a certificate validation vulnerability.
“I was also very pleased to see that Apple released a kind of virus scanner for the devices,” says Ralph Salomon, vice president of IT security and risk office at SAP. “We will be evaluating it to make sure we can bring it to the devices as soon as possible. Apple is working really hard to identify issues and close them as soon as possible. They are on the right track.”
Yet Apple still has a ways to go, as evidenced by the iPad’s inability to send encrypted emails.
Vendors have been trying to solve the problem of iOS email encryption in various ways. Some developed entirely new email apps, forgoing Apple’s native Mail app. Others chose an online-only Web portal approach. With Symantec’s PGP Viewer for iOS, an iPad user receives an email with an attachment over the native Mail app.
By tapping on the attachment and selecting the Symantec viewer, the user can decrypt and view the message. The data is kept inside the viewer app, which acts as a kind of sandbox. The viewer doesn’t allow the user to forward, reply or even copy and paste the content of the message.
On the reply side, employees will have to send completely separate emails that merely reference the encrypted email but don’t contain its details. For instance, back-and-forth cryptic emails might read, “I agree with step one but not step three” or “please give me feedback on the third slide.”
There are workarounds to the Symantec PGP Viewer for iOS that can cause CIOs to lose their hair. A user can choose third-party apps to view decrypted documents in the viewer, for example, GoodReader for PDFs and Quickoffice for Microsoft Office documents. “With a helper app, the data moves out of the container,” says Tim Matthews, director of product marketing at Symantec.
Corporate security policies are the only line of defense against this practice. Then again, employees have been using workarounds for sensitive emails since the early days of the iPad. Many would simply decrypt documents on their laptops and email them, unencrypted, to themselves on their iPads.
“Several state laws also require email encryption, so they were putting their companies at risk” by breaking the law, adds Brian Tokuyoshi, senior product marketing manager at Symantec’s encryption group.
A recent Sybase-SAP survey of 500 workers found that a third of employees have put company data at risk by sending work-related emails or documents to their personal accounts and accessing the company intranet from remote locations. One in four has conducted work-related email exchanges on a personal mobile device.
Whether or not the Symantec Viewer will discourage people from breaking corporate policy is anyone’s guess. One thing, though, is for certain: The inability to send encrypted emails from the iPad won’t help matters.
“In doing business, there’s always a balance in the risk you’re introducing and the advantage you’re getting” from the Apple iPad, Krips says. “That’s what makes this so difficult.”
Quips Salomon, “especially from a security perspective.”
[Tom Kaneshige covers Apple and Networking for CIO.com.]