Like a lot of Silicon Valley types, I “just had to” run out and get one of those nifty new Apple iPads… and after using it for a couple of days I think it’s a really brilliant little device.
One thing that surprised me is that it has taken a while for press coverage of the iPad and enterprise security issues to start coming out. One of the first is this overview from Matt Hamblen over at Computerworld.
I hadn’t poked around in the iPad’s “Settings” menu much yet, so I learned a thing or two about security features built into the iPad by reading this article.
For one, I didn’t realize that the iPad comes with VPN support, but hey, there it is under Settings > Network > VPN. Additionally, there are some decent security mechanisms such as Passcode Lock (including an option to erase the device after 10 failed password attempts) and Restrictions (to disallow certain types of content, app installation, in-app purchases, or access to other arbitrary apps) and these can all be found under Settings > General as well.
From an overall point of view, the iPad doesn’t seem to be any more or less risky than many other consumer devices that can find their way into the enterprise, and it actually has more enterprise-friendly security features than you might first expect.
I’d say that one of the biggest concerns, from both a personal and enterprise security point of view, relates to the e-mail features of the iPad device. It’s really easy to set up e-mail access and, of course, many users will set up access to some popular Web-based e-mail service.
So, the old “forwarding work e-mail to a Web-based e-mail account” issue raises its head once again. If your organisation is in any sort of regulated industry (e.g., healthcare/HITECH/HIPAA compliant, financial services/GLBA compliant, retail/PCI-DSS compliant) and you haven’t deployed technology to scan outbound e-mail for compliance violations (and/or enable e-mail encryption for regulated data), this is a problem.
Also, once the iPad is unlocked, the e-mail app is right there and any messages that have been downloaded to the device are easily read. Users who expect to take their iPads out into the world a lot should definitely configure the Passcode Lock feature and enable the “erase on 10 failed attempts” option. And keep in mind that, unlike devices like BlackBerry, there’s currently no way to do a remote wipe of data stored on a lost iPad.
As I’ve noted in previous posts, lost or stolen mobile devices are shaping up as one of the most common reasons for breaches of HIPAA security and 22% of large US enterprises investigated a leak of confidential or private data involving the theft or loss of a mobile device in the past 12 months.
The Computerworld article I noted above touches on a lot of other issues including tough data protection laws (such as those in the state of Massachusetts) that require encryption of stored personal data, susceptibility to other types of hacks and jailbreaks, etc.
I guess the last thing I’d say about the iPad and e-mail/Web security is that it really weirds me out to surf the Web or read e-mail without some sort of third-party anti-virus software installed… But I see that The Register is reporting that at least one vendor, Intego, is already promoting Mac software that can at least scan the iPad for malware.