The dawn is near; the iPhone blitz lies prepared to turn your security team into zombies. On June 29th, your helpdesk systems will be inundated with whines to "make my new flashy iPhone work with my work PC". No amount of beer, ThinkGeek gadgets or favors will get me or my team to kowtow.
Thanks to Andy Greenberg at Forbes for allowing me to interject some commentary into his article "is the iPhone Insecure?" While I took a bashing from the MacDailyNews community, I stand by my statement - 'It's [the iPhone] going to be entering enterprise networks whether we like it or not, and it's a nightmare for security teams.'
Most pundits rest their entire counter-viewpoint on the fact that the iPhone runs OSX (or some derivative thereof) -- "it's from Apple, it's OSX, therefore it's secure". First off, OSX isn't all puppy dogs and candy canes. Allow me to also dispel the myth of my favorite OS affiliation - no, it's not Windows. And my personal history with *nix operating systems began in 1990. Hopefully, though, we can steer this topic clear of the quagmire of OS wars. One should adopt the right OS for the right situation (period).
The topic of enterprise security is what I write about here. As the iPhone currently stands, it has no place in the enterprise network simply because it lacks enterprise security controls. No doubt most of our commentary on the iPhone is speculative. The most anyone can get out of Apple are demonstrations of the iPhone's fantastic usability interfaces...and boy aren't they cool! Given that Apple has (so far) completely failed to address enterprise security, enterprise security teams must prepare for the worst. The vendor plays an important role in security methodologies, something I've written on before. Faced with a lack of vendor information, we must hunker down and prepare our defenses. For all our sakes, let's hope Apple pulls this one off (besides, I'd like an iPhone too). Though I suppose Apple's market analysis has probably already told them this: despite my own concerns, people like me will still pony up the $$ regardless.
Since so much of this topic is purely speculation and Apple wouldn't even answer questions for Forbes, I've assembled a straw-man list of questions. The list below is by no means exhaustive. Apple, if you read this, would you please address these questions in a public forum - we'd all like to know what to expect and how to reel this new gadget into our security policies.
Questions for Apple regarding the iPhone:
- Is data encrypted while in transit?
- Is data encrypted on the device?
- Is data encrypted on removable memory?
- Is data removed if the device hasn't checked in centrally, hasn't received a policy update within a time window, or if battery power is too low?
- Is there S/MIME support?
- Is there PGP support?
- Are there electromagnetic analysis countermeasures?
- Are there DRM applications? (Ability to read, but not forward data)
- Is there user authentication by means of password, passphrase or smart card?
- Does the device automatically lock and require authentication to unlock?
- Are the encryption keys stored on the device, and are they themselves encrypted?
- Does the device have a firewall on its network interfaces?
- Are the network interfaces disabled by default, and does the user have the ability to disable them at will?
- Is there the ability to remotely lock and disable the device?
- Is there the ability to remotely wipe and backup data?
- Is there the ability to centrally develop and enforce policy settings?
- Is there centralized reporting of all device events - calls made, data transferred, usage statistics?
Update: This just in from Network World
The analyst firm Gartner will tell IT executives to keep Apple's iPhone away from their networks, in a research report to be released within a week. "We're telling IT executives to not support it because Apple has no intentions of supporting (iPhone use in) the enterprise," Gartner analyst Ken Dulaney says. "This is basically a cellular iPod with some other capabilities and it's important that it be recognized as such."
Full story available here
Update 6/22/07
eWeek has a nice writeup covering viewpoints including mine, Matasano's (Dave Goldsmith) and Gartner's. Check out the last page of the article, where you'll find that eWeek got Microsoft to answer my list of questions above.
Comments (6)
Yeah. Look. AT&T & Apple are purposefully NOT selling this device into business accounts. If you can't keep your users in line with policy, that's supposed to be the vendor's problem to address? That's bullcrap.
Seriously, that is one long laundry list of nearly useless security "nice haves" that have such a limited risk reducing effect as controls that it's not even worth debating if those features should be considered.
Do us a favor, divorce yourself from the brand name and ask yourself how many phones, no, how many freakin' laptops you have there at nCircle that would pass your checklist.
Posted by Nigel Mellish | June 19, 2007 4:31 PM
Hi!
If you have ever worked with an OSX system you could directly answer a lot of your questions....
So please do some homework before you report your findings.
Kind regards,
James Delute
Posted by James Delute | June 20, 2007 2:32 AM
Good post, Andrew.
Sad to see the fanboys sweeping in with defensive-sounding comments.
Nigel: Where did he blame the vendor for anything? He said Apple should publish those details specifically so that companies can understand why they should be writing iPhone bans into their security policies.
Most of the items on that list are security "must haves", not "nice haves", for government and corporate.
Difference between a regular cell phone and a smartphone: the latter is likely to end up with sensitive data on it if you use it with your work computer, or to do work related e-mail. Regular cell phones aren't. Security capabilities of other smartphones are already well understood and accounted for. Same goes for laptops.
Posted by PorkBellyFutures | June 20, 2007 10:59 AM
Take the easy way out - block USB storage devices.
Posted by Ian | June 21, 2007 9:06 AM
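Ian's suggestion above is a concrete control a Windows administrator can apply today. The following is an added example, not code from the original post or any commenter, showing how to disable the Windows USB mass-storage driver (USBSTOR) from an elevated PowerShell session and verify the result. It assumes a Windows host, an Administrator session, and that the organisation has decided the control is acceptable for the affected users; the function names are mine.

```powershell
# Added example (not from the original post): block removable USB disks by
# disabling the USBSTOR driver, then verify the setting.
# Assumptions: Windows host, elevated PowerShell session.
# Scope: USBSTOR only serves USB mass-storage class devices; keyboards, mice
# and devices that enumerate as cameras or media players use other drivers.

$UsbStorKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'

# Driver "Start" values: 3 = load on demand (the default), 4 = disabled.
$StartOnDemand = 3
$StartDisabled = 4

function Get-UsbStorageState {
    # Reads the current Start value and reports it in plain words.
    $start = (Get-ItemProperty -Path $UsbStorKey -Name Start).Start
    if ($start -eq $StartDisabled) { 'Disabled' } else { 'Enabled' }
}

function Disable-UsbStorage {
    # Start=4 stops usbstor.sys from loading for newly attached devices.
    # A disk that is already mounted keeps working until it is unplugged.
    Set-ItemProperty -Path $UsbStorKey -Name Start -Value $StartDisabled -Type DWord
    Get-UsbStorageState
}

function Enable-UsbStorage {
    # Restores the default on-demand loading of the driver.
    Set-ItemProperty -Path $UsbStorKey -Name Start -Value $StartOnDemand -Type DWord
    Get-UsbStorageState
}

# Usage (run as Administrator): show the state, apply the block, show it again.
Write-Host "Before: USB mass storage is $(Get-UsbStorageState)"
Disable-UsbStorage | Out-Null
Write-Host "After:  USB mass storage is $(Get-UsbStorageState)"
```

Two caveats for anyone relying on this as their iPhone control: a phone that presents itself to Windows as a camera or media player rather than as a mass-storage disk is handled by different drivers, so confirm which device class the phone enumerates under in Device Manager before treating USBSTOR alone as a complete block; and a user with local administrator rights can simply set the value back, which is why this key is normally pushed and re-enforced by Group Policy rather than set by hand.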
@PorkBellyFutures
What I object to is that there's no reason to hold Apple to a higher standard than, oh, Motorola, Microsoft, Palm, Dell, HP, et al., esp. when a reasonable risk analysis would show that there's very little reason for needing much of the information on that list.
Asking for "electromagnetic analysis countermeasures" is pure hubris, and the kind of nonsense that makes security unwelcome when it comes to real risk reduction needs.
As for "what's required for corporate and government" - what part of "AT&T & Apple are purposefully NOT selling this device into business accounts." is confusing to you?
Posted by NigelMellish | June 22, 2007 7:43 AM
While I doubt many people will see this comment, it's better than posting a new entry on this topic. So two quick items.
1) My list, which everyone seems to think is outlandish - I invite you to go pull the security PDF from RIM. My list is actually just a subset of the RIM security list. I didn't make it up, and for nCircle and so many corporations these items are REQUIRED.
2) To those who continue to say I didn't do my homework. Well, I can see where you might get that impression. Since I do note that I speculate and I do ask a long list of questions, you might just assume I haven't done my homework or already attempted to find out the answers. The fact is, the reason I ask these questions is I DID do my homework and these are the questions which I couldn't get answers to. As I noted in my post, if Apple won't respond to Forbes, then I bet they won't respond to me either. Hence I've posted them here for two reasons. 1 - maybe someone from Apple will see them or 2 - maybe an iPhone beta user will see them.
The point of this post is to highlight how a vendor is about to release a product, but has failed to provide enterprise security teams with the necessary information.
And to all those who, to paraphrase, say "it's no worse than any other phone, USB device or iPod", to a good degree you are correct and I have always agreed.
Posted by Andrew Storms | June 22, 2007 8:41 AM