nCircle.com >> nCircle Blog >> Sync


Smartphones Archives

June 28, 2007

Supporting smartphones in your enterprise

If you haven't heard, there is a new smartphone entering the market tomorrow, June 29th. Apple has publicly stated a goal of selling 10 million iPhones in 2008. In the larger smartphone market, 10 million iPhones is not a huge share. According to market analysis data shared by Symbian, Gartner says that 72.9 million smartphones were shipped in 2006, a 50% increase over 2005. What you should be concerned about is the expected rapid penetration of all smartphones. Canalys predicts global smartphone shipments will reach 1 billion by 2012. That's 1 billion handheld devices with gigabytes of storage, a USB connector, a Bluetooth interface and connectivity to cellular as well as wifi networks. Moore's law aside, nobody could have predicted that those 1980s-era big black box cell phones would morph into a pocket-sized computing platform rivaling most computers of just 10 years ago.

If someone in your organization hasn't already asked your IT team to support one of these devices, then chances are the devices already exist on your network and you've chosen to ignore them. Here is your two-by-four smack to the behind. If Apple's market penetration with the iPod is any predictor for the iPhone, then you can easily anticipate the thundering herd. You can choose to embrace the change, fight it or ignore it. As a security professional, I suggest a skeptical embrace of the iPhone. Toward the overall goal of supporting smartphones in your enterprise, I suggest four top-line items for you to consider.

1 Embrace the Need
No matter how much you may want to believe that a zero-tolerance policy keeps these devices away from your networks and company intellectual property, you must accept the truth. There are smartphones, iPods and USB drives in your offices. There is employee, vendor and customer information residing on unapproved storage media. Don't ignore the requests for IT to support handheld devices; choose to be proactive. Investigate the options available, and speak with your users and vendors to find a palatable solution.

2 Centralized, Supportable, Risk Mitigation
While you are investigating your options, think: centralized, supportable and risk mitigation. Like any good enterprise deployment, you want the biggest win with the least amount of overhead. Consider a solution that can be centrally managed and works within your existing supported infrastructure. Make sure that you can support the system under an SLA that you, your users and your managers can accept. Furthermore, adding service for smartphones may increase the risk posture of your company, of other business units, and of your customers and vendors. It's important to consider these possible risk side effects. Those who are process oriented may want to include the new services in the information risk analysis and the company business impact analysis.

3 Entry and Exit
Networks are no longer the classic cloud protected by a pinprick of an opening and a T1 to the Internet. Not only may we have hundreds of approved ingress and egress points, but there is also an unknown, possibly dynamic, number of holes. The advent of software VPNs, wireless LANs and now handheld devices aware of multiple network interfaces is turning networks into moldy Swiss cheese. One item to address first: your wifi networks. If you haven't locked down your wireless networks, do so now. Make sure those wireless networks are, first, outside your corporate LAN and, second, require encryption, authentication and authorization before a client can use them.

4 A Policy is Like Poker
Make a policy, stick to your guns, but know when to fold your cards. Not unlike the familiar Windows Active Directory group policies, an enterprise-caliber smartphone solution allows security teams to create and push policies that affect the functionality and security of the devices. You'll want to invest in a solution that lets you centrally manage these policies while also providing reporting, logging and control of smartphone activity. In developing that policy, consider methods to protect confidential data in transit and at rest. Just a few include data encryption, password protection, remote data wiping and over-the-air data backup. Policies do solve a need, but be aware that one must always balance security against productivity. If your smartphone policy automatically locks the device after one minute of idle time, users will quickly become angered at having to type the unlock password countless times throughout the day.

Even if this isn't your wake-up call, it may be time to readdress your security posture when it comes to smartphones. Hopefully, these four items will guide you and your enterprise to a more comfortable place.

August 6, 2007

Response to iPhone security concerns exaggerated

MacWorld recently published an article stating that analysts have exaggerated the security concerns of the iPhone. Some of the statements in the article regarding the security of the iPhone and the overall security of mobile computing deserve further commentary. While I for one have taken it "on the chin" for not jumping on the I-Heart-The-iPhone bandwagon, the purpose of this follow-up is to set the stage for an open discussion of overall smartphone risks to the enterprise.

(The statements printed by MacWorld, in the voice of Andrew Jaquith, are quoted below.)

Policy Always Includes Security

"There are reasons not to support the iPhone - you don't want to support IMAP or the flavor of VPN that the iPhone uses - those are policy decisions," said Jaquith. "Security is not the reason."

Policy, whether or not it is directly related to security, must always account for risk and thus for security. It may be policy that your supported IT applications don't include specific types of VPN or email connectivity over IMAP, but to take security completely off the table when talking policy is shortsighted.

Sensitive Data is on the Device

One argument researchers have against the iPhone is that it has no data security features. Jaquith counters that the iPhone does support SSL and TLS and that there is little sensitive data on the iPhone that needs to be encrypted.

When it comes to information security, it's far better to assume that the iPhone will enter the enterprise network and that users of all types will store sensitive data on the device. Looking at the iPhone from a non-business perspective, users are sure to store private data on the device to simplify their own lives. Items such as an ATM PIN, passwords, social security numbers, a voicemail password and more are all commonly found on cell phones. Let us not forget the Paris Hilton incident years ago, when the data on her Sidekick was stolen. Turning to the iPhone as a business enabler, the email and contacts of any business are certainly confidential and may be considered competitive information. It's better to require data encryption from the start than to learn the hard way later.

Gartner's Dulaney pointed out that the iPhone doesn't have remote wipe (the ability to wipe the phone's data if lost) and it doesn't have a firewall. Again Jaquith said it just doesn't matter because of the type of data the iPhone has on it and none of the iPhone's processes require open TCP/IP ports.

How does the absence of listening ports on a device make the absence of remote administration tools less of an issue? Gartner is correct here; the lack of any centralized and remote policy enforcement for the iPhone makes it a considerably less valid option for enterprise smartphone usage. Furthermore, examining the currently published iPhone vulnerabilities, all of them exist in the MobileSafari web browser. Client-side exploitation does not require open ports on the device, and a host firewall provides no mitigation against it.

Security Thru Obscurity

The Yankee Group also contends that opening any needed ports to allow email connections not going through VPN can be done on non-standard ports, minimizing any risk.

Moving standard services to non-standard ports is not a valid risk-reduction methodology. Discovering IMAP bound to an odd port is an extremely easy job for freely available tools: a scanner identifies the service by the greeting banner it sends on connect, not by the port number. Scanning all 65,535 TCP ports takes well under a day, and once you have the data it's just as easy to point every remote attack tool at the new port.

Custom Apps and File System Access

In addition, all custom applications that run on the iPhone are web-based, and users do not have access to the underlying file system.

Despite great demand for an iPhone SDK, Apple instead chose to deliver a fully functional browser called Mobile Safari. According to Apple, this permits developers to write full Web 2.0 AJAX applications. The downside is that third-party security vendors also can't deliver the applications the enterprise desires, namely integrated AV, anti-spyware, data encryption and firewall products. Furthermore, access to the file system on an iPhone is now relatively easy: with physical access to the device, one can run a free tool called Jailbreak. We also recently learned, from the research by Charlie Miller and his team at ISE, that all applications run as root. This means that once an application is exploited, the injected code has access to all applications and data on the iPhone.

Summary

"Security worries about the iPhone are overblown," said Jaquith. "To boost employee productivity, enterprises would be better served thinking about how to accommodate the iPhone. It's the best phone and iPod I've ever used."

The iPhone and all smartphones on the market today are incredibly powerful devices. These pocket computers rival the computing power of the most powerful machines of just 10 years ago. Security worries about any smartphone should not be taken lightly. While the iPhone may just be the latest device to hit the market, how the enterprise decides to take full advantage of mobile computing is a much more important topic.

To learn more about my top list on managing smartphones, read my prior post on "Supporting smartphones in the Enterprise".


March 6, 2008

Will iPhone 2.0 be Enterprise 1.0 Ready?

Undoubtedly you've heard about the iPhone SDK. While Apple DDoS's its own developer site with thousands of people trying to download the SDK, enterprise security managers are bracing for round 2 of iPhone security vs. the yearning corporate executive.

Putting myself in its proper place

Let's face it: the shiny objects at today's town hall meeting weren't the Exchange integration or the remote wipe feature. It was all about applications and their sheen. Salesforce.com, Electronic Arts, Sega and AOL all steered today's focus away from enterprise security and into Apple's foray of cool. Let's also face it: enterprise security is only fashionable for a very small target audience. I'm in the minority.

Obviously, though, the minority does have a voice with Apple. The Engadget live blog of today's events shows Phil Schiller taking the stage at 10:04AM. By 10:19AM he was done demonstrating all the enterprise integration and security. The enterprise voice lasted 15 minutes; the SDK and iPhone apps from third-party developers went on until 11:03AM.

Does Apple really get it?

Does Apple really understand what it takes to sell something to an enterprise? An enterprise has tens of thousands of IPs, hundreds of network ingress and egress points, and thousands of ways for intellectual property and private data to walk out the door. Let us not forget the deluge of regulations, oversight committees and conformance to hundreds of international governance restrictions. Most enterprises are not running in a resource-positive mode with overflowing headcount sitting idle, eager to consume another mobile device. In order for the iPhone to make headway in the enterprise it will have to displace an existing technology. The most likely candidate for the smartphone junk drawer is the Windows Mobile device, not the BlackBerry.

RIM is here to stay

Phil Schiller's slide showing the 'old' Exchange integration vs. the new method was clearly meant to show ActiveSync's dominance over GoodLink and BlackBerry. Both of those 'inferior' technologies require an intermediary server, whereas ActiveSync is a direct push technology. However, BlackBerry enterprise managers look at it quite differently. They see the BlackBerry Enterprise Server not as a stumbling block, but as a full-fledged, necessary component of the overall mobile device risk management solution.

Apple trusts Microsoft?

How many Mac vs. PC advertisements have you seen? Isn't the PC bloated, a Petri dish of viruses, the embodiment of everything uncouth? But here is the catch: while we wallow in wait for Apple to release the nitty-gritty of how the iPhone enterprise security controls function, Phil Schiller shows a slide that's right out of the Microsoft ActiveSync security deck. Could the iPhone's enterprise security offering be nothing more than an adaptation of the Windows Mobile security options? If that is the case, Apple, in some strange twist of events, will be relying on Microsoft for security conformance.


Whatever might happen, I, like hundreds of other security managers, reached out to our user base today. We all sent the predictable email out to the entire company reminding them that, despite today's town hall meeting, the iPhone is still not an approved device (not yet).


June 25, 2008

iPhone success based on culture?

Ben Whorten of the Wall Street Journal suggests, in his BizTech blog posting, that the iPhone adoption will be based on business culture. Ben may be partially correct. But, when it comes to enterprise infrastructure, "chic" doesn't get the PO signed.

The dynamic struggle between productivity and security is sure to come into play in the decision to support the iPhone on the corporate network. Ben appears to believe that the IT crowd bans technologies on the grounds that they enable the "goof off" factor, while employees interested in using the iPhone believe that it will make them more productive. There is an element of truth in both of these viewpoints, but Ben overlooks a much larger issue central to the decision to support anything on the corporate network: compliance.

Ever since the Sarbanes-Oxley Act of 2002 changed the regulatory climate of business, the CIO's purchasing decisions have been heavily influenced by the vendor's security practices. Public companies generally must comply with a minimum of three different regulations, and many of the associated compliance requirements apply to the company and to its entire supply chain.

Additionally, the consequences of failing an audit are not to be underestimated. Aside from the serious costs involved and the long-term consequence of having to endure more frequent and exacting audits, there is jail time to consider. It's enough to give any CIO pause. In Ben's defense, he does make a practical point: businesses already invested in RIM's BlackBerry are the least likely to make the switch. This is just economics, plain and simple. Without a solid ROI plan, no sane business manager would be willing to overhaul existing infrastructure to switch to the iPhone when the current system already solves the problem, especially in a tight economy. But Ben also says that the switch will "hinge on culture." While culture is a critical component of a company's success (just ask Google), the majority of CIOs can't afford to nuke their existing infrastructure simply because the next cool widget to hit the market supports business email.

Ben's points about the cultural beliefs that skew corporate buyers away from the iPhone missed the most surprising element of Apple's strategy to capture enterprise market share: it is relying on Microsoft for security. No one else seems to see the irony in this that I do. For years, Apple's marketing has hammered on Microsoft's products as bloated and full of security holes. However, Apple obviously realized that in order to enter the enterprise market it had to do something drastic. Evidently, the need to pump up iPhone sales was enough to get Apple behind Microsoft's Exchange ActiveSync. And remember, ActiveSync is more than just a method to deliver email to a handheld device; it is also Microsoft's conduit for delivering security configurations to the device.

Apple builds their revolutionary device to be compliant to Microsoft's handheld information security platform? And they say politics makes strange bedfellows!

About Smartphones

This page contains an archive of all entries posted to Sync in the Smartphones category. They are listed from oldest to newest.
