Catalyst Conference 2008


August 2007

August 20, 2007

Do iPhones Have a Place in the Enterprise? - Security Edition

Tyson the Skateboarding Bulldog

Blogger: Diana Kelley

Burton Group senior analyst, Richard Monson-Haefel, is hosting a panel discussion on iPhone and the enterprise on August 28 and 29. Burton customers can register for the telebriefing here: iPhones in the Enterprise Telebriefing. Richard's invited iPhone-interested analysts to join him. I'll be representing "team security."

My colleague, Eric Maiwald, posted about risk management related to use of mobile devices in the previous post below. Over in the identity blog, Bob Blakley makes the case for why the iPhone is Ready for Prime Time.

And I've been thinking about the risk management questions related specifically to the iPhone. iPhones may well have a place, but I doubt they'll ever be the mobile device of choice for enterprises. Apple's not marketing the device to corporations. The coolest features of the iPhone, a fairly large screen for watching the latest episode of 'The Office' (nod here to SNL's Fred Armisen and his excellent Steve Jobs iPhone parody) or Tyson the skateboarding bulldog on YouTube, and lots of space for storing songs purchased from iTunes, aren't the kind of things that make CEOs decide to kit out every employee with one.

Some organizations allow employees to purchase and use whatever mobile phone they wish, and more employees are purchasing smartphones with browsers, email, and internet access. The iPhone supports IMAP and POP3 access to mail servers. And the Safari browser on the iPhone connects to web accessible corporate email like Microsoft's Outlook Web Access and IBM's Lotus Web Mail.

In cases where enterprises do sanction a specific mobile device, quite frequently RIM's BlackBerry or a Windows Mobile smartphone is the choice. BlackBerries, unlike iPhones, were built for enterprise use and place security at a premium. They're approved for use by NATO and a number of governments (such as Canada, the UK, and Australia). And the BlackBerry cryptographic kernel has received FIPS 140-2 certification in the US. There are many third-party encryption packages (from vendors such as Credant and Utimaco) that allow users to encrypt data on Windows Mobile devices, which provides a layer of security if the smartphone goes missing. iPhones don't have encrypted data storage.

Then there are the greenbacks. AT&T (the required provider for iPhone) is selling BlackBerries for $39.99 to $299.99 and Windows Mobile smartphones for $99. The iPhone costs $499 to $599. What enterprise is going to spend $400 more for a less secure phone just so employees can watch the latest episode of "The Office"? Enterprise use of iPhones is going to be done by employees who wanted the cool factor of the iPhone enough to spend a non-trivial amount of their own money on it.

Therefore, the question for corporate risk managers is "should iPhones be banned from the enterprise?" Well, is the iPhone more or less secure than other smartphones? Probably not, though there is the issue of the inability to encrypt stored data. Smartphone mobile malware is on the rise, and if iPhones gain enough market share, they too will be attack targets. Access to corporate mail from employee-owned devices is risky, but many organizations allow it due to the perceived productivity benefits. Why should the rules be different for iPhone users?

Patches and updates are critical for device security. iPhones support remote updating, as do BlackBerries and Windows Mobile devices, but other smartphones not so much. So there's one factor in favor of enterprise use of the iPhone. BlackBerries and Windows Mobile devices support centralized management and remote lock and wipe; the iPhone does not. There are browser vulnerabilities to consider, but there's no data supporting that Safari is inherently less secure than IE on Windows Mobile.

Should iPhones be banned from the enterprise? That's a question each enterprise will have to answer. But if employee-owned smartphones are allowed and centralized management and encryption of stored data are not required, then there's no compelling reason to ban access for iPhone users. So let the iPhones in, and then folks can gather around the water cooler on Friday mornings to watch the previous night's episode of "The Office" or Tyson on his skateboard.

What do you think? Want to join the discussion on iPhones in the enterprise? Please post a comment or register for the iPhone telebriefing.

August 10, 2007

Beware the iPhone?

Blogger: Eric Maiwald

There were lines around the block. People waited to catch a glimpse of one and hopefully buy one. There were news stories about it. What could have caused this much anticipation? Was it a concert for some famous rock star? Was it a championship game? Was it a chance to catch Barry Bonds' 756th home run ball?

Nope. It was the iPhone. Of course, the iPhone is not just any new cellular phone. With its slick graphics and user interface, it is leaps and bounds ahead of anything mortal man has seen before!

Well…maybe not.

One thing is certain: the iPhone has caused some concern for large enterprises. Since many employees are purchasing iPhones and hooking them up to their computers at work, there is a fear that large amounts of sensitive information may be transferred to the devices. Of course, this is nothing new (not really, anyway). Many employees have PDAs, smartphones, or even USB memory sticks and use them to store sensitive information. Maybe it is just the fact that the hype around the iPhone has made it more visible than the other devices, and that has gotten the attention of the enterprise.

Handheld devices like phones, PDAs, and memory sticks are so common as to be invisible while in plain sight. We all know that portable computers can hold sensitive information. The news media has seen to it that any time a portable computer is lost or stolen, the details of how many credit card or social security numbers were on it are a front-page story. Of course, portable computers are assets that are tracked by enterprises. If an employee loses one, there tends to be a loss of productivity. I can just see a Dilbert cartoon coming:

Dilbert: “Hey Wally, why haven’t you responded to my emails?”
Wally: “I didn’t see them.”
Dilbert: “Why not? Don’t you check your email?”
Wally: “I lost my computer a few months ago so I haven’t been checking my email.”
Dilbert: “Three months ago? Why didn’t you call the help desk and get a new one?”
Wally: “I figured it would be easier to just wait for the hardware refresh cycle.”

So when a portable computer is lost or stolen, the enterprise hears about it. If the computer contains personally identifiable information (PII), the breach notification laws require customers to be contacted, and a negative consequence occurs for the enterprise. Notice that the loss of PII may not in itself be a negative consequence to the enterprise. The cost of replacing credit cards is incurred by the banks. The cost of fraudulent purchases is incurred by the merchants. The individuals may incur costs associated with identity theft. The enterprise incurs costs because of the requirement to notify the individuals and admit the loss or theft. The banks and merchants may then sue them, as is happening in the case of TJX.

Let's go back to the handheld devices. If a PDA, phone, or memory stick is lost or stolen, will the enterprise even know about it? Are these devices tracked as assets of the enterprise? Do employees report the loss or theft if the devices belong to them instead of the enterprise? In many cases, the enterprise will not know about the loss or theft and will likely not have any idea what information is on the device.

Does the enterprise want to know? That is not an easy question to answer. I’m sure that the enterprise wants to know if an event will impact the business. So a memory stick that includes secret designs, patent applications, or other trade secrets would interest the enterprise. Perhaps there are things that could be done after the fact to control or limit the negative consequences.

What if the information is PII? The negative consequences are going to occur to some other entity (banks, merchants, or the individuals). The negative consequences occur to the enterprise only if it knows that the information was lost while unencrypted. If the enterprise doesn't track the devices and never learns that the device was lost or that it contained PII, then the enterprise can't be expected to report it to the media or the individuals. If the PII is used to commit fraud or identity theft, will it be possible to follow the trail back to the lost device? Probably not.

So should enterprises track the use of handheld devices and memory sticks? Should the enterprise try to control them? Ethically, I think the answer is yes. Enterprises have a responsibility to protect sensitive information in their possession. However, from a risk management standpoint, the decision may sometimes go the other way.