
ECSC - UNRESTRICTED

SECURITY MANAGEMENT BRIEFING


iPad - The Risks To Your Business
This Briefing serves to outline some of the current risks of using Apple's iPad for business use. Each risk is accompanied by some brief advice to assist in mitigation. ECSC Management Briefings are, wherever possible, non-technical. They give you enough understanding to uncover technical weaknesses in the way your information security is being managed.
Executive Summary

Since its release in April last year and the release of the iPad 2 in March 2011, Apple has released figures showing that the total number of iPads sold to date exceeds twenty-five million. Whilst primarily aimed at consumers, the iPad has joined laptops and other mobile technologies in becoming an increasingly common business tool.

In its default state, the iPad is not suitable for business use. You need to be careful that iPads are not being used in your business without you being aware. Employees might be using them to access on-line systems and uploading business data to them without your knowledge or authorisation. You need to add security features to ensure the iPad can be used for business purposes without introducing unnecessary risks to your information and systems. This paper outlines the current significant areas of risk and the currently recognised solutions; these solutions are not present by default.

From a security perspective, the iPad is essentially no different from a laptop or desktop computer. When introducing it into your business, steps should be taken to ensure that it complies with your organisation's current security policies; you may well require new security policies, procedures and technical standards to be developed to manage iPads effectively.

You should also recognise that, as with any relatively new technology, new security threats will emerge quite rapidly. In addition, some of the commercial practices of Apple are making them a more direct target for hackers, in the way Microsoft has historically been. Therefore, you should incorporate iPads into your security update procedures and include them in your ongoing vulnerability identification and mitigation processes.

Mobile Device Management (MDM)

The majority of security options for iPads are only available via Mobile Device Management (MDM) solutions provided by third-party server solutions. Via the use of MDM solutions, the iPad supports many of the usual security options one would expect to see in a device intended for business use. You put your organisation at risk if you fail to implement and enforce those security options in compliance with a clearly defined information security policy.

The MDM enhancements fall into a number of features:
Device Security - enforcing effective password usage.
Data Security - encrypting data and enabling remote wiping of data.
Network Security - ensuring communications cannot be intercepted.
Application Security - controlling what software can run on the device.

Although integration with Microsoft Exchange can add some security features to an iPad, it does not offer the range of security features of an MDM solution and therefore should not be regarded as a complete solution. As with other remote technologies, iPads should be configured to route all their traffic through the organisation's security perimeter and associated protection layers, giving you better control and visibility.

The table below summarises the main risks. Most mitigations detailed below can be facilitated through appropriate MDM solutions:

Risk Area: Storage Encryption
Risk Summary: The iOS hard drive encryption is reliant on the user's PIN/passphrase. Commercial tools are available to brute force this.
Potential Mitigation: Enforce long and complex passphrases. Educate users to report lost/stolen devices immediately, and implement emergency remote wiping.

Risk Area: Uncontrolled Applications
Risk Summary: The user has instant access to thousands of applications.
Potential Mitigation: Although applications are approved by Apple, their primary consideration is not business security. You need to control and approve all applications on your business devices.

Risk Area: Web Browser Security
Risk Summary: Microsoft Internet Explorer security policies are not applied to the iPad.
Potential Mitigation: Utilise a compulsory web proxy configuration within Safari to enforce web browsing access control and auditing via your current web security gateway solution. Employ MDM to manage browser profiles and security settings.

Risk Area: Passwords
Risk Summary: iPads do not allow for password-based device locking, or provide password complexity options, by default.
Potential Mitigation: Enforce complex passwords in compliance with your IT security policy through an ActiveSync or MDM profile. Also, make sure the clear password option is associated with an enforce password feature.

Risk Area: Auto-lock
Risk Summary: Even with a password, an iPad can give extended access times before requesting a login.
Potential Mitigation: Ensure that the values for auto-lock on idle match your organisation's screen-saver auto-lock values and that the grace period feature is disabled, in compliance with your organisation's security policy.

Risk Area: External Storage
Risk Summary: Although the iPad doesn't support USB sticks, users may be using insecure on-line cloud services.
Potential Mitigation: Restrict application installation, and educate users on where data should be saved.

Risk Area: Backups and Updates
Risk Summary: Currently, backups and updates can only be applied if the iPad is connected to a PC or Apple computer. With the arrival of iOS 5, iPad users are expected to be able to perform over-the-air iOS updates and back up their device to Apple's iCloud service, which should be available in the Autumn.
Potential Mitigation: We expect future MDM solutions to offer backup to the corporate network.

Risk Area: Wireless
Risk Summary: The iPad is dependent upon wireless technologies, with no MDM options to restrict this.
Potential Mitigation: Configure iPads to use an always-on VPN to force all traffic leaving the device to be securely encrypted and sent to your corporate network, allowing network access controls to be applied by your existing firewall.
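A compliance check for the Passwords and Auto-lock rows above, as an added example that is not part of ECSC's briefing: it audits an iOS passcode-policy configuration profile (Apple's com.apple.mobiledevice.passwordpolicy payload) for a required, complex passcode, an idle lock and a disabled grace period. The sample profile, the threshold values in POLICY and the function names are constructed for illustration.

```python
import plistlib
# Constructed sample profile (not ECSC's): a passcode payload that leaves
# the iPad close to its defaults. Key names are Apple's passcode-policy keys.
WEAK_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>PayloadType</key><string>Configuration</string>
<key>PayloadContent</key><array><dict>
<key>PayloadType</key><string>com.apple.mobiledevice.passwordpolicy</string>
<key>forcePIN</key><true/>
<key>allowSimple</key><true/>
<key>minLength</key><integer>4</integer>
<key>maxInactivity</key><integer>15</integer>
<key>maxGracePeriod</key><integer>60</integer>
</dict></array></dict></plist>"""

# Threshold values assumed for illustration; align them with your own
# password and screen-saver standards, as the briefing advises.
POLICY = {"minLength": 8, "maxInactivity": 5}
PAYLOAD = "com.apple.mobiledevice.passwordpolicy"

def audit_passcode_policy(profile_bytes):
    """Return a list of findings; an empty list means the profile complies."""
    root = plistlib.loads(profile_bytes)
    payloads = [p for p in root.get("PayloadContent", [])
                if p.get("PayloadType") == PAYLOAD]
    if not payloads:
        return ["no passcode payload: device locking is not enforced at all"]
    p, findings = payloads[0], []
    # Every control must be set explicitly; a missing key is treated as weak.
    if not p.get("forcePIN"):
        findings.append("forcePIN not set: a passcode is not required")
    if p.get("allowSimple", True):
        findings.append("allowSimple on: repeated/sequential PINs allowed")
    if not p.get("requireAlphanumeric"):
        findings.append("requireAlphanumeric not set: numeric-only PINs allowed")
    if p.get("minLength", 0) < POLICY["minLength"]:
        findings.append("minLength below %d" % POLICY["minLength"])
    if p.get("maxInactivity", 99) > POLICY["maxInactivity"]:
        findings.append("maxInactivity above %d minutes" % POLICY["maxInactivity"])
    if p.get("maxGracePeriod", 99) != 0:
        findings.append("maxGracePeriod not 0: grace period is not disabled")
    return findings

def with_settings(profile_bytes, **overrides):
    """Return a copy of the profile with the passcode payload keys overridden."""
    root = plistlib.loads(profile_bytes)
    for p in root.get("PayloadContent", []):
        if p.get("PayloadType") == PAYLOAD:
            p.update(overrides)
    return plistlib.dumps(root)
```

Running audit_passcode_policy on a profile exported from your MDM console gives a quick list of the controls that still fall short of your policy before the profile is pushed to devices.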

And finally, recent high-profile attacks against security vendors remind us that MDM providers may themselves be the target of future attacks. This should be factored into your continued risk assessment and remediation efforts.

ECSC Ltd 1 Valley Court Bradford West Yorkshire BD1 4SP Tel: +44 (0)1274 736223 Web: www.ecsc.co.uk Email: info@ecsc.co.uk
Reg No. 3964848, VAT No. 746361914 Copyright ECSC Ltd 2011
Security Management Briefings are published on a general basis for information only and no liability is accepted for errors of fact or opinion that they may contain. Professional advice should always be obtained before applying the information to any particular circumstances. ECSC Ltd cannot accept any liability for any action taken or not taken on the basis of the content of Security Management Briefings.