iPad security for the enterprise still subject to debate

Apple's tablet has a Cisco VPN, but that's not widely known

Whether the iPad is secure enough for enterprise use is debatable, based on a survey of several analysts and experts.

Some analysts say that with tougher data protection laws, such as one that recently took effect in Massachusetts, the iPad deserves an F for security readiness for financial services companies and businesses in other federally regulated industries.

But that view contrasts with the opinion of other security professionals who give the iPad a grade of B for overall enterprise readiness. One of them, Wolfgang Kandek, chief technology officer at security firm Qualys Inc., predicted today that "the iPad will make its inroad into the enterprise just by force of users, and it's going to be a really interesting conundrum for IT managers. I don't think the iPad is ready today, but it will make its way into the enterprise even as it clashes with the typical enterprise IT mentality."

The iPad will come crashing into the enterprise in the hands of average workers, the same way the iPhone did, Forrester Research Inc. analyst Ted Schadler said in an earlier blog post.

Some information about the iPad's security features is apparently not well known, so some of the concerns about the device might not be warranted. For example, some industry analysts interviewed today were unaware that the iPad ships with a native IPSec VPN from Cisco Systems Inc. One analyst said there is wide speculation on the Web that a third-party VPN would not be supported, calling into question whether data transmissions would be secure.

However, the iPad does include the Cisco IPSec VPN, along with a section for configuring L2TP and PPTP VPNs. All three are located under the settings icon and then under "networks," and they likely require information from system administrators to be fully configured.

Even with the VPN for creating a tunnel to send data securely from place to place, analyst Jack Gold of J.Gold Associates questioned whether encrypted data stored on the iPad would be safe from hackers.

Gold said some experts have demonstrated the ability to hack certain versions of the iPhone, which contains earlier versions of the operating system used in the iPad and also provides data encryption.

"Some of that encryption can be worked around, which means the iPad gets an F from any regulated corporation that must protect data," Gold said.

Gold said IT managers may be unaware of the stiff new Massachusetts data protection law that affects businesses working in the state and requires encryption of data on all kinds of devices.

Perhaps the iPad's encryption would be sufficient to meet the conditions of the new law, but Gold said the iPad's vulnerability to the same kind of hacks used to penetrate the iPhone suggests otherwise.

Regarding that related iPhone security, Gartner Inc. published a research note in February stating that early versions of the iPhone were vulnerable to jailbreaks. Even Apple's iPhone OS 3.1.3 update, which includes firmware revisions for late-model iPhone 3GS devices, could be vulnerable to "hackers [who] may discover new access methods," the note said.

The iPad, which runs Apple's iPhone OS 3.2, presumably has the same firmware updates provided in Version 3.1.3. Later in the same note, Gartner said that the iPhone 3GS also has embedded 256-bit AES hardware encryption that can't be turned off -- but data is still vulnerable if the device is jailbroken or otherwise hacked.

The note also includes a series of tips for iPhone security in the enterprise, which Gartner analyst Ken Dulaney said would also apply to the iPad. The tips include some fairly standard measures, such as enforcing the use of passcodes and using complex passcodes, locking the device after a maximum number of password retries, enforcing a device timeout to prevent theft of data when a device is left unused, selectively disabling YouTube, the App Store and iTunes, preventing the capture of screenshots, and installing certificates for VPN use.

Despite Apple's updates and the inclusion of the Cisco VPN, Dulaney said Gartner concludes that the iPad is "not enterprise-ready... and Apple would have no problem with Gartner saying this was not enterprise-ready."

"We don't endorse use of netbooks, and the iPad is in the same category," Dulaney added. "We don't think it has the security and manageability capabilities for offline applications and, more importantly, the support of Apple for the enterprise."

Even so, Dulaney said he knows that some companies will support the iPad, just as they have the iPhone, including companies that want to project a high-tech image. He also said a variety of companies will develop iPad applications for their customers, the same way some banks avoided using the iPhone internally at first but also built iPhone banking applications for their customers.

Dulaney also noted that supporting corporate e-mail via the iPad will be no different than it is with the iPhone. "It works... and the security enforced by [Microsoft] Exchange is sufficient," he said.

In general, Dulaney expects some large businesses to support iPad applications "just because there is enthusiasm to support them. They will break their rules for security and manageability, but it is their right to do that."

Tablet computers are best suited for workers who spend much of the day on their feet, away from their desks, Dulaney said. For any company wanting to design a touch-screen application for businesspeople, he recommended a Windows 7 tablet instead of the iPad, since it is part of a mature and well-tested market.

Matt Hamblen covers mobile and wireless, smartphones and other handhelds, and wireless networking for Computerworld. Follow Matt on Twitter at @matthamblen, or subscribe to Matt's RSS feed. His e-mail address is mhamblen@computerworld.com.

Copyright © 2010 IDG Communications, Inc.
