7 Steps to Stronger Enterprise iPhone Security

Which pieces of iPhone security advice should CIOs take to heart? Here are seven practices to insist on and three to ignore, according to Forrester Research.

Tue, August 03, 2010

CIO — Think iPhone security stinks? A new Forrester Research report finds that the iPhone and iPad are secure enough for most enterprises, including highly regulated ones.

Only a couple of years ago, iPhones weren't considered secure enough for the enterprise, especially compared to the more secure RIM BlackBerry. Much of that changed with the encryption capabilities of the iPhone 3GS and, later, iOS 4. Today, 29 percent of North American and European enterprises support the iPhone, according to Forrester.

That figure will continue to grow because Apple's (AAPL) improved security only lays the groundwork for iPhones and iPads to push even deeper into the enterprise. "By 2013, curating and managing the delivery of mobile applications, not securing the devices, will be the next frontier," writes Forrester analyst Andrew Jaquith in the report.


So where does this leave the venerable enterprise BlackBerry? The iPhone has been battering at BlackBerry's enterprise stronghold, making particular advances among small and mid-sized businesses, say analysts. Now RIM faces another onslaught in the enterprise, this time at the doors of its popular BlackBerry Enterprise Server (BES).

Industry watchers have been calling for RIM to open BES to manage multiple mobile platforms. So far, RIM has kept a tight lid on BES. Microsoft (MSFT), on the other hand, has been more than accommodating with ActiveSync. Forrester expects ActiveSync will eventually become the BES-equivalent for Apple and Android devices.

Nevertheless, Apple can do more to secure iPhones and iPads for the enterprise. Forrester says Apple should redouble its efforts to fix coding flaws in its bootloader and Safari browser. The iPhone also falls short for enterprises requiring an extraordinarily high level of compliance: for example, it lacks support for smart card authentication and for certain encryption technologies (S/MIME and PGP).

Apple also received a blow recently when the U.S. Library of Congress ruled that people who "jailbreak" phones to add non-Apple approved apps should be exempt from prosecution. The ruling could lead to more jailbreaking and, as a result, more headline-grabbing exploits that damage the iPhone's image.

Even though enterprises will most likely write non-jailbreaking clauses into their IT policies, the threat is that conservative companies won't allow iPhones in the first place because they will have deemed them easily hackable.

For now, according to Forrester, there are seven security policies every iPhone-supporting CIO should follow:

1. Email Encryption a Must

iPhones and iPads can enforce email session encryption via ActiveSync. For more highly regulated industries, iPhones and iPads can use device certificates for stronger authentication to email, as well as VPNs and Wi-Fi networks, according to Forrester.
