7 Steps to Stronger Enterprise iPhone Security

Which pieces of iPhone security advice should CIOs take to heart? Here are seven practices to insist on and three to ignore, according to Forrester Research.

Think iPhone security stinks? A new Forrester Research report finds that the iPhone and iPad are secure enough for most enterprises, including highly regulated ones.

Only a couple of years ago, iPhones weren't considered secure enough for the enterprise, especially compared to the more secure RIM BlackBerry. Much of that changed with the encryption capabilities of the iPhone 3GS and, later, iOS 4. Today, 29 percent of North American and European enterprises support the iPhone, according to Forrester.

That figure will continue to grow because Apple's improved security only lays the groundwork for iPhones and iPads to push even deeper into the enterprise. "By 2013, curating and managing the delivery of mobile applications, not securing the devices, will be the next frontier," writes Forrester analyst Andrew Jaquith in the report.


So where does this leave the venerable enterprise BlackBerry? The iPhone has been battering at BlackBerry's enterprise stronghold, making particular advances among small and mid-sized businesses, say analysts. Now RIM faces another onslaught in the enterprise, this time at the doors of its popular BlackBerry Enterprise Server (BES).

Industry watchers have been calling for RIM to open BES to manage multiple mobile platforms. So far, RIM has kept a tight lid on BES. Microsoft, on the other hand, has been more than accommodating with ActiveSync. Forrester expects ActiveSync will eventually become the BES-equivalent for Apple and Android devices.

Nevertheless, Apple can do more to secure iPhones and iPads for the enterprise. Forrester says Apple should redouble its efforts to fix coding flaws in its bootloader and Safari browser. The iPhone also falls short for enterprises that require an extraordinarily high level of compliance: it has no support for smart card authentication or for certain encryption technologies (S/MIME and PGP).

Apple also received a blow recently when the U.S. Library of Congress ruled that people who "jailbreak" phones to add non-Apple approved apps should be exempt from prosecution. The ruling could lead to more jailbreaking and, as a result, more headline-grabbing exploits that damage the iPhone's image.

Even though enterprises will most likely write non-jailbreaking clauses into their IT policies, the threat is that conservative companies won't allow iPhones in the first place because they will have deemed them easily hackable.

For now, according to Forrester, there are seven security policies every iPhone-supporting CIO should follow:

1. Email Encryption a Must

iPhones and iPads can enforce email session encryption via ActiveSync. For more highly regulated industries, iPhones and iPads can use device certificates for stronger authentication to email, as well as VPNs and Wi-Fi networks, according to Forrester.

The iPad, iPhone 3GS and iPhone 4 also all support hardware device encryption—a required feature for many enterprises. Apple's mail app also supports application-level encryption in iOS 4.

2. Stolen iPhone? Wipe It

Be ready to turn a lost or stolen iPhone into a brick using "crypto-shredding," which lets an enterprise remotely wipe the data on an iPhone 3GS or iPhone 4 in less than a second, according to Forrester. Strictly speaking, this method doesn't wipe the data itself; rather, it overwrites the encryption key, rendering the data unreadable. Remote wipe works via tools in Exchange and MobileMe.

3. Password Lock

Require users to lock their iPhones with a password that uses numbers and characters, not just a simple PIN such as 1111 or 1234. For more highly regulated enterprises, Forrester recommends a seven-character alphanumeric password that also requires special characters.

4. Autolock After 15 Minutes

Many enterprises require 15-minute inactivity time-outs, while others set the lockout at 30 minutes so users are interrupted less often, according to Forrester. Neither really matters for iPhone 3GS users because the iPhone 3GS auto-locks after a maximum of five minutes. (iPhone auto-lock is required when you add an Exchange email account.)

5. Failed Password Attempt Policy

Forrester advises companies to configure the iPhone and iPad so that they automatically wipe after several failed unlock attempts. One high security level calls for a six-digit passcode (not just a simple PIN) and a policy that auto-wipes the phone after four wrong guesses.

6. Configuration Profile Under Lock and Key

IT managers should protect the mobile configuration profile with a password. This ensures that users can't remove the profile unless they wipe the device clean to factory defaults, Forrester says.
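Items 3 through 6 above all map onto Apple's configuration profile format (a property-list file, typically built with the iPhone Configuration Utility of that era and pushed to devices). The profile below is an added example written for this article, not Forrester's or Apple's own; it uses Forrester's high-regulation settings (seven alphanumeric characters with a special character, 15-minute auto-lock, wipe after four failed attempts) plus a removal password, and the identifiers, UUIDs and the removal password are placeholders.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>PayloadContent</key>
  <array>
    <!-- Passcode policy payload: covers items 3, 4 and 5 above -->
    <dict>
      <key>PayloadType</key>        <string>com.apple.mobiledevice.passwordpolicy</string>
      <key>PayloadIdentifier</key>  <string>com.example.corp.passcode</string>
      <key>PayloadUUID</key>        <string>11111111-1111-1111-1111-111111111111</string>
      <key>PayloadVersion</key>     <integer>1</integer>
      <!-- Item 3: passcode required, simple PINs such as 1234 refused,
           seven alphanumeric characters with at least one special character -->
      <key>forcePIN</key>            <true/>
      <key>allowSimple</key>         <false/>
      <key>requireAlphanumeric</key> <true/>
      <key>minLength</key>           <integer>7</integer>
      <key>minComplexChars</key>     <integer>1</integer>
      <!-- Item 4: auto-lock after 15 minutes of inactivity -->
      <key>maxInactivity</key>       <integer>15</integer>
      <!-- Item 5: wipe the device after four wrong passcode guesses -->
      <key>maxFailedAttempts</key>   <integer>4</integer>
    </dict>
    <!-- Item 6: removal password, so the profile stays unless the device is reset -->
    <dict>
      <key>PayloadType</key>        <string>com.apple.profileRemovalPassword</string>
      <key>PayloadIdentifier</key>  <string>com.example.corp.removal</string>
      <key>PayloadUUID</key>        <string>22222222-2222-2222-2222-222222222222</string>
      <key>PayloadVersion</key>     <integer>1</integer>
      <key>RemovalPassword</key>    <string>REPLACE-WITH-REMOVAL-PASSWORD</string>
    </dict>
  </array>
  <!-- Top-level profile metadata; identifiers and UUIDs are placeholders -->
  <key>PayloadType</key>        <string>Configuration</string>
  <key>PayloadDisplayName</key> <string>Corporate iPhone Security Policy</string>
  <key>PayloadIdentifier</key>  <string>com.example.corp.security</string>
  <key>PayloadUUID</key>        <string>00000000-0000-0000-0000-000000000000</string>
  <key>PayloadVersion</key>     <integer>1</integer>
</dict>
</plist>
```

For the six-digit variant mentioned under item 5, set `minLength` to 6 and `requireAlphanumeric` to `false` while keeping `allowSimple` at `false` and `maxFailedAttempts` at 4.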

7. Continuously Refresh Policies

Forrester recommends using ActiveSync to continuously enforce policies. ActiveSync can automatically refresh policies for passwords and autolocking when iPhones connect to the server, Forrester says.

Beyond these seven security practices, companies can tighten security further with tough IT policies (at the risk of upsetting users). Enterprises can prohibit non-approved apps, block the use of the iPhone camera, require the screen-capture feature to be disabled, and restrict (or prevent) the use of the YouTube app and the browser, among other measures.

On the flip side, there are security "red herrings" that a CIO doesn't need to worry about, says Forrester. Here are three of them:

1. Don't Waste Money on iPhone Antivirus and Host Firewall Software

Shouldn't every device tapping your network run antivirus, host intrusion prevention and a host firewall? Nope, says Forrester. "The combination of Apple's code-signing system, sandboxing and its curated App Store eliminates the threat of malicious mobile codes for the foreseeable future," Jaquith writes. "Moreover, the devices don't listen on any open network ports, making a firewall unnecessary."

2. Data Leak Prevention? Fuggetaboutit

You don't need data leak prevention (DLP) on smartphones, says Forrester. But if you must, then deploy DLP on email servers instead of the actual devices.

3. USB Still Easier for Stolen Documents

Are you worried that the iPhone or iPad might be used as a document-stealing device, like a USB thumb drive? Sure, there's document syncing between an iPhone/iPad and a PC (although PC software can be used to block transfers). "That said, employees intending to steal documents will seek less convoluted methods than smuggling them out on their iPads," Jaquith writes. "Using Web mail sites, posting to DropBox, or copying to uncontrolled USB sticks is much easier."

Tom Kaneshige covers Apple and Networking for CIO.com. Follow Tom on Twitter @kaneshige. Follow everything from CIO.com on Twitter @CIOonline. Email Tom at tkaneshige@cio.com.

Copyright © 2010 IDG Communications, Inc.
