by Tom Kaneshige

iPad Invades the Enterprise: How Big Are Security Risks?

Oct 29, 2010
Car TechConsumer ElectronicsData and Information Security

Enterprise IT has had no choice but to deal with iPads as they walk through the front door being carried by executives. But one mobile apps expert says the iPad wouldn't have passed last year's enterprise security requirements.

IT organizations have come to a stunning realization: There is no stopping the great iPad enterprise invasion. Risks abound as companies must deal with securing iPad apps without much help from Apple, says Julie Palen, senior VP of mobile device management at Tangoe, a telecom expense management software and services provider.

Palen’s group develops software that helps companies such as Wells Fargo and Coca-Cola manage BlackBerries, iPhones, Android devices and iPads—any devices connecting to a company’s back-end computing environment via Active Sync, BES and Good Mobile Messaging.

The iPad, in particular, has had a rapid rise in enterprise adoption. More than 65 percent of Fortune 500 companies are deploying or piloting the iPad, Apple said during its most recent earnings call. Around 60 percent of Tangoe’s new business deals in the last quarter involve companies that have already deployed iPads or are planning to do so.

But the iPad isn’t really enterprise ready, in terms of manageability and security, says Palen, a 10-year veteran of mobile device management. She says IT organizations are buckling under pressure to support the iPad, even though the iPad wouldn’t have passed last year’s enterprise security requirements. talked with Palen about the iPad’s unique path to the enterprise and the resulting security questions.

Julie Palen, senior VP at Tangoe

What are some cool iPad projects?

Palen: We’re seeing a lot of companies in retail, medical and automotive putting business apps on iPads. iPads are a slick, cool way of interacting with the customer, and companies can leverage the iPad’s cool factor in the buying experience One cosmetic company is using iPads as point-of-sale devices in their retail stores in malls. The iPad shows complementary products that go well with a customer’s selection.

Similarly, on the automotive side, one of our customers is putting iPads into the hands of their sales reps out on the lots. The iPads show features that can be added to a specific car. A sales rep can do searches for the customer right on the spot. For instance, one of their other dealerships might have the specific car that the customer is looking for. If the customer has an iPad or iPhone, they can receive a notification when their car is ready, pay the bill online, and drive off with the car without having to deal with all of the paperwork.

Aren’t iPads difficult to manage and secure?

Palen: We automate the provisioning process of how the iPad connects to your back end data. We provide insight into that device: the OS, available memory, what apps are on it. The fact that I can push out apps to the iPad but can’t remove them is problematic for the enterprise. You have to either lock down iPads by restricting apps on the device to only those that you push—nothing from the App Store—or wipe devices.

On the other hand, unlike Android, iOS apps have to go through Apple’s certification process. So there is a level of security that apps aren’t going to create a whole bunch of issues on the devices or in the environment. That’s a big, big issue we see on the Android side.

Sounds dangerous. What is the worst case scenario?

Palen: The worst case scenario involves apps that are truly a Trojan Horse that slips through the cracks and becomes available on an iPhone or iPad that is connecting to back-end data, and then wreaks havoc on an enterprise by capturing keystrokes or credit card information.

But nobody is looking at this blindly. People are taking precautions to protect their data. And I believe Apple will provide more enterprise management capabilities in future releases.

Why isn’t this stifling iPad enterprise adoption?

Palen: With the iPad, IT organizations are folding under pressure. They had taken such a hard stance with security, and now they’re allowing iPads that really wouldn’t have met their requirements 12 months ago. There’s so much demand. They also see so many efficiencies that can be brought to bear [by the iPad] that they’re willing to deal with the risks.

What are the workarounds?

Palen: You’re probably not going to wipe an executive’s iPad. But one of the things that we do is integrate with Active Directory so that we know exactly who someone is in the organization. You can actually set up rules so that you could manage executives one way and other people a different way. You can also differentiate between a corporate device and an individually owned device.

We could do some things around VPN connections and not having apps residing on the device. Or we can have an icon that doesn’t have data residing on the device. We can control the iPad from a data perspective rather than the app itself. There are workarounds.

Apple has tiptoed around the enterprise for years. What’s it going to take to force Apple’s hand?

Palen: When Apple starts to see large volumes of iPads selling into the enterprise, and these iPads are locked down and users won’t be able to buy additional apps, that’s when Apple will start making it available for me to manage these apps.

Tom Kaneshige covers Apple and Networking for Follow Tom on Twitter @kaneshige. Follow everything from on Twitter @CIOonline. Email Tom at