iPad Security Case Study: Are We There Yet?

Six months ago, the first iPad landed at the Bank of the Ozarks. Now there are nearly 20 company-owned iPads in employees’ hands, with plenty more on the way.

If Bank of the Ozarks, a 100-year-old community bank headquartered in Little Rock, Arkansas, decides to follow through on a bring-your-own-device program that will let personal iPads hook into the corporate network, the iPad floodgates will break wide open.

“This is just the tip of the iceberg,” says CIO Ron Kuykendall at Bank of the Ozarks. “The proliferation of iPads within our organization will increase significantly.”

While Bank of the Ozarks is in the early days of iPad adoption, the IS department has been working furiously for months behind the scenes to secure customer data on these mobile devices. Kuykendall and his team have run the gauntlet, from patching together temporary security solutions to drafting policies prohibiting certain consumer apps to even beta testing emerging security products.

Slideshow: 15 Ways iPad Goes to Work

Everyone frets about losing sensitive data on the iPad, but financial institutions built on consumer trust are especially worried. After all, customer data loss can quickly turn into customer dollar loss. If customer data on an iPad were to be compromised, and word of it got out, the bad press could ruin a bank’s reputation.

“What keeps me up at night is loss of consumer data, whether intentional or inadvertent,” Kuykendall says.

Kuykendall’s sleepless nights are about to get a whole lot worse, as more iPads flood the consumer and enterprise markets. Apple claims a record-breaking 3 million new iPads were sold the first weekend of its debut. UBS analyst Maynard Um predicts 12 million new iPad sales this quarter, if supply can keep up with demand.

iPad Sighting in the Ozarks

On the edges of this iPad pandemic lies Bank of the Ozarks.

The IS department needed to get a handle on security before iPad adoption spiraled out of control. This meant securing documents, either at rest or in motion, on the iPad. Bank of the Ozarks used various products and methods, such as SFTP file transfers, to ensure sensitive information was managed and stored on its network and servers.

In the world of the iPad, though, end users are in charge. A handful of Bank of the Ozarks iPad users began storing data in consumer apps and services such as Dropbox. “We actually had some users that were, um, testing that out, you can say,” says Steve Due, senior network engineer at Bank of the Ozarks. “We wanted to catch that up front and cut it off.”

In order to blacklist a popular consumer app, Bank of the Ozarks needed to offer an alternative to Dropbox that was just as easy to use. If the enterprise alternative is more complicated, iPad users will simply default to the consumer app despite policies telling them not to do so. (Bank of the Ozarks has a user policy that prohibits the use of certain consumer apps on the iPad.)

Bank of the Ozarks looked to an emerging app from GroupLogic, called activEcho, to be the alternative storage app on the iPad. It’s an enterprise file sharing product that integrates with Active Directory and supports secure file transfers, thus keeping data on Bank of the Ozarks servers and network.

But activEcho was still in beta, and CIOs traditionally shun new products and startups. In the fast-moving world of tablets and mobile computing, CIOs have to shed some of this thinking in order to keep up. Bank of the Ozarks spent three months as a beta tester.

A Sandbox Approach to Security

GroupLogic unveiled activEcho last week on the same day Quickoffice launched Quickoffice ProSelect HD, an iPad app that lets users work with Word documents, Excel spreadsheets and PowerPoint slides. The two apps are important because they work together to prevent data leakage on the iPad.

From the end user perspective, here’s how it works: A Bank of the Ozarks employee can launch activEcho on the iPad and gain access to, say, a Word document residing on the corporate network. But the only option to open the Word document is in Quickoffice, not any of the other Office-like iPad apps such as Pages, Office2 HD and Docs to Go.

Once inside Quickoffice, the employee can view and edit the document. When it comes time to save the document, the employee simply has the SaveBack Only option, whereby the file saves back to the original source, such as a Sharepoint access point behind the firewall. (Quickoffice ProSelect also doesn’t allow users to copy and paste outside the Quickoffice app.)

“We’re creating a virtual sandbox between cooperating vendors,” says Derick Naef, CTO of GroupLogic.

Slideshow: 15 Best iPhone Apps for Busy CEOs

CIOs such as Kuykendall must be willing to explore emerging security solutions during these heady days of mobility. But it’s important to note that not all tablets are created equal. Bank of the Ozarks currently does not support Android devices, which are much maligned for their security issues.

So far, Kuykendall likes what he sees on the iPad. He says, “activEcho is another bullet in the gun in our effort to control and implement strong security of consumer data.”

Tom Kaneshige covers Apple and Networking for CIO.com. Follow Tom on Twitter @kaneshige. Follow everything from CIO.com on Twitter @CIOonline and on Facebook. Email Tom at tkaneshige@cio.com