iPods, iPhones and the Enterprise Data Clampdown
It's rare that an enterprise IT department would let a worker bring in a personal notebook from home and tap into the company's main WiFi network without first insisting on a slew of device checks and configurations. However, iPhones and iPod touches in some ways function like notebooks. What's the best policy regarding them?
It's a safe bet that most enterprise employees don't haul their personal laptops into the workplace. However, with the ever-increasing capabilities of iPods and iPhones these days, are workers introducing new issues for IT security?
The Apple iPod touch now comes with a whopping 32 GB of storage space and built-in WiFi capable of attaching to nearly ubiquitous corporate wireless networks. The iPhone doesn't currently have as much storage space, but it too has WiFi. While most organizations should be running relatively secure wireless networks, is there still a security risk?
More importantly, what are the best policies and strategies? Is there a simple policy a corporate IT department can implement with regard to iPods? There appear to be three options:
- No iPods anywhere in this office, no exceptions. Those things are the devil!
- Bring 'em on. iPhones, iPods and other personal media players pose no real risk. Sync them to your desktop, surf the Web on our network, whatever. Just remember to get your work done, too.
- The best policy lies somewhere in between ...
Try Option 3
"There isn't a technology in the world that doesn't present some sort of additional risk," Rich Mogull, an independent security consultant and publisher of Securosis.com, told MacNewsWorld.
"Right now, the risk of a network-connected iPod or iPhone is fairly minimal since it isn't really set up to allow downloading of large amounts of data locally. In fact, many organizations are even allowing remote access to internal Web-based applications over these devices," he said.
However, Mogull's general advice is to only allow managed devices on the network.
Ah, but What About Hacked iPods?
If employees have truly nefarious intent, it may be difficult to stop them from finding a way to steal corporate or customer data. A modified iPod or iPhone, it turns out, could be leveraged to inflict considerable pain and suffering.
"A WiFi-enabled iPod or iPhone is in every way equal to a notebook computer from a security standpoint. It can attach to the LAN (local area network), open file shares, remotely control computers using screen-sharing utilities, download gigabytes of data to take offsite, and once jail-broken, it can run a bash shell and virtually any hacker program in existence, including network scanners, cracking tools, and packet sniffers," Mel Beckman, a California-based system administrator and security expert, told MacNewsWorld.
Notebook computers, however, are used in the enterprise all the time, and increasingly with wireless networks. If modern iPods are essentially equal to notebooks in the need for security, how might they be any more problematic than a notebook?
"Alas, the iPod lacks several critical security features that are common to laptops like full-disk encryption -- especially hardware-based encryption using the Trusted Platform Module, which most business notebooks have today -- anti-virus and anti-phishing protection, and network access control (NAC) components that are becoming the enterprise standard for tapping into the corporate LAN," Beckman explained.
"The most sensible workaround I've seen is setting up a separate 'guest' WiFi network for iPods that sequesters iPods from the rest of the LAN. Of course, this limits the iPod's utility as an IT tool, but until the iPod has enterprise-class security features, I don't see how any organization can justify ad hoc iPod access," he added.
It's More of a Storage Device Issue
While a WiFi-enabled iPod or iPhone might present issues to networks that aren't locked down, the bigger issue, Mogull says, comes from storage devices in general. A USB thumb drive can be just as problematic as an iPod.
"There is likely less risk of an iPhone -- because of the lack of local file management -- on the wireless LAN than connected to a laptop or a desktop where you can store larger amounts of data," Mogull said.
"My recommendation is to allow these devices to be used, unless you are in a high-risk, high-security industry, and to use Data Loss Prevention/Content Monitoring and Protection (DLP/CMP) to restrict what content can go onto 'any' portable storage device," he added.
Data Loss Prevention
DLP, also sometimes referred to as "Data Leak Prevention," is a set of policies and software/hardware solutions that run on end-user workstations or servers in the enterprise. They identify sensitive data and prevent it from being copied to external devices such as iPods or thumb drives.
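To make the DLP description above concrete, here is a small illustration of what an endpoint DLP agent does: scan content for sensitive patterns, then apply a policy that depends on where the data is headed. This is example code added for this page, not code from the article, from Securosis, or from any vendor product; the pattern set, the Luhn check, the destination categories ("removable_usb", "mobile_device", "local") and the sample record are all constructed for the example.

```python
"""Toy DLP endpoint policy check (constructed example, not a real product)."""
import re
from dataclasses import dataclass, field

# Hypothetical destination categories the agent distinguishes. Portable media
# is where the article's concern lies (iPods, iPhones, thumb drives).
PORTABLE_DESTINATIONS = {"removable_usb", "mobile_device"}

# Constructed detection patterns. Real products ship far larger rule sets.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
# Coarse card-number candidate: 13-16 digits, optionally separated by
# spaces or dashes. Candidates are confirmed with a Luhn checksum below.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,15}\d\b")
MARKER_RE = re.compile(r"\b(?:CONFIDENTIAL|INTERNAL ONLY)\b", re.IGNORECASE)


def luhn_valid(digits: str) -> bool:
    """Luhn checksum; cuts false positives on card-number candidates."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


@dataclass
class Finding:
    kind: str
    match: str


@dataclass
class Decision:
    action: str                     # "allow", "allow_audit" or "block"
    findings: list = field(default_factory=list)


def scan_content(text: str) -> list:
    """Return every sensitive-data finding in the text."""
    findings = []
    for m in SSN_RE.finditer(text):
        findings.append(Finding("ssn", m.group()))
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_valid(digits):
            findings.append(Finding("credit_card", m.group()))
    for m in MARKER_RE.finditer(text):
        findings.append(Finding("classification_marker", m.group()))
    return findings


def evaluate_transfer(text: str, destination: str) -> Decision:
    """Policy: sensitive content may stay on the managed workstation (with an
    audit record), but must not be copied to portable media."""
    findings = scan_content(text)
    if not findings:
        return Decision("allow", findings)
    if destination in PORTABLE_DESTINATIONS:
        return Decision("block", findings)
    return Decision("allow_audit", findings)


if __name__ == "__main__":
    # Constructed sample record; the card number is a well-known test value.
    sample = ("Customer record: SSN 123-45-6789, card 4111 1111 1111 1111. "
              "CONFIDENTIAL.")
    for dest in ("removable_usb", "mobile_device", "local"):
        d = evaluate_transfer(sample, dest)
        print(f"{dest:14} -> {d.action:11} ({len(d.findings)} findings)")
```

The point of the destination-aware policy is the one Mogull makes: the same document is allowed on the managed desktop but blocked the moment it is headed for an iPod, a phone or a thumb drive, regardless of which kind of portable device it is.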
Rob Ayoub, industry manager of network security technologies for Frost & Sullivan, told MacNewsWorld that he's been seeing more companies take a closer look at determining which documents and materials their employees could walk away with.
"The higher security industries that have traditionally cared most about security have been the first to move in this area, and it's going to take time for the proper safeguards to be put in place in the rest of the world," Ayoub said, noting that most small and medium-sized businesses have yet to seriously address the issues with effective policies or safeguards.
Some companies have simply implemented no-tolerance policies that ban the devices from the office -- but those companies might also run into quality-of-life issues with their employees. Workers might resent having to leave their cell phones behind just because they happen to have WiFi. Given the ease with which one can stash a phone or iPod in a purse or pocket, many might flout such rules.
"It's like any other 'paper' policy ... without some sort of technology to enforce it, you're not going to get anywhere, and I think that's a big reason in why we're starting to see technologies in data leak prevention that really lock down the ports," Ayoub said.
"And depending on the company, they can go from keeping people from copying data ... to not even being able to plug a device into a PC at all," he explained.
"And the good side of DLP solutions is, with protections in place, employees can bring their devices in, listen to them at the office, and the company isn't worried that their employees are going to walk off with data -- and I think this is where most companies are headed," he added.