iPad Encryption & Security Efforts Lacking

A recent Sybase-SAP survey of 500 workers found that one third of employees have put company data at risk by sending work-related emails or documents to their personal email accounts and accessing the company intranet from remote locations.  One in four has conducted work-related email exchanges on a personal mobile device.  Even in the presence of policy, tools like this will be misused, unintentionally introducing significant risk to the company from interception, breach and disregard for regulatory compliance in the name of convenience and expediance.  I have no doubt that the employees’ intentions were good, but their choices were misguided.

The German-based tech giant SAP is currently beta testing a product that will allow it to send PGP-encrypted confidential email to its 7,000 iPad using employees.  Those employees will be able to decrypt the email messages using a Symantec viewer iPad app.  There remains a problem to be sorted out yet, however.  Employees won’t be able to send encrypted email from their iPads, at least not yet.  Apple’s current iPad email encryption capability literally goes only halfway to meeting this communication need.  It can handle email encryption to iPads but not from them.  Apple says full email encryption will be coming in iOS 5.  In the meantime, users are stuck with half of a solution.

Apple has been notorious for its slow reaction to security issues, mainly because of market penetration of the PC and Microsoft’s dominance.  Times, they are a-changing, and Apple had better get to adopting a stronger, more agile stance in this regard fast.  Microsoft has learned some hard lessons, and Apple would do well to learn from their competitors’ mistakes and successes.  The iPad and other mobile platforms are becoming standard fare for businesses and enterprises worldwide.  This is a success story that could shake the IT industry as we know it.  iPad is no longer just a consumer device.  iPads are pouring into the enterprise. After only 18 months on the market, iPads are now being deployed or tested at 86% of Fortune 500 companies, according to Apple’s most recent quarterly report.  Malicious attackers have historically targeted Microsoft Windows machines because they are prolific and contain valuable and profitable data.  With iPads taking the place of laptops and iPhones supporting a similar function in medical, legal and even the financial industries, much of the attention of attackers will soon be diverted elsewhere.

Malware purveyors are plying their trade with increasing frequency.  The rate of malware attacks more than doubled in the second quarter this year to 287,298 unique instances in June, according to Cisco’s quarterly threat report released this week.  A company faces an average 335 encounters every single month!  Researchers are discovering and announcing serious vulnerabilities in Apple’s IOS, demonstrating that Apple hasn’t fallen as far from the other tech platform tree as their fan-boys would have you believe.  It’s all just software, and anybody’s software can continue weaknesses.

Apple has been showing some signs of recognition of the enterprise security message, and missed the mark on others.  They did release iOS 4.3.4 in July to patch a PDF vulnerability.  Just a week and a half later, Apple released iOS 4.3.5 that fixed a certificate validation vulnerability.  Apple has also recently released a kind of virus scanner for the devices, and got a taste of how quickly malware authors can turn the tables.  A new physical cover for the iPad 2 offers the capability to lock the device upon closure, however it also UNLOCKS the device automatically when opened.  This could have provided additional security functionality that may have reduced the requirement to lock down the timeout value associated with idle time if it was given sufficient forethought.  Instead, it offers convenience features at the expense of security.  I sincerely hope that Apple and 3rd party vendors will focus on this emergent platform and provide good, robust and reliable security tools to keep the data that these devices access and share, secure from theft and unauthorized interception.