I bought an iPhone 4 last week. It has 32 GB of memory, nearly as much as my two-and-a-half-year-old Windows notebook. It does a lot of cool things and, as Steve Jobs would say, it is “insanely great”. That said, one of the reasons I got the device was to better understand the ecosystem, and part of that assessment is understanding the information security issues.
The short answer is that the iPhone is not a very suitable enterprise-class device, mostly because of security issues. If I were a CIO for a large corporation, I would not support the device unless I were prepared to make a significant investment in multiple layers of security and information protection around the applications I intended to support. Perhaps more significant is the fact that Apple has no intention of making the device enterprise capable. When they can’t meet the demand from the consumer segment, why would they bother with all the headaches of making the device enterprise ready?
In some sense, Apple’s orientation towards the enterprise creates an opportunity for businesses to address this enterprise gap, or more specifically the information security gap. The opportunity exists because people want to use iPhones for work processes. An example in the healthcare segment is a doctor using an electronic health record on his or her iPhone. A more general example would be using Microsoft’s SharePoint document collaboration system.
There are several things to consider from an information security perspective to make use of the iPhone feasible. First, you would want to use a web application. This allows the end user to bring up the application in Safari without requiring users to download the app from iTunes. Unless you jailbreak the device, Apple forces customers to use iTunes as the application broker. Clearly, an enterprise system shouldn’t rely on jailbroken devices, nor would you want to depend on iTunes. Additionally, I would recommend considering security investment in several other areas, including:
• Two factor authentication
• Policy-driven authorization
• Digital rights management around the information in the system
• Encryption for data in transit, at rest and in use by the application
• Event management of the infrastructure and applications
• Risk-based behavioral analytics of the business process transactions, aimed at defeating malicious insiders and advanced attack teams
It should be apparent that this is no small undertaking for an enterprise. Maybe the good old BlackBerry might look more attractive.