The numbers alone don’t tell the story. In 2011 Apple sold 315 million iOS devices (62 million in the fourth quarter alone). There are over 100 million iCloud users – using a service less than a year old. And these numbers are for Apple alone – never mind all the other mobile devices. Apple calls this the dawn of the “post-PC era”, and with numbers like those it’s hard to argue. Even Microsoft is in the midst of what is shaping up to be the largest change in their platform strategy since Windows, in an attempt to address this market.
These devices aren’t confined to the home. Survey after survey shows growing enterprise adoption of iOS, including major migrations off RIM BlackBerry and other business-centric smartphones – even aside from the tidal wave called iPad. The phrase “the consumerization of IT” appeared before the release of the iPhone, but no other vendor is doing as much to drive the adoption of consumer technologies into the enterprise as Apple.
In years past we in IT security served as the gatekeepers of new technologies in the enterprise. As much as we like to say we’re the last to find out about new tools and toys, mobility is one area where we have held tight control by limiting access to the network. But in the post-PC consumerization world we are losing our ability to stop the adoption of consumer technologies, even when they don’t support all our enterprise needs.
In a recent session at the RSA Security Conference I asked a group of 150 operational security professionals how many were under pressure to support non-BlackBerry devices. Nearly every hand in the room went up, almost universally to support iOS, and only a relatively small percentage had technical capabilities or policies in place to manage this transition.
And while there was some concern about the impact of these devices on the network, the universal concern was the safety of data.
The question is no longer if or when to allow these devices, but how to support non-PC computing platforms while safely protecting enterprise data.
To stay focused, this series will lay out options for protecting enterprise data on iOS, rather than talking about the myriad of other issues around mobile device management.
Why iOS and Not Android
Of course Apple isn’t single-handedly driving the consumerization of IT concept, but the numbers above (and a quick glance around the office) show that the company from Cupertino is clearly a major force. They have done more to alter the landscape of the smartphone and tablet markets than any other single provider. And, not coincidentally, we are asked more about securing iOS for the enterprise than any other platform.
Until recently BlackBerry was the dominant platform – largely because it was designed specifically to address enterprise needs. As a result most organizations are comfortable securing these tools. Some organizations also supported Microsoft and perhaps Palm, but one of those companies no longer exists and the other completely tossed out its platform to start fresh.
The real activity is with iOS and Google’s Android. But for a variety of reasons enterprises face more pressure to support iOS. Android-based tablets are not yet competitive or in wide use, and the fractured nature of Android phones and software versions makes it far easier to justify restricting those devices.
From a security perspective, iOS is also a stronger platform. While nothing is invulnerable, there is essentially no iOS malware and few known security breaches. The software ties strongly to the hardware and current versions are very difficult to hack. Android, by its more open nature, represents a greater security risk – as demonstrated by ongoing malware issues (still lower than PC levels, but much higher than iOS).
The main problem is that Apple provides limited tools for enterprise management of iOS. There is no ability to run background security applications, so we need to rely on policy management and a spectrum of security architectures.
We will focus on iOS because:
- You already know how to manage BlackBerry.
- Android isn’t mature or safe enough for us to endorse for enterprise use, and the fractured operating system levels make strategic management difficult.
- Windows Mobile is not in widespread use and the Metro tablet platform is still in development.
- Clients tell us they are under pressure to support iOS more than other platforms – especially the iPad.
- Most of the options we will discuss also apply to other platforms – especially the latest version of Android (Ice Cream Sandwich, which isn’t widely available).
Information-Centric Security
We are focusing on data for this series, so we will take an information-centric approach. We won’t talk about network management or device restrictions that aren’t relevant to protecting data. But we will discuss managing the data even before it hits the device.
Previously I wrote the following principles of information-centric security:
- Information (data) must be self describing and defending.
- Policies and controls must account for business context.
- Information must be protected as it moves from structured to unstructured, in and out of applications, and changing business contexts.
- Policies must work consistently through the different defensive layers and technologies we implement.
These sound a bit like the usual analyst mumbo-jumbo, but we do actually have the technologies to implement much of this today. In terms of managing data for mobility and iOS we can hit every one of those points except movement between structured and unstructured data.
Through the rest of this series we will show how to manage what data ends up on devices, how to protect it once it’s there, and how to build and manage policies to enable users without violating risk tolerances. To do this we will present a spectrum of options designed to satisfy different organizational needs; all of which are supported by existing products (some of which you probably already have).
Before we dig into the management options we need to spend a little time understanding how iOS works… which will be the next post.
And yes, this is the opening to a new blog series that will be converted into a white paper. In accordance with our Totally Transparent Research policy, this one is being sponsored by Watchdox but they don’t get to influence the content other than submitting public comments here on the blog like everyone else. Thanks to folks like them, taking the risk that I might write something bad about them, which enables us to give this away content free.
Reader interactions
7 Replies to “Defending Enterprise Data on iOS: Introduction”
Rich,
I suspect that for the majority of iTunes backups, the encryption passphrase is in the user’s keychain (at least on Macs — dunno what iTunes/Win does with them). I’m certain very few Mac users enter their passphrase on every backup, and the Mac keychain is normally unlocked while the user is logged in.
The general point is that users may not think to secure their desktops/laptops thoroughly, and are unlikely to realize this makes their iPhones/iPads (including keys and data) vulnerable as well.
I assume all the non-data-protection data is totally exposed, so no argument there.
I did just read a (non-public, yet) paper from a forensics firm that reinforces the position that a good passphrase and data protection are pretty solid. Actually, encrypting iTunes backups turns out to be better protection than I realized as well.
Again, not saying this is perfect. And plenty of people will use weak pass codes or incorrectly configure their devices. But the tools are there to do a decent job of reducing risk in non-top-secret environments.
Sogeti has developed and released a technique/tool that not only breaks simple (and even some complex!) passcodes for the iOS Data Protection, but also grabs the “EMF!” and “Dkey” encryption keys, which can be used to decrypt the unprotected files on the filesystem regardless if a strong passcode is bruteforced or not.
iphone-dataprotection.googlecode.com
Read up on how Data Protection works. It isn’t military grade, but even Elcomsoft won’t work if a good strong passcode is used. Only parts of the system are protected, as I’ll go into in a post that’s about to go up and cover later.
Blackberry is still stronger since it will wipe if there’s a brute-force attempt via USB, but for the average org there’s no reason to not use iOS if they properly config data protection and pass codes.
(Until the next vuln)
Yar — “Emergency SSH access using a pwn’d DFU mode RamDisk”.
And if you’re LE/Military, then you can get EIFT — http://elcomsoft.com/eift.html
In this case, the monoculture of a single charging-and-synching strategy has definitely worked out of favor for iOS. Juicejacking is a much more immediate threat to iOS than Android, especially at hotels during major tech conferences.
Dre- all the research I’ve seen supports using iOS if data protection is enabled. Even DFU should be safe if a good passcode is in place. Dino did a bunch or research on this recently.
You have something I’m missing to the contrary?
iOS is not a great platform for storing sensitive company email and docs. It’s not even an averagely ok platform for this.
Let’s face it — Apple and iOS-device hardware encryption providers have failed to provide anything near as fancy, intuitive, or secure as the litigation-support-friendly McAfee Endpoint Encryption (or similar), let alone military-grade security commonly found in DoD-approved Android devices.
If you can DFU-mode an iOS device, it’s simply game over.
Also — thanks for the mention of iCloud, which will certainly be another point of contention for iOS security in both the short and long term.