The numbers alone don’t tell the story. In 2011 Apple sold 315 million iOS devices (62 million in the fourth quarter alone). There are over 100 million iCloud users – using a service less than a year old. And these numbers are for Apple alone – never mind all the other mobile devices. Apple calls this the dawn of the “post-PC era”, and with numbers like those it’s hard to argue. Even Microsoft is in the midst of what is shaping up to be the largest change in their platform strategy since Windows, in an attempt to address this market.

These devices aren’t confined to the home. Survey after survey shows growing enterprise adoption of iOS, including major migrations off RIM BlackBerry and other business-centric smartphones – even aside from the tidal wave called iPad. The phrase “the consumerization of IT” appeared before the release of the iPhone, but no other vendor is doing as much to drive the adoption of consumer technologies into the enterprise as Apple.

In years past we in IT security served as the gatekeepers of new technologies in the enterprise. As much as we like to say we’re the last to find out about new tools and toys, mobility is one area where we have held tight control by limiting access to the network. But in the post-PC consumerization world we are losing our ability to stop the adoption of consumer technologies, even when they don’t support all our enterprise needs.

In a recent session at the RSA Security Conference I asked a group of 150 operational security professionals how many were under pressure to support non-BlackBerry devices. Nearly every hand in the room went up, almost universally to support iOS, and only a relatively small percentage had technical capabilities or policies in place to manage this transition.

And while there was some concern about the impact of these devices on the network, the universal concern was the safety of data.

The question is no longer if or when to allow these devices, but how to support non-PC computing platforms while safely protecting enterprise data.

To stay focused, this series will lay out options for protecting enterprise data on iOS, rather than talking about the myriad of other issues around mobile device management.

Why iOS and Not Android

Of course Apple isn’t single-handedly driving the consumerization of IT concept, but the numbers above (and a quick glance around the office) show that the company from Cupertino is clearly a major force. They have done more to alter the landscape of the smartphone and tablet markets than any other single provider. And, not coincidentally, we are asked more about securing iOS for the enterprise than any other platform.

Until recently BlackBerry was the dominant platform – largely because it was designed specifically to address enterprise needs. As a result most organizations are comfortable securing these tools. Some organizations also supported Microsoft and perhaps Palm, but one of those companies no longer exists and the other completely tossed out its platform to start fresh.

The real activity is with iOS and Google’s Android. But for a variety of reasons enterprises face more pressure to support iOS. Android-based tablets are not yet competitive or in wide use, and the fractured nature of Android phones and software versions makes it far easier to justify restricting those devices.

From a security perspective, iOS is also a stronger platform. While nothing is invulnerable, there is essentially no iOS malware and few known security breaches. The software ties strongly to the hardware and current versions are very difficult to hack. Android, by its more open nature, represents a greater security risk – as demonstrated by ongoing malware issues (still lower than PC levels, but much higher than iOS).

The main problem is that Apple provides limited tools for enterprise management of iOS. There is no ability to run background security applications, so we need to rely on policy management and a spectrum of security architectures.

We will focus on iOS because:

  • You already know how to manage BlackBerry.
  • Android isn’t mature or safe enough for us to endorse for enterprise use, and the fractured operating system levels make strategic management difficult.
  • Windows Mobile is not in widespread use and the Metro tablet platform is still in development.
  • Clients tell us they are under pressure to support iOS more than other platforms – especially the iPad.
  • Most of the options we will discuss also apply to other platforms – especially the latest version of Android (Ice Cream Sandwich, which isn’t widely available).

Information-Centric Security

We are focusing on data for this series, so we will take an information-centric approach. We won’t talk about network management or device restrictions that aren’t relevant to protecting data. But we will discuss managing the data even before it hits the device.

Previously I wrote the following principles of information-centric security:

  1. Information (data) must be self describing and defending.
  2. Policies and controls must account for business context.
  3. Information must be protected as it moves from structured to unstructured, in and out of applications, and changing business contexts.
  4. Policies must work consistently through the different defensive layers and technologies we implement.

These sound a bit like the usual analyst mumbo-jumbo, but we do actually have the technologies to implement much of this today. In terms of managing data for mobility and iOS we can hit every one of those points except movement between structured and unstructured data.

Through the rest of this series we will show how to manage what data ends up on devices, how to protect it once it’s there, and how to build and manage policies to enable users without violating risk tolerances. To do this we will present a spectrum of options designed to satisfy different organizational needs; all of which are supported by existing products (some of which you probably already have).

Before we dig into the management options we need to spend a little time understanding how iOS works… which will be the next post.

And yes, this is the opening to a new blog series that will be converted into a white paper. In accordance with our Totally Transparent Research policy, this one is being sponsored by Watchdox but they don’t get to influence the content other than submitting public comments here on the blog like everyone else. Thanks to folks like them, taking the risk that I might write something bad about them, which enables us to give this away content free.