In our last post, on data security for partially-managed devices, I missed one option we need to cover before moving on to fully-managed devices:
User-owned device with managed/backhaul network (cloud or enterprise)
This option is an adjunct to our other data security tools and isn’t sufficient to protect data on its own. The users own their devices but agree to route all traffic through an enterprise-managed network, either via a VPN back to the corporate network or through a cloud VPN service.
On the data security side, this lets you monitor all of the device's network traffic, and, if you install an enterprise root certificate on the device so the gateway can terminate TLS, the encrypted traffic as well. This is primarily about malware protection and reducing the likelihood of malicious apps on the device, but it also supports more complete DLP. Keep in mind that a user-owned device can still drop the VPN or remove the profile, so treat this monitoring as best-effort rather than an enforced control.
Managed Devices
When it comes to data security on managed devices, life for the security administrator gets a bit easier. With full control of the device we can enforce any policies we want, although users might not be thrilled.
Remember that full control doesn’t necessarily mean the device is in a highly restricted kiosk mode – you can still allow a range of activities while maintaining security. All our previous data security options are available here, as well as:
MDM managed device with Data Protection
Using a Mobile Device Management tool, the iOS device is fully managed and restricted. The user cannot install unapproved applications, email is limited to the approved enterprise account, and a passcode policy is enforced, which is what actually activates Data Protection: the per-file class keys are wrapped with a key derived from the passcode, so without a passcode the protected classes give you nothing.
Restricting the applications allowed on the device and enforcing security policies makes it much more difficult for users to leak data through unapproved services. Plus you gain full Data Protection, strong passcodes, and remote wiping. Some MDM tools even detect jailbroken devices, although that detection is heuristic and a determined user can evade it.
To gain the full benefit of Data Protection, you need to block unapproved apps which could leak data (such as Dropbox and iCloud apps). This isn’t always viable, which is why this option is often combined with a captive network to give users a bit more flexibility.
Managed/backhaul network with DLP, etc.
The device uses an on-demand VPN to route all network traffic, at all times, through an enterprise or cloud portal. We call it an “on-demand” VPN because the device automatically tears the tunnel down when there is no network traffic and brings it back up before sending any, so VPN coverage is comprehensive. “On-demand” here definitely does *not* mean users can bring the VPN up and down as they want.
Combined with full device management, the captive network affords complete control over all data moving onto and off the devices. This is primarily used with DLP to manage sensitive data, but it may also be used for application control or even to allow use of non-enterprise email accounts, which are still monitored.
On the DLP front, we can manage enterprise email without a full captive network, but this option also lets us manage data in web traffic.
Full control of the device and network doesn’t remove the need for certain other security options. For example, you might still need encryption or DRM, since those are what make otherwise insecure cloud and sharing services usable.
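As an added example, again not code from the original post, here are the additional payloads that implement the backhaul side of this option in the same configuration-profile format: an IKEv2 VPN with a single on-demand Connect rule that has no match criteria (so it fires for all traffic on every network), the user override disabled, a device-certificate identity for authentication, and the root certificate of the TLS-inspecting gateway. The gateway hostname, identifiers, UUIDs and algorithm choices are assumptions for this example, and the certificate blobs are deliberately left empty.

```xml
<!-- Additional entries for the PayloadContent array of a managed profile.
     Hostnames, identifiers and UUIDs are constructed for this example. -->
<array>
  <dict>
    <key>PayloadType</key><string>com.apple.vpn.managed</string>
    <key>PayloadVersion</key><integer>1</integer>
    <key>PayloadIdentifier</key><string>com.example.ios.managed.vpn</string>
    <key>PayloadUUID</key><string>00000000-0000-4000-8000-000000000010</string>
    <key>UserDefinedName</key><string>Corporate backhaul</string>
    <key>VPNType</key><string>IKEv2</string>
    <key>IKEv2</key>
    <dict>
      <key>RemoteAddress</key><string>vpn.example.com</string>
      <key>RemoteIdentifier</key><string>vpn.example.com</string>
      <key>LocalIdentifier</key><string>device-0001</string>
      <!-- Authenticate with a device certificate, not a shared secret; the identity
           comes from the PKCS#12 payload referenced by UUID below. -->
      <key>AuthenticationMethod</key><string>Certificate</string>
      <key>PayloadCertificateUUID</key><string>00000000-0000-4000-8000-000000000011</string>
      <key>EnablePFS</key><integer>1</integer>
      <!-- Pin the crypto proposal instead of inheriting older, weaker defaults. -->
      <key>IKESecurityAssociationParameters</key>
      <dict>
        <key>EncryptionAlgorithm</key><string>AES-256</string>
        <key>IntegrityAlgorithm</key><string>SHA2-256</string>
        <key>DiffieHellmanGroup</key><integer>14</integer>
        <key>LifeTimeInMinutes</key><integer>1440</integer>
      </dict>
      <key>ChildSecurityAssociationParameters</key>
      <dict>
        <key>EncryptionAlgorithm</key><string>AES-256</string>
        <key>IntegrityAlgorithm</key><string>SHA2-256</string>
        <key>DiffieHellmanGroup</key><integer>14</integer>
        <key>LifeTimeInMinutes</key><integer>1440</integer>
      </dict>
    </dict>
    <!-- On-demand rules are evaluated in order and a rule with no match criteria
         matches everything, so this one rule raises the tunnel for all traffic. -->
    <key>OnDemandEnabled</key><integer>1</integer>
    <key>OnDemandRules</key>
    <array>
      <dict>
        <key>Action</key><string>Connect</string>
      </dict>
    </array>
    <!-- The "Connect On Demand" switch in Settings is disabled for the user. -->
    <key>OnDemandUserOverrideDisabled</key><true/>
  </dict>
  <dict>
    <!-- Device identity used by the VPN payload above. PKCS#12 blob omitted here. -->
    <key>PayloadType</key><string>com.apple.security.pkcs12</string>
    <key>PayloadVersion</key><integer>1</integer>
    <key>PayloadIdentifier</key><string>com.example.ios.managed.vpn-identity</string>
    <key>PayloadUUID</key><string>00000000-0000-4000-8000-000000000011</string>
    <key>PayloadContent</key><data></data>
  </dict>
  <dict>
    <!-- Root certificate of the TLS-inspecting gateway, so backhauled HTTPS can be
         terminated without certificate warnings. DER blob omitted here. -->
    <key>PayloadType</key><string>com.apple.security.root</string>
    <key>PayloadVersion</key><integer>1</integer>
    <key>PayloadIdentifier</key><string>com.example.ios.managed.inspection-ca</string>
    <key>PayloadUUID</key><string>00000000-0000-4000-8000-000000000012</string>
    <key>PayloadContent</key><data></data>
  </dict>
</array>
```

On a supervised device the stronger choice is Apple's Always On VPN (the AlwaysOn dictionary in the same VPN payload), which the user cannot switch off and which blocks traffic outside the tunnel; on-demand VPN as configured above is what remains for unsupervised or user-owned devices, with the caveat from the start of this post that such a user can still remove the profile.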
Now that we have covered our security options, our next post will look at picking a strategy.
7 Replies to “iOS Data Security: Managed Devices”
http://www.h-online.com/security/news/item/Apple-closes-numerous-security-holes-with-iOS-6-1713012.html
Dre-
No. They can’t. You have yet to *prove* your assertion that they are so easy to hack when properly configured. When I or other commenters ask for said proof, you provide theory.
When I ask the companies that make money selling tools to crack these devices, they tell me where they fail.
I’m the one living in the real world. You are living in a paranoid delusion. By your standard we shouldn’t be using any technology. Want to crack a laptop? Use a cold boot attack or insert malware over DMA if it has firewire or thunderbolt. Or own it via email phishing. Or malware on a USB drive.
Prove to me that “iOS devices can be hacked instantly by anyone” when properly configured.
And if you search the archives, you will see that I was *against* previous versions of the iPhone being used in the enterprise due to the encryption weaknesses and ease of hacks. That isn’t true for current devices, and you have yet to prove otherwise other than linking to posts that *prove my own point* by showing the limits of current attacks.
Will they be hacked again? Absolutely, just like everything else. And then Apple will patch. And the cycle goes on. Right now the risk profile is very low based on the facts. Show me otherwise and I might rethink my position.
12 years ago, it was also “fine” to give every individual contributor and manager a Dell laptop running Windows ME and use their IE 5.5 to connect to “secure” web applications using SSL.
9 years ago, it was also risk-savvy to allow officers like CFOs to utilize a Thinkpad running Windows 2000 and connect to a Windows PPTP VPN over public WiFi.
However, the early 2000s taught us that unencrypted laptops carrying massive amounts of Sarbanes-Oxley, GLB, or PCI-DSS financial-related data while also connecting to applications that held data stores containing similar data was absolutely the worst idea in the history of safe/non-risky computing.
In the mid-2000s, we started to see the risk rise and nearly explode.
How, with a straight face, can you recommend that these same businesses, with these same problems, use unencrypted iPads and iPhones running an insecure iOS and Obj-C runtime to store and connect to data stores with similar data in the year 2012?
I just don’t and can’t understand it. Criminal enterprises and hacktivists are salivating at this premise. It’s worm city, man. It’s game over.
It’s impossible to lock down an iOS device. It is impossible to encrypt an iOS filesystem. It is impossible to protect a “data protected store” on iOS. It is impossible to prevent apps from understanding what other apps’ data is available to the runtime and to execute whatever they want all over them on the iOS platform. This implicit risk is higher than ever before.
Which orgs is this fine for? Who is the ideal “work consumer” for iOS products? I just don’t see it. I’m not understanding what you are trying to say. It appears that you live in magic-faerie-happy-land where iOS devices can’t be hacked instantly by anything or anyone. But they can…
Sorry, we are weirdly getting double posts. I approved both to see what would happen.
Dre, there are levels of risk. Everyone has different needs. My opinion, as expressed in these posts, is that iOS is fine for the majority of orgs out there. If you are targeted as an individual by a sophisticated attacker? Probably not (although maybe you can still use it fully managed).
But once again I had a forensics firm tell me they can’t crack the latest hardware if it is properly configured. That’s good enough for me.
Again, I just want to reiterate (from the last comment I made in the previous post you have in this thread) that MDM or corporate “enforced” policies are anything but enforceable. A user-controlled device will always remain a user-controlled device. Even Apple gets this wrong!
Yep, I fixed it.
I’ve actually seen this used outside of the one vendor I know you are thinking of, although it isn’t the most common technique. We may even add a version of it ourselves to encrypt traffic when we connect to wifi, but we won’t be filtering or otherwise monitoring the actual traffic.
Is it nicer to say “captive network” or “traffic backhauling”? That said, nice post, and definitely part of a strategy I’ve seen work, although the example that leaps to mind is actually a security products company.