EXPERT RESPONSE
The iPhone: good looks, cool features and now, with the launch of the latest version, it's even affordable. No wonder everybody wants one. Everyone, that is, apart from network and security managers. They're the ones tasked with trying to ensure security policies covering data loss and inappropriate use of devices aren't blown away by employees who see smartphones as a fashion accessory more than a networked communications device.
A lot of criticism from IT security professionals about the iPhone's lack of security stemmed from the device's readiness to let users connect to any nearby open access point. Combine this with a lack of tools to encrypt data on its hard drive, or to wipe it if it's lost or stolen, and you can see why the BlackBerry has been favored at the enterprise level.
When it comes to sending and receiving email, though, the iPhone offers some security. By default, the iPhone uses Secure Sockets Layer (SSL) encryption for POP, IMAP and SMTP, using the mail server's digital certificate to create an encrypted connection. To take advantage of the feature, though, one needs an account with a service that provides SSL-protected email accounts, such as AOL, Yahoo!, Gmail and .Mac. Another option is to switch to webmail and access email via a browser. Not every ISP, however, offers SSL-protected webmail access.
Even though version 2.0 of the iPhone software supports the 802.1x authentication protocol (WPA2 Enterprise), this only encrypts the connection between the iPhone and the Wi-Fi gateway. One way around the limited encryption is to connect to a public Wi-Fi network using a virtual private network (VPN). Doing so creates an encrypted tunnel -- something I'd recommend for any mobile worker. A VPN encrypts all data right through the gateway, all the way to a network endpoint. The iPhone now supports three types of VPN connections: L2TP, PPTP and IPsec. You can find several services that provide a VPN for a fee, such as WiTopia.net. One note of caution, though: VPN profile information stored on an iPhone isn't encrypted and can contain a VPN shared secret stored in the clear. Another drawback when using a VPN with the iPhone is that whenever a network transition occurs, the VPN must be restarted manually.
So far we've looked at protecting emails in transit, but if a message's contents are sensitive, they also need protection while they are stored on an iPhone. There still appears to be no file encryption capabilities on the new device. Many are confused over what is actually encrypted when syncing with ActiveSync, Microsoft's synchronization tool. Thankfully, the new iPhone can now securely wipe data from the device via the optional "Secure Empty Trash" setting, which also allows a remote wipe should the device be lost.
Security is difficult to make look cool, but the iPhone 2.0 software does offer some security improvements. If it really wants to displace the BlackBerry, then I'm sure Apple will soon add more security features. If the iPhone can match the BlackBerry for security, then its compatibility with ActiveSync may give it an edge. Although delivering email directly from an Exchange email server to an iPhone means opening up a network firewall, it also means that they aren't being routed through a network operations center's (NOC) servers, such as Research in Motion Ltd.'s NOC in Canada, which can be a single point of failure, as evidenced by the massive BlackBerry email outage in April 2007 and another outage in February 2008.
More information:
Ed Skoudis reviews how to maintain iPhone security in the enterprise.
Has the mobile malware threat been overblown?
|
