Protecting Sensitive Business Data on the iPad

The Apple iPad is coming, and--thanks primarily to the iPhone revolution--it is guaranteed to break out of its consumer-oriented shackles and start showing up at work. A quote from Star Trek: The Next Generation comes to mind: "Resistance is futile." Your business data will be assimilated.

Despite the fact that Apple has targeted the tablet as a consumer-oriented device built for media consumption, emerging polls suggest that the leading reason that consumers want the iPad is specifically for work, with media consumption and game playing not far behind.

Why not? Notebook computers are heavy and unwieldy by comparison. The iPad is perfectly capable of performing most business tasks that roaming workers need it to, and it can do it on a device that is intuitive and instant-on. It delivers a multitouch interface with 10 hours of battery life on a device that is functional even one-handed.

Andrew Storms, Director of Security Operations for nCircle, emailed to share his thoughts on the iPad in the enterprise. "The biggest question I have about the iPad concerns how it will be used. Either people will use it as a laptop replacement or they will use it as a supplementary tool in a few specific situations."

Storms clarified his concerns: "This has everything to do with what kind of data ends up on the device and that's the real concern for enterprise security. How enterprises treat the iPad from a policy perspective depends completely on what kind of data is on the device."

Businesses and IT administrators have reason to be concerned, too. At the CanSecWest conference in Vancouver this week, a pair of security researchers was able to compromise a fully-updated iPhone 3GS in a matter of seconds--accessing the data contained on the hacked iPhone. The iPad is built on the same iPhone OS that was hacked.

Bradley Anstis, vice president of technical strategy for M86 Security, agrees that there are some serious questions to be answered about protecting confidential or sensitive company data on a device like the iPad. Anstis commented via e-mail to warn, "It has a cool factor so expect senior executives to force it on IT to support this new device, or simply start using them in their corporate infrastructures."

Anstis recommends that IT admins consider the possible ramifications of the iPad and how to protect data on it. Businesses should define acceptable use for Web browsing with the device.

Anstis explains, "If the iPad is using the corporate Wi-Fi to access the Web, then this should be controlled by the company's current Web security technology, but what about Web surfing via the iPad's 3G connection, that goes nowhere near the corporate infrastructure?"

By default, users with iPads will want to sync up basic information like e-mail, contacts, and calendar events. Users may also store files on the iPad, and the company needs to determine how that information will be protected.

The iPhone has presented many of the same concerns--again, the two devices use the same iPhone OS. The difference is that the iPhone--while it is a smartphone capable of much more than placing phone calls--is still too small to do much else from a practical perspective. The iPad represents a shift in how the iPhone OS will be put to use.

Whether or not Apple steps up with more business-friendly security controls for the iPad, they will almost certainly exist. The iPad will be used as a business tool and companies have to protect data, so there will have to be apps and tools that accomplish that.

M86 Security's Anstis points out one other sticky area for business use of the iPad. "If a device is supplied by the business, then you can reasonably expect that business to install security and control software on the device, but what about devices that are supplied by the employee? Also, who pays for the 3G connection? How can a company force control over 3G access in the workplace if it doesn't pay for it?"

Those are very valid questions when it comes to protecting corporate data. The business has an obligation--and possibly even a compliance mandate--to protect data, but doesn't legally have control over employee-owned equipment. Ensuring that data on the iPad is encrypted or otherwise protected could be an uphill battle.

Tony Bradley is co-author of Unified Communications for Dummies. He tweets as @Tony_BradleyPCW. You can follow him on his Facebook page, or contact him by email at tony_bradley@pcworld.com.
