iPhone encryption is a must for the security-conscious enterprise

Apple is advertising the iPhone 3G as something that consumers can use at work. IT managers with high security requirements beg to differ. They want full device encryption and centralized policy enforcement before they'll even let one in the building.

In one of Apple's most recent television advertisements for the iPhone 3G, a voice tells consumers: "It works great with work."

That's true. The Exchange ActiveSync available with the new iPhone gives users access to email, calendaring and contacts management, and that's just what many consumers need. Some IT managers feel the same way. The physical engineering of the device, its superior browser and the new syncing capabilities with Exchange have many CIOs deciding the iPhone is ready for an enterprise deployment.

Many companies with higher security requirements say, however, that the iPhone just isn't secure enough. In particular, the lack of full device encryption is a deal breaker.

"I think Apple needs to address this to really get the iPhone into the corporate market," said Al Berg, global head of security for Liquidnet, a New York-based financial company. Liquidnet specializes in facilitating online institutional equities trading for asset management firms. Berg said his company's customers expect anonymity. Without encryption, he just can't guarantee that.

"Let me say, I'm an iPhone fan," Berg said. "But the problem is Apple has left off the on-device encryption. So if the device is lost, yes, we can remote wipe it. But there is that moment in time between when the device is lost and when it gets reported and when it gets wiped, and we're just not comfortable with that."

The software development kit (SDK) that Apple released for the iPhone allows third-party developers to encrypt individual applications, but it does not allow those developers to build tools that encrypt the whole device.

Kathryn Weldon, principal analyst with Current Analysis, isn't sure why Apple hasn't made full device encryption possible on the iPhone.

"But, in general, Apple is still concentrating on the consumer business and will eventually update the SDK to accommodate more serious enterprise adoption," she said.

In the meantime, Apple continues to advertise to consumers with the message that the iPhone is just right for use on the job.


"That's the problem I have with Apple," said Jack Gold, president of consultancy J. Gold Associates. "Apple thinks that if I have ActiveSync and can sync with Exchange, I'm done. And yes, that's a small part of the problem. Very few users can get by without having connectivity to email. But beyond that, it's security and access."

Repeated messages left with Apple requesting comments for this story went unanswered.

There are various reasons why Apple might be slow to enable full device encryption on the iPhone, Gold said. Since it is focused on the consumer market, Apple probably doesn't see encryption as necessary. Encryption can also be a power-hungry application that can zap a battery, he said -- something of special concern to iPhone users who can't swap in a backup battery in the middle of the day.

Then there is the lack of centralized security management tools for the iPhone. Without such tools, IT organizations have no way of enforcing encryption policies anyway.

Regardless, many enterprises just can't turn a blind eye to the lack of encryption. And it's not just financial institutions. Gold said that any organization subject to regulations of any kind will need encryption and other robust secure management features.

"It's a big deal, especially in regulated industries like banking," Gold said. "And it has to be enforceable. The IT guy needs to be able to say: 'You can't get around [an encryption policy]. You have to do it.' Today, [that] is impossible on the iPhone."

Encryption isn't perfect, according to Gold. There are ways around it for the determined hacker. "But I'd rather have it and force someone to hack me than not have it at all and give [sensitive data] away for free."


At Liquidnet, the majority of the company's 377 employees are equipped with mobile devices. Berg said the company encrypts those devices using Motorola Good Technology Group's GoodLink security platform, which enables his IT organization to configure security and encryption requirements centrally across multiple devices. It relies on the native encryption capabilities of the devices.

"In this day and age, that's how encryption should be," Berg said. "We should not have to add on a piece of third-party software. That should be something that's native to the device."

"I think it shows a disconnect between whoever was designing the software for the iPhone and the corporate market," he said. "We're seeing more and more Apple products in the enterprise. But they haven't yet made the commitment to make an enterprise phone or an enterprise desktop. It's a shame."

Many enterprises are looking for encryption in the iPhone, Berg said, but until Apple delivers it, he'll continue to say no to the iPhone in his company. "I'm not the most popular guy at my company right now for saying, 'No, you can't use it.' "

"[Apple] had better open up the SDK for full device encryption if they want to be taken seriously as a business device," Gold said. "It's not optional. I could never see a large enterprise that's security conscious deploying this device. It's just too risky."

Let us know what you think about the story; email: Shamus McGillicuddy, News Editor
