iPhone encryption is a must for the security-conscious enterprise

By Shamus McGillicuddy, News Editor 06 Aug 2008 | SearchMobileComputing.com

Mobile advice Digg This!     StumbleUpon     Del.icio.us

That's true. The Exchange ActiveSync available with the new iPhone gives users access to email, calendaring and contacts management, and that's just what many consumers need. Some IT managers feel the same way. The physical engineering of the device, its superior browser and the new syncing capabilities with Exchange have many CIOs deciding the iPhone is ready for an enterprise deployment.

Many companies with higher security requirements say, however, that the iPhone just isn't secure enough. In particular, the lack of full device encryption is a deal breaker.

"I think Apple needs to address this to really get the iPhone into the corporate market," said Al Berg, global head of security for Liquidnet, a New York-based financial company. Liquidnet specializes in facilitating online institutional equities trading for asset management firms. Berg said his company's customers expect anonymity. Without encryption, he just can't guarantee that.

"Let me say, I'm an iPhone fan," Berg said. "But the problem is Apple has left off the on-device encryption. So if the device is lost, yes, we can remote wipe it. But there is that moment in time between when the device is lost and when it gets reported and when it gets wiped, and we're just not comfortable with that."

The software development kit (SDK) that Apple released for the iPhone allows third-party developers to encrypt individual applications, it does not allow those developers to build tools that encrypt the whole device.

Kathryn Weldon, principal analyst with Current Analysis, isn't sure why Apple hasn't made full device encryption possible on the iPhone.

"But, in general, Apple is still concentrating on the consumer business and will eventually update the SDK to accommodate more serious enterprise adoption," she said.

In the meantime, Apple continues to advertise to consumers with the message that the iPhone is just right for use on the job.

[Apple] had better open up the SDK for full device encryption if they want to be taken seriously as a business device. It's not optional. Jack Gold President, J. Gold Associates

"That's the problem I have with Apple," said Jack Gold, president of consultancy J. Gold Associates. "Apple thinks that if I have ActiveSync and can sync with Exchange, I'm done. And yes, that's a small part of the problem. Very few users can get by without having connectivity to email. But beyond that, it's security and access."

Repeated messages left with Apple requesting comments for this story went unanswered.

There are various reasons why Apple might be slow to enable full device encryption on the iPhone, Gold said. Since it is focused on the consumer market, Apple probably doesn't see encryption as necessary. Encryption can also be a power-hungry application that can zap a battery, he said -- something of special concern to iPhone users who can't swap in a backup battery in the middle of the day.

Then there is the lack of centralized security management tools for the iPhone. Without such tools, IT organizations have no way of enforcing encryption policies anyway.

Regardless, many enterprises just can't turn a blind eye to the lack of encryption. And it's not just financial institutions. Gold said that any organization subject to regulations of any kind will need encryption and other robust secure management features.

"It's a big deal, especially in regulated industries like banking," Gold said. "And it has to be enforceable. The IT guy needs to be able to say: 'You can't get around [an encryption policy]. You have to do it.' Today, [that] is impossible on the iPhone."

Encryption isn't perfect, according to Gold. There are ways around it for the determined hacker. "But I'd rather have it and force someone to hack me than not have it at all and give [sensitive data] away for free."

More on iPhone in the enterprise Contrasting iPhone vs. Android 3G iPhone pilot: CIO ready to dump his Windows Mobile smartphones iPhone secrity in the enterprise: Mitigating the risks

At Liquidnet, the majority of the company's 377 employees are equipped with mobile devices. Berg said the company encrypts those devices using Motorola Good Technology Group's GoodLink security platform, which enables his IT organization to configure security and encryption requirements centrally across multiple devices. It relies on the native encryption capabilities of the devices.

"In this day and age, that's how encryption should be," Berg said. "We should not have to add on a piece of third-party software. That should be something that's native to the device."

"I think it shows a disconnect between whoever was designing the software for the iPhone and the corporate market," he said. "We're seeing more and more Apple products in the enterprise. But they haven't yet made the commitment to make an enterprise phone or an enterprise desktop. It's a shame."

Many enterprises are looking for encryption in the iPhone, Berg said, but until Apple delivers it, he'll continue to say no to the iPhone in his company. "I'm not the most popular guy at my company right now for saying, 'No, you can't use it.' "

"[Apple] had better open up the SDK for full device encryption if they want to be taken seriously as a business device," Gold said. "It's not optional. I could never see a large enterprise that's security conscious deploying this device. It's just too risky."

Let us know what you think about the story; email: Shamus McGillicuddy, News Editor

Tags: iPhone,  Mobile Authentication and Encryption,  VIEW ALL TAGS

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT iPhone Enterprise iPhone adoption: Easing the iPhone into the enterprise Untethering the smartphone with an enterprise application store Sybase offers enterprise-ready iPhone solution on the App Store iPhone hacking: Lessons from the front line As iPhone passes BlackBerry market share, RIM prepares to counterpunch BlackBerry Storm: A potential iPhone killer in the enterprise Apple's App Store released earlier than anticipated Contrasting iPhone vs. Android 3G iPhone pilot: CIO ready to dump his Windows Mobile smartphones Six simple steps to killing the iPhone Mobile Authentication and Encryption Sybase offers enterprise-ready iPhone solution on the App Store Two-factor authentication: Mobile security at your fingertips RIM makes hostile takeover bid for encryption vendor Certicom In-the-cloud defenses for mobile malware Podcast: The truth about network security and mobile device access Sybase iAnywhere launches productivity suite that tunnels critical business apps through email Mobile voice encryption gets cheaper, easier to do Avoiding data breaches through mobile encryption Mobile device security: Improving mobile authentication Mobile management: Advice for mobile managers Mobile Authentication and Encryption Research

RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary CCMP  (SearchMobileComputing.com) drive-by spamming  (SearchMobileComputing.com) LEAP (Lightweight Extensible Authentication Protocol)  (SearchMobileComputing.com) Open System Authentication (OSA)  (SearchMobileComputing.com) SIM card  (SearchMobileComputing.com)

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary