Apple iPhone 3.0: Not Answering the Call of Enterprise Security

Apple’s recent introduction of the iPhone OS 3—an update to the Apple iPhone operating system—created hope among Apple fans that the enormously popular consumer device might be a better fit for the enterprise as well.
 
Security is the foremost issue separating the iPhone from Research In Motion’s BlackBerry lineup or Palm's Treo and upcoming Pre smartphones, which CIOs and IT managers have shown greater comfort deploying, due to included data controls and authentication features.
 
Ben Halpert is a CISSP (Certified Information Systems Security Professional) security researcher, writer and lecturer, who offered a sobering perspective for the hopeful.
 

Resource Library:

“If you talk to enough iPhone owners—who are potential enterprise users—you’ll find that the iPhone user base has built up an unrealistic expectation that Apple will come to their rescue and enable the iPhone for enterprise use on a grand scale,” said Halpert.
 
Instead, Halpert says, “Apple seems to be throwing a few breadcrumbs for the enterprise market, to keep them interested, but not enough to enable a full-scale deployment.”
 
Halpert points to the addition of a P2P connectivity feature, which enables iPhone users within Bluetooth range to view one another’s music and video lists and stream selections to their own devices.
 
Music lovers may be delighted by this feature—which is in keeping with the sensibilities of youthfulness, openness and hyper social networking the iPhone embodies. But it’s in stark contrast to the BlackBerry approach to Bluetooth, which is to create security profiles that specify how applications on BlackBerry devices can interact with Bluetooth-enabled devices.

“I’m interested to see what the first app is that contains a malicious component to exploit this new feature,” said Halpert, who added that he’s a realist.
 
“If you make a criminal’s job easier, they will thank you and build exploits that will fly under the radar,” Halpert said. “Individuals with malicious intent can be just as creative as the honest App Store developers.”
 
Apple sold 13.7 million iPhones in 2008, and wanting to include some of those owners in the enterprise fold, enterprise heavyweights SAP and Sybase recently announced a partnership that would extend SAP’s Business Suite 7 to the Apple iPhone, among other devices.
 
Is the CIO who agrees to SAP on an iPhone simply caving under the pressure from iPhone-toting employees?
 
Halpert said he proceeds cautiously.
 
“The CIO decision should be based on the benefit [the iPhone can offer] the business. Do the benefits outweigh the costs to the enterprise? This includes the risk management component,” Halpert said.
 
If an iPhone is deployed and the CIO doesn’t ensure the enterprise’s intellectual property is adequately protected, the consequences can be far-reaching.
 
Halpert said, “The CIO needs to ask him- or herself, ‘What amount of intellectual property loss is acceptable?’”