Apple has enjoyed increased enterprise adoption of the
iPhone and iPad—but a new Forrester Research report makes it clear that, if
companies are to accept the devices into their fold, certain security policies
need to be implemented first.
The Aug. 2 report authored by Forrester analyst Andrew
Jaquith suggests that, while Apple has instituted more stringent security for
its devices, enterprises need to be proactive about instituting policies of
their own for the iPad and iPhone.
The report's seven recommended security policies are:
- Requiring e-mail session encryption
- Wiping the contents of lost or stolen devices
- Protecting devices with a passcode lock
- Autolocking devices after a period of inactivity
- Autowiping devices after failed unlock attempts
- Continually refreshing policies
- Protecting the configuration profile
“These seven Apple mobile device policies satisfy the basic
security needs of most enterprises,” Jaquith wrote. Enterprises should also consider
adding provisions to their acceptable-use policies, he added, including a requirement
that employees back up their devices using iTunes.
Enterprises in certain sectors, such as health care, demand more
stringent security policies. For those companies, Jaquith recommends additional
configuration profile settings: seven-character alphanumeric passcodes for
stronger protection, hardware encryption with an AES-256 symmetric key,
certificate-based authentication, and the application encryption supported by
iOS 4.
Those more-stringent requirements would also demand new policy
provisions, including a company right to emergency device confiscation, and a requirement
that users scrub their address books of sensitive information such as social
security numbers.
At the top level of stringency, an enterprise can institute
policies for Apple devices that include blocking use of the iPhone camera,
prohibiting access to the App Store, turning off the screen-capture feature,
and preventing use of the browser. However, Forrester apparently “regards these
policy options as excessive for personally owned devices, as we recommend that
you implement these policies only sparingly.”
Even with Apple’s more robust security measures, the report
suggests that the iPhone and iPad “still lack some key security and management
refinements that enterprises require.” These include the iPhone’s inability to
automate installation tasks, even as it generates configuration profiles; a
lack of mature enterprise device management tools and support for smart-card
authentication; no compliance with FIPS 140-2; and zero capability for logging
and archiving SMS messages.
In addition, the iPhone and iPad lack support for client
e-mail end-to-end encryption, fine-grained application control, and the native
ability to compartmentalize work and business environments on the device.
“While most enterprises can use Apple mobile devices
securely, some require higher levels of authentication assurance, resistance to
attack, manageability, and logging than the iPad or iPhone can provide,” Jaquith
wrote. “For these customers, Research In Motion’s BlackBerry still rules the
roost.”