Should You Ban the iPhone?

When David O’Berry, IT director for the South Carolina Department of Probation, Parole and Pardon Services, was quoted in a Wall Street Journal story titled “Why IT Hates the iPhone,” he was inundated with complaints from Apple fans.

“After that quote, I had to defend myself in multiple blogs. I didn’t say anything about hating the iPhone,” O’Berry said. “Personally, I think the iPhone is a great device. My point was that users need to be cognizant of the dangers posed by certain devices in certain situations.”

O’Berry noted that while Apple has addressed many of the security flaws of the iPhone, a glaring problem remains: lack of encryption on the device. “Until you encrypt that device, it is a walking time bomb from IT’s point of view,” he said.

Unless data is encrypted at the device level, users can copy sensitive information from work, take it home with them, lose the device or have it stolen, and expose confidential organizational information to whoever has the device in hand. In other words, without encryption, the iPhone, or any other device like it, can’t be considered enterprise-class.

Smart Phones Invading

Make no mistake about it, though, iPhones and other smart phones are invading the office, and IT is ill-prepared. According to Infonetics Research, single-mode WiFi phone sales jumped 60% in 2007, and WiFi-enabled smart phones (like the iPhone) should experience an even higher growth rate this year. Meanwhile, the SANS Institute listed mobile threats against iPhones and Android phones as the fourth most serious security threat for 2008.

With those numbers in mind, CIOs should be thinking about smart phone and VoWLAN strategies. As with many previous technologies, such as email and WiFi, smart phones will invade the enterprise through the back door. Users who value them will use them and if that means sneaking behind the back of IT, so be it.

The easiest way for an organization to control any device is to own it. Buy it for the employee, or at the very least subsidize a portion of the monthly bill, and you can exercise control. Pretend it doesn’t exist, and there’s no way you can demand that phones be encrypted or have, say, two-factor authentication in place.

“The trouble with paying only a portion of the bill is that you have to recoup costs for personal calls and the like,” O’Berry said. “It can become a real accounting headache.” His department has already purchased smart phones and tablet PCs for its staff, and it controls the devices at the network’s edge. The second easiest solution, of course, is to simply ban iPhones and other smart phones from the corporate network. But does that really solve the problem? Does it even work?

Users can switch to mass storage mode and plug the devices into PCs via USB. Then, when they switch them back into phone mode, dual-mode smart phones will allow them to easily jump to a cellular link (or a neighboring, unsecured WiFi link), and you won’t even be aware of, let alone in control of, a serious security risk.

A better approach is to put controls and policies in place. Many NAC solutions can do compliance checks on any device connecting to the network. If a device doesn’t encrypt data, it won’t be allowed to download anything – or even connect to anything beyond a remediation page. NAC and many other security suites are also offering USB controls, which allow IT to shut down USB ports altogether or set security policies for their use.

Meanwhile, data loss prevention (DLP) solutions classify sensitive types of data and wrap policies around them. In other words, you won’t be copying, downloading or emailing confidential IP if DLP is in place, and if you do download anything, an audit trail is logged.

“An easy way to accommodate iPhones and smart phones is to extend guest networks,” said Chris Roeckl, VP of marketing for AirMagnet, a provider of WLAN assurance tools. If iPhones are herded onto guest networks only, users won’t be able to access confidential data, but they’ll still have Internet access. There’s still the problem of users forwarding information to themselves over email, but that’s an email security issue, not a smart phone one. However, if you go the route of restricting iPhones to guest networks, you’ll need wireless detection and monitoring tools in place that locate those devices and enforce policies on them.
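The three controls described above (NAC compliance checks that send non-compliant devices to a remediation page, DLP classification with an audit trail, and herding unmanaged devices onto a guest network) fit together as one small policy engine. The following is an added example written for this page; it is not code from the article, from AirMagnet, or from any NAC or DLP product. The device posture fields (`managed`, `storage_encrypted`, `passcode_set`, `usb_mass_storage`), the DLP rule set, and the sample inputs are all constructed for illustration.

```python
"""Toy NAC posture check + DLP classifier with an audit trail (added example)."""
import re
from datetime import datetime, timezone

# NAC decisions. A compliant managed device gets full access; a managed but
# non-compliant one lands on a remediation VLAN where only the remediation
# page is reachable; an unmanaged device is placed on the guest network.
ALLOW, REMEDIATE, GUEST = "allow", "remediate", "guest"


def nac_decision(posture):
    """Return (decision, reasons) for a device posture report.

    `posture` is a constructed dict of attributes an agent or MDM would report.
    """
    if not posture.get("managed", False):
        return GUEST, ["device is not enrolled in management"]
    reasons = []
    if not posture.get("storage_encrypted", False):
        reasons.append("device storage is not encrypted")
    if not posture.get("passcode_set", False):
        reasons.append("no device passcode")
    if posture.get("usb_mass_storage", False):
        reasons.append("USB mass-storage mode is enabled")
    return (REMEDIATE, reasons) if reasons else (ALLOW, [])


# DLP rules (constructed): a label and the pattern that triggers it.
DLP_RULES = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "card": re.compile(r"\b(?:\d{4}[ -]?){3}\d{4}\b"),
    "marker": re.compile(r"\bCONFIDENTIAL\b", re.IGNORECASE),
}


def luhn_ok(digits):
    """Luhn checksum, used to cut false positives on 16-digit numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        n = int(ch)
        if i % 2 == 1:
            n *= 2
            if n > 9:
                n -= 9
        total += n
    return total % 10 == 0


def classify(text):
    """Return the set of sensitivity labels whose rules match the text."""
    labels = set()
    for label, pattern in DLP_RULES.items():
        for match in pattern.finditer(text):
            if label == "card" and not luhn_ok(re.sub(r"\D", "", match.group())):
                continue  # looks like a card number but fails Luhn: ignore
            labels.add(label)
    return labels


def dlp_check(user, action, text, audit_log):
    """Permit or block a copy/download/email action and record the decision.

    Every evaluated action is appended to audit_log, permitted or not, so a
    reviewer can later trace who tried to move what. Returns True if permitted.
    """
    labels = classify(text)
    permitted = not labels
    audit_log.append({
        "ts": datetime.now(timezone.utc).isoformat(),
        "user": user,
        "action": action,
        "labels": sorted(labels),
        "permitted": permitted,
    })
    return permitted


if __name__ == "__main__":
    # Constructed sample devices and actions.
    for name, posture in {
        "managed, encrypted": {"managed": True, "storage_encrypted": True, "passcode_set": True},
        "managed, unencrypted": {"managed": True, "storage_encrypted": False, "passcode_set": True},
        "personal iPhone": {"managed": False},
    }.items():
        print(name, "->", nac_decision(posture))

    log = []
    print(dlp_check("alice", "email", "Lunch at noon?", log))
    print(dlp_check("bob", "usb_copy", "CONFIDENTIAL: payroll SSN 123-45-6789", log))
    for entry in log:
        print(entry)
```

The Luhn check is the kind of detail that separates a usable DLP rule from a noisy one: a bare 16-digit pattern flags order numbers and timestamps, while a Luhn-validated match is far more likely to be a real card number. Likewise, the audit entry is written even when an action is permitted, since the value of the trail is in reconstructing what happened, not only in listing blocks.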

A bigger problem, though, is the same one that plagues all new technologies. New technologies boost productivity. Throttling back on that productivity may in the end be more costly than figuring out how to address risks in ways that don’t impede users.