Top Ten Ways to Ensure Security with Your iPad

Clearpath’s clients include IT departments, C-level executives and small business owners.  Many of them have deployed tablets, most often Apple’s iPad, as the result of a user population that is clamoring for the device and its form factor and innovative interface.  Often my clients will ask me, “How should I go about managing the security risks that the iPad or iPhone add to our corporate security?”  Since we at Clearpath host a number of our customers’ critical application infrastructures, including email, virtual desktop and proprietary applications, we have a good deal of experience helping our customers do just this.  We deploy several applications in our cloud infrastructure that help to control the Apple iOS devices that our clients use.  Many of our clients don’t have these capabilities, so I’ve put together a list of things that can be done which will ensure that you are protecting data as well as possible in small deployments.

It’s important to note that on non-jail broken iPads and iPhones, there are no known viruses in the wild.  This inherently means that security of data on the device should be paramount concern with this technology.

My top ten list of things you can do to protect your infrastructure and critical data with iPad.

1. Subscribe to MobileMe. While $99 per year might seem to be a lot of money, the ability to sync, and initiate a remote wipe of the device is invaluable.  You can also use the MobileMe service to move sensitive data from the iPad locally to iDisk, which will reduce the exposure of data if the device is lost or stolen.  Lastly, MobileMe can help you find the device when you lose it, by displaying the information on a map.

2. Restrict access to App Installation. The iPad provides the ability for administrators to restrict the installation of applications using a passcode.  This will prevent users from installing applications which may have security vulnerabilities that can expose sensitive data.

3. Enable automatic data erasure. The iPad can be configured to automatically erase data after 10 failed passcode unlock attempts.  This should be a mandatory setting for any administrator deploying an iPad to a user.

4. Use a VPN to provide connectivity.  If VPN connectivity is required for the iPad to communicate with corporate services such as virtual desktop, email or other applications, then you can be assured that the data isn’t being intercepted by a third party.

5. Install regular software updates. Apple regularly updates iOS to keep up with the latest detected vulnerabilities.  To do this, it’s necessary to connect the system to a computer regularly.  If you don’t connect the device on a regular basis, there’s a possibility that the system will miss a critical update and be exposed to a security risk that has already been fixed by Apple.  For long term use of the iPad in corporate environments, IT should implement a structured update process. (Note: this will be a tedious one until such time as Apple releases corporate tools to manage the iPad).

6. Leverage a Virtual Desktop. Using a Virtual Desktop to secure access to corporate resources is a fantastically easy means to ensure that no sensitive data is stored on the device, and that a user must authenticate to gain access to any sensitive data, at any time.

7. Backup the iPad regularly. In the event of data loss, or infection, the backup can be used to both identify the data that was on the device, as well as to restore a new or damaged iPad back to its original state.

8. Don’t allow your users to Jailbreak the iPad/iPhone.  All known virus infections on iPad and iPhone are tied to instances where the devices have been jailbroken.  Do not allow jailbroken devices on the corporate network, or to access corporate services.  Period.

   • What is Jailbreaking?  - iOS jailbreaking, or simply jailbreaking, is the process of removing the limitations imposed by Apple on devices running the iOS operating system through use of custom kernels. Such devices include the iPhone, iPod Touch, iPad, and 2nd Gen Apple TV. Jailbreaking allows users to gain full access (or root access) to the operating system, allowing iOS users to download additional applications, extensions, and themes that are unavailable through the official Apple App Store, via installers such as Cydia. A jailbroken iPhone, iPod Touch, or iPad running iOS can still use the App Store, iTunes, and other normal functions, such as making telephone calls. Unlike rooting an Android device, jailbreaking is necessary if the user intends to run software not authorized by Apple.

9. Don’t lose the device. The number one risk to sensitive data is that someone will find or steal your device – exposing the contents of the device to an unknown party.

10. Install VirusBarrier. VirusBarrier from Intego is a pre-plug anti-malware defense that will scan files for known exploits before connection to a computer allows the malware to spread to a PC or the corporate network

We’re also looking to tools like VMware’s Horizon Mobile Application Manager which will enable a secure Hypervisor on the device to be managed by IT, effectively providing a sandbox that IT can control, without requiring the user to give up the freedoms afforded in the device itself.  Stay tuned for more information on that.