Educause Security Discussion mailing list archives
Re: Smartphone Policies.
From: Adam Carlson <ajcarlson () BERKELEY EDU>
Date: Fri, 15 May 2009 13:12:27 -0700
I would be cautious about completely relying on the remote wipe capabilities of the iPhone. I have not tried any of this myself, but the claims of this book and the associated workshop scare me quite a bit (and O'Reilly is a name I trust):

http://oreilly.com/catalog/9780596153588/
http://www.zdziarski.com/forensics_workshop/

In particular, here are a few of the things this book/workshop will teach you how to do:

"Interrupt iPhone 3G's "secure wipe" process"
"Recover deleted voicemail, images, email, and other personal data, using data carving techniques"
"(Recover) Keyboard caches containing usernames, passwords, search terms, and historical fragments of typed communication."

and more...

While a remote wipe capability is a nice feature that should be used when possible, it does not come close to affording the same level of protection as disk-based encryption using strong passwords. As a result, I would be wary of protecting data classified as highly confidential solely with the iPhone's remote-wipe capabilities.

Chris Green wrote:
I believe that the Harvard Medical Center supports the iPhone very well (per http://geekdoctor.blogspot.com/). The full exchange client on the iPhone can be an advantage. Since the iPhone supports active sync, on Exchange 2007 the active sync “reset your phone” switch becomes an OWA accessible feature. Lock your phone and if you lose it, go remotely wipe it yourself. That’s a pretty sexy sales pitch to a clinician and it covers the lost device component.

Smartphones are in our sights as something we have to manage (and the AT&T isn’t our winning bidder) but it does seem to give a reasonable way to address some of the risks of the technology. Change from saying no to saying “here’s the way to make it work and here’s the secret button to remember when you leave it in a cab”. It also helps address the “work versus personal” phone thing because people do find ways to make their job doable or more productive.

Same line of thinking for BlackBerry but use the BES rather than the desktop connector so some of the risks can be managed.

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Connie Sadler
Sent: Thursday, May 14, 2009 12:37 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Smartphone Policies.

We are developing a Smartphone policy. But I'll tell you, the iPhones are scary - we cannot technically do anything (that I am aware of) to stop people from connecting and syncing up their mail. In fact, there is an app for the full Exchange client now. There are also a lot of other apps that are being pulled down to personally-owned iPhones that are connected to our network. I have to say, I work in an academic medical center, so it's very difficult to tell clinicians what they can and cannot do with their personal devices on our network (trust me - it's not easy). There are some new products working to address this risk.
With more employees taking their iPhones to work, IT departments are scrambling to figure out a way to manage them. The iPhone, unlike the BlackBerry, started out as a consumer device and still lacks some management and security features that corporations have come to expect from other mobile devices. Now, a number of software companies including Good Technology<http://www.good.com/corp/index.php>, Sybase<http://www.sybase.com/> and Tangoe<http://www.tangoe.com/> are stepping in to fill that void.

Is anyone looking at these solutions??

http://www.good.com/corp/int_products.php?id=good_mobile_control_iphone&pid=good_for_enterprise
http://www.sybase.com/ianywhere
http://www.tangoe.com/managed-services/mobile-services/mobile-device-management.html

We're also quickly moving to a more "blended" work/life environment - and people (like it or not) are going to expect to be able to get to personal data from work and they want to use personal devices for both - we're going to have to find ways to enable it.

-- Connie

Connie Sadler
CISO, LPCH at Stanford
--
Adam Carlson
Chief Security Officer
Information Technology Residential and Student Service Programs
Tel: 510-643-0631
Email: ajcarlson () berkeley edu

"Most of the things worth doing in the world had been declared impossible before they were done." ~Louis D. Brandeis