Security Basics mailing list archives
Re: iTunes for iPhone in an Enterprise
From: Todd Haverkos <infosec () haverkos com>
Date: Thu, 02 Dec 2010 12:22:40 -0600
Francois Lachance <digitallachance () gmail com> writes:
> So nobody sees an issue with the number of security related bugs in iOS, or the fact that at one time you could be jailbroken just by browsing a web site,
Yes, there are risks and there have been vulnerabilities. But, that's just like every other OS that IT inherits support of in an enterprise environment. :-)
> or by the fact that you have no way to control what apps your users can install? At least with a BlackBerry BES I can control any aspect of the devices centrally. I don't think that's possible on the iPhone, at least not without a third-party add-on.
Yes, best I can tell, someone wanting to manage this to best practice should absolutely consider third-party add-ons mandatory infrastructure for an iPhone deployment. But... you'll also need to acknowledge that if you try to admin iPhones the same way BlackBerrys are typically administered, the user experience is going to be miserable, and much of the point of the smartphone proposition will be lost.

Is it a less secure and less controlled model in which iPhone/Android have to live to be most useful? Absolutely. It comes down to whether the benefits are deemed as justifying the risks they pose. The risks seem manageable given what else is out there. After all, how many people don't blink an eye deploying Windows images with Adobe Flash on them (and correspondingly don't do a great job of keeping Flash updated on those corporate endpoints)?

In a perfect world would we make everyone run lynx to browse the web, using hardened OpenBSD on the desktop, abolish web plugins entirely, and run around patting ourselves on the back and claiming victory for security? Sure. But would users ever get anything done or enjoy working with the tools they're given? Or would they even be supportable with sufficiently trained staff? Probably not.
> It seems like every update released by Apple for the iPhone contained at least one security vulnerability fix. Not so for the BlackBerries. There have been a few vulnerabilities on the BES (all related to the PDF rendering), and all that was required was to upgrade one server, not every device. I am not saying that there are no bugs in BlackBerry devices, but so far, none that have had a security implication. Am I being paranoid here? Please someone set me straight if I'm wrong here.
I'd say it's entirely normal and healthy for a security person to want to vomit at the prospect of adding iPhones to their world if they are used to BlackBerry's very tight and granular controls. I'd also agree that it's normal to wish that Apple would have this solution fully baked with single-vendor tools that they support. But none of that will do much to stem the tide of IT being asked from all sides when they can ditch their ugly and slow BlackBerries for a touch-screen device that doesn't crash, renders normal web pages acceptably, can take a photo, has an App Store of a decent size/selection, etc...

So the question then becomes "okay, we have to support this cruft--how can we manage the risks?" And, it seems they're as manageable as other risks IT has to deal with day to day.

After all, infosec has to stop being the department of "No" and become better at managing/mitigating the risks of technologies that make employees more productive. "Angry Birds" notwithstanding.

--
Todd Haverkos, LPT MsCompE
http://haverkos.com/