Educause Security Discussion mailing list archives

Re: Smartphone Policies.


From: Adam Carlson <ajcarlson () BERKELEY EDU>
Date: Fri, 15 May 2009 13:12:27 -0700

I would be cautious about completely relying on the remote wipe
capabilities of the iPhone.  I have not tried any of this myself, but
the claims of this book and the associated workshop scare me quite a
bit (and O'Reilly is a name I trust):

http://oreilly.com/catalog/9780596153588/
http://www.zdziarski.com/forensics_workshop/

In particular, here are a few of the things this book/workshop will
teach you how to do:

"Interrupt iPhone 3G's "secure wipe" process"
"Recover deleted voicemail, images, email, and other personal data,
using data carving techniques"
"(Recover) Keyboard caches containing usernames, passwords, search
terms, and historical fragments of typed communication."

and more...

While a remote wipe capability is a nice feature that should be used
when possible, it does not come close to affording the same level of
protection as disk-based encryption using strong passwords.  As a
result, I would be wary of protecting data classified as highly
confidential solely with the iPhone's remote-wipe capabilities.


Chris Green wrote:
I believe that the Harvard Medical Center supports the iPhone very well (per http://geekdoctor.blogspot.com/).  The 
full exchange client on the iPhone can be an advantage.  Since the iPhone supports active sync, on Exchange 2007 the 
active sync “reset your phone” switch becomes an OWA accessible feature.   Lock your phone and if you lose it, go 
remotely wipe it yourself.

That’s a pretty sexy sales pitch to a clinician and it covers the lost device component.  Smartphones are in our 
sights as something we have to manage (and the AT&T isn’t our winning bidder) but it does seem to give a reasonable 
way to address some of the risks of the technology.  Change from saying no to saying “here’s the way to make it work 
and here’s the secret button to remember when you leave it in a cab”.    It also helps address the “work versus 
personal” phone thing because people do find ways to make their job doable or more productive.

Same line of thinking for BlackBerry but use the BES rather than the desktop connector so some of the risks can be 
managed.

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Connie 
Sadler
Sent: Thursday, May 14, 2009 12:37 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Smartphone Policies.


We are developing a Smartphone policy. But I'll tell you, the iPhones are scary - we cannot technically do anything 
(that I am aware of) to stop people from connecting and syncing up their mail. In fact, there is an app for the full 
Exchange client now. There are also a lot of other apps that are being pulled down to personally-owned iPhones that 
are connected to our network. I have to say, I work in an academic medical center, so it's very difficult to tell 
clinicians what they can and cannot do with their personal devices on our network (trust me - it's not easy).

There are some new products working to address this risk. With more employees taking their iPhones to work, IT 
departments are scrambling to figure out a way to manage them. The iPhone, unlike the BlackBerry, started out as a 
consumer device and still lacks some management and security features that corporations have come to expect from 
other mobile devices. Now, a number of software companies including Good 
Technology<http://www.good.com/corp/index.php>, Sybase<http://www.sybase.com/> and Tangoe<http://www.tangoe.com/> are 
stepping in to fill that void. Is anyone looking at these solutions??

http://www.good.com/corp/int_products.php?id=good_mobile_control_iphone&pid=good_for_enterprise

http://www.sybase.com/ianywhere

http://www.tangoe.com/managed-services/mobile-services/mobile-device-management.html

We're also quickly moving to a more "blended" work/life environment - and people (like it or not) are going to expect 
to be able to get to personal data from work and they want to use personal devices for both - we're going to have to 
find ways to enable it.

--
Connie

Connie Sadler
CISO, LPCH at Stanford

--
Adam Carlson
Chief Security Officer
Information Technology
Residential and Student Service Programs
Tel: 510-643-0631
Email: ajcarlson () berkeley edu

"Most of the things worth doing in the world had been declared
impossible before they were done." ~Louis D. Brandeis
