March 5th, 2008
iPhone insecurity leaves sour taste for enterprise IT
In its invitation to the media for Thursday’s iPhone Software Roadmap, Apple hints strongly that it’s working to get the iPhone into the enterprise. In addition to information about the iPhone SDK, Apple promises “some exciting new enterprise features.” The event graphic shows “Enterprise” as a major stop on the SDK highway.
iLounge, which is carrying “confirmed” rumors of the details, says the enterprise features are pretty much limited to announcing iPhone support for Microsoft Exchange and Lotus Notes.
But not being able to use Exchange on your iPhone is not what enterprise reluctance is all about. It’s about security. All that jailbreaking, buffer overflows, hardware hacks, and revelations about weak architecture, and proof-of-concept exploits galore leaves a sour taste in IT mouths, Andrew Storms, director of IT security at nCircle Network Security, told me.
This release of the SDK probably won’t do much to regain
the love of many enterprise IT and security departments. All the attention
drawn to the security of the iPhone in the last 9 months has driven too much
bad disclosure resulting in lowered trust among IT security groups. In the
world of IT security, once trust is diminished, its a steep narrow mountain
to climb in order to regain that dependability.
What about the fact that Apple will apparently server as gatekeeper, only allowing apps it approves of to be distributed through the iTunes Store? Rather than building confidence, Andrew said:
Enterprise IT sees this policy as an indicator of lacking good technical security controls on the iPhone. As has it been all throughout the iPhone jailbreak saga, Apple cannot play the demigod of creativity and coolness while enforcing these seemingly unfounded strict controls.
And speaking of Apple’s Good iPhoning Seal of Approval, does anyone think there won’t still be a vibrant “gray market” in unapproved apps? I asked my friend Damien Stolarz about that:
I’m pretty certain jailbreaking will be popular for the forseeable future. The SDK is better than nothing but a lack of over-the-air purchase/install will leave installer.app in business until Apple lets you buy on the phone.
In any case, the SDK will drive more enterprise apps and integration, which will only make things worse, Andrew said.
This will just continue to widen the chasm between
the company executive and the IT security personnel. Instead of playing to
the peril of allowing feature-functionality to outpace security, Apple needs
to first retrace its steps and spend some face-to-face time with enterprise
security teams in order to regain their trust.
When I talked to Andrew about this stuff last fall, when iPhone security holes were all over the headlines, he said this is what Apple needs to do: Provide centralized tools for managing configuration and compliance.
Until then it will continue to be shunned by enterprises. No matter how useful or ingenious the device may be, the enterprise simply cannot consume another device where private data could be leaked.”
