“Apple needed a mobile payment story,” says Gartner's Avivah Litan.

Can the world's preeminent consumer electronics company offer ease of use for a proliferation of apps and mobile wallets while offering enterprise-grade security – all on the same mobile device?

That's the question hanging over Apple in the wake of an embarrassing breach of its iCloud service that saw celebrity photos leak on the eve of an important event: the much ballyhooed release of the iPhone 6 and iOS 8. The new phone models and OS upgrade provide powerful new encryption capabilities to frustrate hackers, while the newly announced Apple Pay promises in-person transactions without exposing customers' credit-card information to fraudsters.

Apple blamed the iCloud breach on weak user passwords – a “very lame claim,” says Juanita Koilpillai, CEO of Waverley Labs, a Virginia-based data security consulting group. “Of course it was their problem,” she says. “Regardless of the password, all data at rest should be encrypted so that only the device accessing it can decrypt the photographs. Why not have the most stringent security settings out of the box?”

In the wake of the photo breach, Apple placed limits on iCloud login attempts and now notifies users of any changes to their account. Yet, according to a range of data security industry figures, Apple's security challenge isn't its technology. “Apple devices are already, without question, the most secure on the market,” says Rich Mogull, analyst and CEO at the Phoenix-based research firm Securosis.
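An attempt limit of the kind Apple added is easy to get wrong if it counts per source address rather than per account, or if it is consulted only after the password has been checked. The Python below is an added illustration, not Apple's code and not anything the people quoted here supplied: it keeps a sliding window of failures per account, locks the account for a period that doubles on each repeat, notifies the owner, and refuses a locked account before the password is ever examined. The thresholds, the PBKDF2 password storage and the in-memory store are assumptions for the example.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field

# Assumed policy values for this illustration.
MAX_FAILURES = 5        # failures tolerated inside one window
WINDOW_SECONDS = 900    # 15-minute sliding window
BASE_LOCKOUT = 60       # first lockout lasts 60 s and doubles on each repeat


@dataclass
class AccountState:
    failures: list = field(default_factory=list)  # timestamps of recent failures
    lockouts: int = 0                             # lockouts triggered so far
    locked_until: float = 0.0


class LoginThrottle:
    """Failure counting keyed by account, not by client address: an attacker can
    rotate addresses freely but has to keep hitting the same victim account."""

    def __init__(self, notify):
        self._accounts = {}   # assumed in-memory store; production would share it
        self.notify = notify  # callback that tells the owner about a lockout

    def _state(self, user):
        return self._accounts.setdefault(user, AccountState())

    def remaining_lockout(self, user, now):
        """Seconds of lockout left for this account; 0.0 means attempts may proceed."""
        return max(0.0, self._state(user).locked_until - now)

    def record(self, user, success, now):
        st = self._state(user)
        if success:
            st.failures.clear()
            return
        st.failures = [t for t in st.failures if now - t < WINDOW_SECONDS]
        st.failures.append(now)
        if len(st.failures) >= MAX_FAILURES:
            st.lockouts += 1
            st.locked_until = now + BASE_LOCKOUT * 2 ** (st.lockouts - 1)
            st.failures.clear()
            self.notify(user, f"locked until t={st.locked_until:.0f}")


def hash_password(password, salt=None, iterations=100_000):
    """Salted PBKDF2-SHA256 record: (salt, iterations, digest)."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, iterations, digest


def verify_password(password, record):
    salt, iterations, digest = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(candidate, digest)  # constant-time comparison


def login(throttle, users, user, password, now):
    """Return "locked", "ok" or "bad".  The throttle is consulted *before* the
    password is checked, so a locked account gives a guesser no oracle at all.
    Unknown users are recorded too, so lockout behaviour is the same whether or
    not the account exists."""
    if throttle.remaining_lockout(user, now) > 0:
        return "locked"
    ok = user in users and verify_password(password, users[user])
    throttle.record(user, ok, now)
    return "ok" if ok else "bad"


if __name__ == "__main__":
    events = []
    throttle = LoginThrottle(lambda who, msg: events.append((who, msg)))
    users = {"alice": hash_password("correct horse battery")}   # constructed sample
    for t in range(5):                     # five wrong guesses, one per second
        print(t, login(throttle, users, "alice", f"guess{t}", now=t))
    print(10, login(throttle, users, "alice", "correct horse battery", now=10))
    print(70, login(throttle, users, "alice", "correct horse battery", now=70))
    print(events)
```

The fifth failure locks the account for 60 seconds, so the correct password is refused at t=10 and accepted at t=70; a second run of failures locks it for 120 seconds. Any login path that reaches the password check (web, mobile app, any other API) has to go through the same throttle, or the limit only moves the attacker to the unthrottled door.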

Rather, the underlying problem is the inherent difficulty of safeguarding enterprise or government data on mobile devices that individual users control, if not own, says Andrew Plato, CEO of Anitian, an Oregon-based data security firm. “It's pretty difficult to get stuff off of – and inject malware onto – an Apple platform,” he says. “And that keeps them in high regard among security people.” The problem, he adds, is that security pros have little choice but to trust the claims of Apple's engineers. “Apple's biggest problem from a security standpoint is the ‘I don't know what I don't know' problem. We don't know what they do.”

OUR EXPERTS
  • Kayvan Alikhani, senior director of technology, RSA
  • Kim Ellery, product marketing manager, Absolute Software 
  • Tanuj Gulati, CTO, Securonix 
  • John Gunn, VP of corporate communications, VASCO Data Security
  • Juanita Koilpillai, CEO, Waverley Labs 
  • Avivah Litan, VP and distinguished analyst, Gartner 
  • Rich Mogull, analyst/CEO, Securosis 
  • Richard Moulds, VP for product strategy, Thales eSecurity 
  • Suni Munshani, CEO, Protegrity
  • John Pironti, consultant, ISACA; president, IP Architects 
  • Andrew Plato, CEO, Anitian 
  • Michael Sutton, VP of security research, Zscaler 
  • Randy Vanderhoof, executive director, Smart Card Alliance

Apple has, at least in general terms, set out its approach to the security of the iPhone 6 and iOS 8. It includes, among other elements: system security built on a secure boot chain of cryptographically signed components; the Secure Enclave, a coprocessor fabricated in Apple's A7 processor (and later versions) that performs the cryptographic operations for Data Protection key management; Touch ID, the fingerprint reader that allows quick access when a complex passcode is in place; a dedicated AES 256 crypto engine between flash storage and main memory for file encryption; unique IDs cryptographically tied to the device; and data protection for flash memory. Protection for apps begins with a strict iOS developer program that ensures each app is signed and verified. All iOS apps are “sandboxed” – that is, blocked from accessing data belonging to other apps and prevented from modifying the device.
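To make the Data Protection pieces in that list concrete (a per-file key, a class key, and a passcode key tied to the device's unique ID), here is a toy model in Python. It is an added illustration, not Apple's code: SHA-256 keystreams with HMAC tags stand in for the AES-256 engine and key wrapping, an HMAC over the PBKDF2 output stands in for the Secure Enclave's UID entanglement, and the iteration count is arbitrary. What it does show is the property Koilpillai asks for: a copy of the flash contents plus the correct passcode still decrypts nothing without the device's own UID, so passcode guessing has to happen on the device, where the attempt limits apply. Note that this covers the copy on the phone; the photos in the breach came from iCloud, which this hierarchy does not protect.

```python
import hashlib
import hmac
import os


def _keystream(key, nonce, length):
    """Toy keystream: SHA-256 over (key, nonce, block counter).  Stands in for the
    AES-256 engine; an assumption for illustration only, not a real cipher choice."""
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def wrap(key, plaintext):
    """Encrypt-then-MAC under a fresh nonce; the tag lets unwrap() detect a wrong key."""
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, "sha256").digest()
    return nonce + ct + tag


def unwrap(key, blob):
    """Return the plaintext, or None when the key is wrong or the blob was altered."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ct, "sha256").digest()
    if not hmac.compare_digest(expected, tag):
        return None
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


def passcode_key(passcode, uid, salt, iterations):
    """Stretch the passcode with PBKDF2, then tangle it with the device UID.
    The HMAC step is a stand-in for the Secure Enclave's UID entanglement: the
    UID never leaves the silicon, so the stretching cannot be moved to a faster
    machine that holds only a copy of the flash contents."""
    stretched = hashlib.pbkdf2_hmac("sha256", passcode.encode(), salt, iterations)
    return hmac.new(uid, stretched, "sha256").digest()


class Device:
    """One protection class, one passcode.  Everything except `uid` and the
    unwrapped keys is what an attacker would find in a flash image."""

    def __init__(self, passcode, iterations=50_000):
        self.uid = os.urandom(32)         # fused into the processor at manufacture
        self.salt = os.urandom(16)
        self.iterations = iterations      # assumed count for the example
        self._class_key = os.urandom(32)  # held by the Secure Enclave once unlocked
        pk = passcode_key(passcode, self.uid, self.salt, iterations)
        self.wrapped_class_key = wrap(pk, self._class_key)   # this copy lives in flash

    def store_file(self, data):
        """Fresh per-file key, wrapped under the class key; both records go to flash."""
        file_key = os.urandom(32)
        return {"wrapped_file_key": wrap(self._class_key, file_key),
                "ciphertext": wrap(file_key, data)}


def read_file(record, wrapped_class_key, salt, iterations, passcode, uid):
    """Walk the chain from a passcode guess down to the file.  A flash image
    gives the attacker every argument here except `uid`."""
    class_key = unwrap(passcode_key(passcode, uid, salt, iterations), wrapped_class_key)
    if class_key is None:
        return None
    file_key = unwrap(class_key, record["wrapped_file_key"])
    if file_key is None:
        return None
    return unwrap(file_key, record["ciphertext"])


if __name__ == "__main__":
    phone = Device("1234")
    photo = phone.store_file(b"constructed sample: photo bytes")
    flash = (photo, phone.wrapped_class_key, phone.salt, phone.iterations)
    print("right passcode, right device :", read_file(*flash, "1234", phone.uid))
    print("wrong passcode, right device :", read_file(*flash, "0000", phone.uid))
    print("right passcode, cloned flash :", read_file(*flash, "1234", os.urandom(32)))
```

The third line of output is the point: the cloned flash image with the correct passcode returns None, because the passcode key depends on a UID the clone does not have. Per-file keys also mean that wiping a file is a matter of discarding one small wrapped key rather than overwriting the data.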

The “sandbox” strategy may boost iOS security, but it's a constraint for developers of corporate apps that need to communicate with one another, says Kayvan Alikhani, senior director of technology at RSA. “The actual security model for the app itself – if it doesn't need to talk to anybody – has been greatly improved and strengthened tremendously,” he says. But in the enterprise world, where centralized monitoring of mobile devices is often considered essential for security, “sandboxing” creates limitations. “There is no [enterprise] application that can understand what's running on your phone, or stop an app,” he says.

Richard Moulds, vice president for product strategy at Thales eSecurity, a global provider of data protection solutions with U.S. headquarters in Plantation, Fla., speculates that Apple could open the way for more secure iOS enterprise apps by allowing third parties greater access to the iPhone 6, but adds that such a move could create new problems. “Developers are desperate to take advantage of the security properties of the latest iPhone, but if in doing so the basic security properties of the phone are weakened, there might only be a limited net benefit to the enterprise,” he says.

For now, Apple supports a range of mobile device management (MDM) services directly and through third-party developers that enable IT managers and security pros to enroll devices and track unauthorized usage and apps while offering privacy protections to users – capabilities that should avoid the kind of debacle seen in the Los Angeles Unified School District in 2013, when students simply removed MDM profiles on their district-owned iPads to be able to surf the web and download unauthorized apps. 

Yet, even with improved MDM from Apple and third-party providers, there's an inherent difficulty in securing devices that are owned or controlled by employees who must also use them for applications handling sensitive enterprise data, says John Pironti, a consultant for ISACA and president of IP Architects, a management and technical consulting services firm. “Instead of trying to surround them with so many controls and capabilities, what we have to do is find a way to say ‘yes,’” he says, adding that rather than take an all-or-nothing approach, IT managers and data security professionals should move forward on the basis of a threat and vulnerability analysis.

For example, those responsible for enterprise MDM can build on Apple's technology as well as third-party solutions to assess risk from mobile devices through biometric authentication systems, like Touch ID, as well as geofencing, says John Gunn, vice president of corporate communications for VASCO Data Security, a Chicago-based company specializing in authentication. “It isn't ‘yes’ or ‘no,’” he says. “You come in to the network with a risk score.”
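Gunn's risk score can be made concrete. The Python below is an added example, not VASCO's product and not Apple's code: it combines the signals named above (how the user authenticated, whether the device is inside an approved geofence, and whether it is under management) into a score and maps the score to allow, step up or deny. The weights, the thresholds, the signal labels and the Cupertino coordinates are all assumptions for the example.

```python
import math
from dataclasses import dataclass


@dataclass
class AccessRequest:
    user: str
    auth_method: str      # "password" or "touch_id" (assumed labels)
    lat: float            # device-reported location
    lon: float
    mdm_enrolled: bool    # device is under enterprise management
    os_current: bool      # OS is at the version the policy requires


# Assumed policy: penalty points per risk signal and two thresholds.
WEIGHTS = {
    "password_only": 25,      # no biometric or second factor
    "unmanaged_device": 30,   # no MDM profile: posture cannot be verified
    "outside_geofence": 25,   # not at any approved site
    "stale_os": 15,
}
STEP_UP_AT = 25   # score at or above this: demand a second factor
DENY_AT = 60      # score at or above this: refuse


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points, in kilometres."""
    r = 6371.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))


def inside_geofence(lat, lon, fences):
    """fences: iterable of (lat, lon, radius_km)."""
    return any(haversine_km(lat, lon, flat, flon) <= radius for flat, flon, radius in fences)


def risk_score(req, fences):
    """Return (score, reasons).  Location is self-reported by the device, so it
    is only believed on a managed device: an unmanaged device gets the
    geofence penalty whatever coordinates it claims."""
    score, reasons = 0, []
    if req.auth_method == "password":
        score += WEIGHTS["password_only"]
        reasons.append("password_only")
    if not req.mdm_enrolled:
        score += WEIGHTS["unmanaged_device"]
        reasons.append("unmanaged_device")
    if not req.mdm_enrolled or not inside_geofence(req.lat, req.lon, fences):
        score += WEIGHTS["outside_geofence"]
        reasons.append("outside_geofence")
    if not req.os_current:
        score += WEIGHTS["stale_os"]
        reasons.append("stale_os")
    return score, reasons


def decide(score):
    if score >= DENY_AT:
        return "deny"
    if score >= STEP_UP_AT:
        return "step_up"
    return "allow"


if __name__ == "__main__":
    office = [(37.3318, -122.0312, 5.0)]   # assumed approved site, 5 km radius
    samples = [                             # constructed requests
        AccessRequest("alice", "touch_id", 37.33, -122.03, True, True),
        AccessRequest("alice", "password", 37.33, -122.03, True, True),
        AccessRequest("bob", "touch_id", 40.7128, -74.0060, True, True),
        AccessRequest("carol", "touch_id", 37.33, -122.03, False, True),
        AccessRequest("dave", "password", 37.33, -122.03, False, False),
    ]
    for req in samples:
        score, reasons = risk_score(req, office)
        print(f"{req.user:6} score={score:3} {decide(score):8} {reasons}")
```

With these weights a managed, current device unlocked with Touch ID from the office is allowed outright, the same device with only a password is asked for a second factor, and an unmanaged device using a password is refused. The asymmetry around the geofence is deliberate: GPS coordinates come from the device, so a device the enterprise cannot vouch for should not be able to lower its own score by claiming to be on site.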