Can the world’s preeminent consumer electronics company offer ease of use for a proliferation of apps and mobile wallets while offering enterprise-grade security – all on the same mobile device?

That’s the question hanging over Apple in the wake of an embarrassing breach of its iCloud service that saw celebrity photos leak on the eve of an important event: the much ballyhooed release of iPhone 6 and iOS 8. The new phone models and OS upgrade provide powerful new encryption capabilities to frustrate hackers, while the newly announced Apple Pay promises in-person transactions without exposing customers’ credit-card information to fraudsters.

Apple blamed the iCloud breach on weak user passwords – a “very lame claim,” says Juanita Koilpillai, CEO of Waverley Labs, a Virginia-based data security consulting group. “Of course it was their problem,” she says. “Regardless of the password, all data at rest should be encrypted so that only the device accessing it can decrypt the photographs. Why not have the most stringent security settings out of the box?”

In the wake of the photo breach, Apple placed limits on iCloud login attempts and now notifies users of any changes to their account. Yet, according to a range of data security industry figures, Apple’s security challenge isn’t its technology. “Apple devices are already, without question, the most secure on the market,” says Rich Mogull, analyst and CEO at the Phoenix-based research firm Securosis.

Rather, the underlying problem is the inherent difficulty of safeguarding enterprise or government data on mobile devices that individual users control, if not own, says Andrew Plato, CEO of Anitian, an Oregon-based data security firm. “It’s pretty difficult to get stuff off of – and inject malware onto – an Apple platform,” he says. “And that keeps them in high regard among security people.” The problem, he adds, is that security pros have little choice but to trust the claims of Apple’s engineers. “Apple’s biggest problem from a security standpoint is the ‘I don’t know what I don’t know’ problem. We don’t know what they do.”

OUR EXPERTS

  • Kayvan Alikhani, senior director of technology, RSA
  • Kim Ellery, product marketing manager, Absolute Software 
  • Tanuj Gulati, CTO, Securonix 
  • John Gunn, VP of corporate communications, VASCO Data Security
  • Juanita Koilpillai, CEO, Waverley Labs 
  • Avivah Litan, VP and distinguished analyst, Gartner 
  • Rich Mogull, analyst/CEO, Securosis 
  • Richard Moulds, VP for product strategy, Thales eSecurity 
  • Suni Munshani, CEO, Protegrity
  • John Pironti, consultant, ISACA; president, IP Architects 
  • Andrew Plato, CEO, Anitian 
  • Michael Sutton, VP of security research, Zscaler 
  • Randy Vanderhoof, executive director, Smart Card Alliance

Apple, at least in general terms, has set out its approach to the security of its iPhone 6 and iOS 8. It includes, among other elements, system security with a secure boot chain of cryptographically signed components; Secure Enclave, a coprocessor fabricated in Apple’s A7 processor (and later versions) that performs all cryptographic operations for data protection key management; Touch ID, the fingerprint reader that allows quick user access when complex passcodes are in place; a dedicated AES 256 crypto engine between flash storage and main memory for file encryption; unique IDs cryptographically tied to the device; and data protection for flash memory. The protection for its apps begins with a strict iOS developer program to ensure that each app is signed and verified. All iOS apps are “sandboxed” – that is, blocked from accessing data used by other apps and prevented from modifying the device.

The “sandbox” strategy may boost iOS security, but it’s a constraint for developers of corporate apps that need to communicate with one another, says Kayvan Alikhani, senior director of technology at RSA. “The actual security model for the app itself – if it doesn’t need to talk to anybody – has been greatly improved and strengthened tremendously,” he says. But in the enterprise world, where centralized monitoring of mobile devices is often considered essential for security, “sandboxing” creates limitations. “There is no [enterprise] application that can understand what’s running on your phone, or stop an app,” he says.

Richard Moulds, vice president for product strategy at Thales eSecurity, a global provider of data protection solutions with U.S. headquarters in Plantation, Fla., speculates that Apple could open the way for more secure iOS enterprise apps by allowing third parties greater access to the iPhone 6, but adds that such a move could create new problems. “Developers are desperate to take advantage of the security properties of the latest iPhone, but if in doing so the basic security properties of the phone are weakened, there might only be a limited net benefit to the enterprise,” he says.

For now, Apple supports a range of mobile device management (MDM) services directly and through third-party developers that enable IT managers and security pros to enroll devices and track unauthorized usage and apps while offering privacy protections to users – capabilities that should avoid the kind of debacle seen in the Los Angeles Unified School District in 2013, when students simply removed MDM profiles on their district-owned iPads to be able to surf the web and download unauthorized apps. 

Yet, even with improved MDM from Apple and third-party providers, there’s an inherent difficulty in securing devices that are owned or controlled by employees who must also use them for applications handling sensitive enterprise data, says John Pironti, a consultant for ISACA and president of IP Architects, a management and technical consulting services firm. “Instead of trying to surround them with so many controls and capabilities, what we have to do is find a way to say ‘yes,’” he says, adding that rather than take an all-or-nothing approach, IT managers and data security professionals should move forward on the basis of a threat and vulnerability analysis.

For example, those responsible for enterprise MDM can build on Apple’s technology as well as third-party solutions to assess risk from mobile devices through biometric authentication systems, like Touch ID, as well as geofencing, says John Gunn, vice president of corporate communications for VASCO Data Security, a Chicago-based company specializing in authentication. “It isn’t ‘yes’ or ‘no,’” he says. “You come in to the network with a risk score.”

Enterprise choice?

In fact, Apple’s latest iPhone and iOS increasingly provide the tools to support such an approach, according to Michael Sutton, vice president of security research at Zscaler, a San Jose, Calif.-based secure cloud provider. “Apple has an opportunity to be the platform of choice for enterprises wishing to make standard security policies for BYOD devices,” he says.

But, being the preferred platform in large companies and government isn’t the same as being the only one, as those responsible for MDM and security in BYOD environments will still have to grapple with multiple technologies, contends Kim Ellery, product marketing manager at Absolute Software, a Vancouver, Canada-based company focused on endpoint security for mobile computing. “The very trend that brought Apple to the enterprise continues to feed the ecosystem with different device types of operating systems,” he says. 

Such flux and uncertainty created by BYOD has led one company, Securonix, to conclude that centralized ownership and control of enterprise iOS devices is essential. “For now, the key strategy to support iOS devices is to ensure that organizations own the devices and all content of these devices including all the apps installed on the devices,” says Tanuj Gulati, chief technology officer for the Los Angeles-based provider of security intelligence solutions. 

While the infosec industry and enterprise IT managers debate how to deploy the iPhone 6’s cryptographic upgrades and iOS 8’s security advances, leading retailers, banks and credit card companies are embracing Apple Pay, an iPhone mobile wallet that combines near-field communications (NFC) technology with data tokenization, which replaces credit card information with tokens that are useless to hackers.


While promoted by Apple CEO Tim Cook as a way to make consumer purchases easier, Apple Pay may be more attractive to retailers like Target, Home Depot and others that have been hammered by massive breaches of credit card data over the past few years. That’s owing to the system’s use of tokens, which promises to greatly reduce the risk of having credit card data pilfered through malware attacks at point-of-sale terminals.

“That by itself was a major step forward for mobile payments security,” says Randy Vanderhoof, executive director of the Smart Card Alliance, a nonprofit industry association. By keeping security in the iPhone, using tokens and using Touch ID for purchases, Apple Pay has “three levels of authentication versus everyone else dealing with one or two,” he says.

Apple Pay also gives a fillip to industry players who’ve been advocating for years that tokenization is the best way to protect consumer information. “What Apple is validating is a fundamental thesis that the idea of credit card data and other personally identifiable information being handed over [at the point of sale] is careless and frivolous and needs to stop,” says Suni Munshani, CEO of Protegrity, the Connecticut-based developer of tokenization and encryption solutions. With EMV-technology credit cards embedded with microchips set to roll out over the next few years, merchants already obliged to upgrade point-of-sale terminals are likely to deploy tokenization in any case. The EMV rollout and the launch of Apple Pay will be “hugely complementary,” Munshani says.

Another plus for Apple Pay is that it reduces the scope of compliance with the Payment Card Industry Data Security Standard (PCI DSS) – a payment card standard created by industry players, says Avivah Litan, VP and distinguished analyst at Gartner. Because credit card data will be tokenized, many of the requirements of PCI DSS will be moot.
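The tokenization model described above, both where the article introduces Apple Pay and here in the PCI DSS scope discussion, as an added example that is not part of the original article and is not Apple’s, Protegrity’s or any card network’s actual token service: a minimal vault-based tokenizer in Python. It assumes a scheme in which the card number (PAN) is held only inside the vault, each token is random apart from the last four digits, and tokens are bound to a domain (a merchant id). The class and function names, the domain labels and the two test card numbers are constructed for this illustration.

```python
import hashlib
import secrets


def luhn_valid(number: str) -> bool:
    """Return True if `number` passes the Luhn check used by payment card PANs."""
    if not number.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(pan: str) -> str:
    """Receipt-style masking: first six and last four digits only."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


class TokenVault:
    """Constructed illustration of a token vault, not any real payment network's service.

    The token -> PAN mapping exists only inside the vault, so a token captured
    from a merchant's POS logs or network cannot be turned back into a card
    number. Tokens are also bound to a domain (here a merchant id), so a token
    stolen from one merchant is rejected when presented under another.
    """

    def __init__(self) -> None:
        self._by_token: dict[str, tuple[str, str]] = {}   # token -> (pan, domain)
        self._by_pan: dict[tuple[str, str], str] = {}     # (pan digest, domain) -> token
        # A production vault would hold PANs encrypted under HSM-managed keys;
        # the in-memory dict keeps this example self-contained.

    @staticmethod
    def _pan_key(pan: str, domain: str) -> tuple[str, str]:
        # Index by a digest so the lookup table never carries the PAN itself.
        return hashlib.sha256(pan.encode()).hexdigest(), domain

    @staticmethod
    def _random_token(pan: str) -> str:
        # Format-preserving: same length as the PAN, random leading digits,
        # last four kept so receipts can still show "ending in 1111".
        leading = "".join(str(secrets.randbelow(10)) for _ in range(len(pan) - 4))
        return leading + pan[-4:]

    def tokenize(self, pan: str, domain: str) -> str:
        """Issue (or re-use) the token for this PAN within one domain."""
        if not luhn_valid(pan):
            raise ValueError("not a well-formed PAN")
        key = self._pan_key(pan, domain)
        if key in self._by_pan:               # same card, same merchant -> same token
            return self._by_pan[key]
        while True:
            token = self._random_token(pan)
            if token != pan and token not in self._by_token:
                break
        self._by_token[token] = (pan, domain)
        self._by_pan[key] = token
        return token

    def detokenize(self, token: str, domain: str) -> str:
        """Only the vault operator (network or issuer side) can map a token back."""
        entry = self._by_token.get(token)
        if entry is None or entry[1] != domain:
            raise LookupError("unknown token or wrong domain")
        return entry[0]


def merchant_record(vault: TokenVault, pan: str, merchant: str) -> dict:
    """What a merchant's database holds after tokenization: a token and a masked
    display string, never the PAN, which is what takes that store out of PCI DSS scope."""
    token = vault.tokenize(pan, merchant)
    return {"token": token, "display": mask(pan)}


if __name__ == "__main__":
    vault = TokenVault()
    # Constructed sample: a well-known Luhn-valid test card number.
    print(merchant_record(vault, "4111111111111111", "merchant-A"))
```

The domain check is the part worth noticing: a token copied out of one merchant’s systems returns a lookup error when presented under another merchant, so the breached data is worthless to the thief as well as to the merchant’s other systems. Real EMV payment tokenization adds a per-transaction cryptogram on top of this static mapping; the example covers only the vault and domain-restriction half of the design.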

Moreover, Apple Pay will be a boon to the credit card companies MasterCard and Visa, which apparently convinced Apple to implement precisely the same type of tokenization technology that will be used in the EMV cards, Litan says. Thus the new terminals built to read EMV cards will have NFC capabilities that will allow users to pay with an iPhone instead.

The two credit card giants are trying to keep their virtual monopoly on the payment network, Litan says. “Apple needed a mobile payment story,” she says. “The company thought it needed the banks on its side. It was a smart move on Apple’s part. It was probably the best move they could make.”