Deployment of iPads Lessons from the Trenches

Jim Horwath March 2012

GIAC GSE, GCUX, GCIA, GCIH, GREM, GSEC, GSIP

SANS Technology Institute - Candidate for Master of Science Degree

Objective

Overview of the iPad and the effect it will have on business Security risks of bringing a consumer oriented device such as an iPad into a corporate environment Security and lack of controls on an iPad - what you need to know Operational costs and headaches associated with deploying iPads to users The management nightmare of deploying iPad patching, securing, keeping users safe from themselves This is NOT an explanation concerning iPad forensics 2

SANS Technology Institute - Candidate for Master of Science Degree

The iPad Storm

Apples incredible sales numbers and market penetration Time magazine gave the iPad one of the 50 best inventions of 2010 Medical, legal, and sales staff were early adopters of iPads Apples App Store imposes censorship of content causing issues with books and magazines Closed system but still more applications available for iOS than Androids

No support for flash

SANS Technology Institute - Candidate for Master of Science Degree

Consumer Device Security an Afterthought

Penetration into Fortune 100 companies and other businesses made iPads THE status symbol
Executives see convenience, increased productivity, and freedom Status symbol cost - This addictive appeal has a cost to it device + monthly fees Default configuration has few security controls e.g. No password Consumers want ease especially younger users

Closed platform - not too much security information available

No anti-virus or malware controls

SANS Technology Institute - Candidate for Master of Science Degree

Policy Is Your Friend

Policy will become your best friend develop early and involve the right people
Acceptable Use Policy (AUP) Change Management

Device is meant for employee use only not spouse, children or relatives
Security Awareness Make users aware of common problems

Shoulder surfing gets worse with complex passcodes

SANS Technology Institute - Candidate for Master of Science Degree

Security Issues - Strengths

Hardware encryption uses AES 256-bit encryption

APIs with the ability to lock-down access Controlled environment with non-jailbroken devices Applications receive a sandbox and are separate from each other

API provides a method for device lock/unlock/password reset/wipe

Implementation and engineering guarded IP secret Cellular communications harder (but not impossible) to capture Need to test security controls very thoroughly and keep notes regarding the test results

SANS Technology Institute - Candidate for Master of Science Degree

SANS Technology Institute - Candidate for Master of Science Degree

Security Issues - Challenges

Limited number of configurable items There are items the user can change and there is no GPO-like facility to reinforce settings No logging or event log like facility Implementation and engineering guarded IP secret Bluecoat K9 to use as a WEB proxy but user can choose not to use it you have to use a 3rd party product to enforce it Companies lose control of data dropbox, Google docs, iCloud Alphanumeric credentials anywhere on the device echo characters as you type them No warning or acceptable banner, network connectivity is always on
8

SANS Technology Institute - Candidate for Master of Science Degree

SANS Technology Institute - Candidate for Master of Science Degree

Infrastructure Issues

Where do employees sync devices

Is your corporate infrastructure ready for iTunes (packaging, updates, etc.) If iPad users sync to corporate assets, is your storage and backup environment ready Is there a business requirement to access internal resources example Citrix for applications Can devices connect internally to wireless infrastructure how do you control it Data leaves daily with employees and their iPads

SANS Technology Institute - Candidate for Master of Science Degree

10

Operational Challenges

Keeping iOS current no mass distribution method iOS 5.0 does allow software updates outside of iTunes Apple provides a low-cost configuration utility iPhone Configuration Utility (ICU)

Mobile Device Management (MDM) software is young

Creation of a Gold Image is difficult iTunes and corporate acceptance Backing up devices onto personal employee assets who owns the data On corporate owned assets does your infrastructure allow for the additional overhead of iTunes and backups
11

SANS Technology Institute - Candidate for Master of Science Degree

More Operational Challenges

Blocking pop-ups -- users cannot change it blocking pop-ups can stop things like SANS OnDemand from working Very confusing with some terms: Auto-Lock and GracePeriod

How do you handle provisioning corporate vs. personal devices

What happens after employee separation, companies cannot verify License cost of software is unknown (productivity software for example) Decreases productivity for some workers
12

SANS Technology Institute - Candidate for Master of Science Degree

Hello Help Desk...

Users are scary Problems range from common to the bizarre Calling for device setup most common Documentation of common problems should be available to users Added cost to train help desk staff on iPad triage Younger help desk staff are better than older staff due to familiarity of the technology Mail stopped and I need it now the higher up the food chain the more demanding the user

SANS Technology Institute - Candidate for Master of Science Degree

13

Enterprise Management of iPads

Apple provides iPhone Configuration Utility (ICU) good for just a few devices and proof of concepts
Mobile Device Management (MDM) products are young and lack maturity Some examples: McAfee, Sybase, Good, AirWatch, BoxTone Microsoft Active Sync will allow any device with a valid user name and password to connect Lotus Notes requires granting access to Lotus traveler

How does this integrate into your authentication source LDAP/AD/Domino LDAP/Token
Do your homework!
14

SANS Technology Institute - Candidate for Master of Science Degree

Mobile Device Management (MDM) Software

Policy, awareness, education and AUP are critical Managing a fleet of iPads requires management software MDM market place is emerging and not mature Employees especially executives - quickly become addicted to an iPad, stability is a key issue Apples closed platform limits what vendors can do most vendors do the same thing Managed service versus in-house, versus hybrid Managing a fleet of iPads requires management software

SANS Technology Institute - Candidate for Master of Science Degree

15

MDM Lessons

Survey says e-mail and calendaring are the most important applications to an executive Be careful with demonstrations Negotiations - be prepared for push-back on policies from executive they want convenience and not necessarily security Field communications is critical leverage company communications and change management process Implement a test environment that is similar to production Be careful of firewall rules if using an in-house managed product Be very careful with destruction capabilities a mistake can be career ending
16

SANS Technology Institute - Candidate for Master of Science Degree

SANS Technology Institute - Candidate for Master of Science Degree

Summary

Mobile computing is here to stay learn it, embrace it, and control it the best you can Mobile computing can give your firm a competitive advantage

Develop policy based on business need and use cases

Continual user education and awareness will go a long way Invest in MDM software to manage devices Avoid being an early adopter

SANS Technology Institute - Candidate for Master of Science Degree

18