Don't deploy iPads in the enterprise without considering these security measures.
1. Encrypt, encrypt, encrypt. There are two parts to the data encryption challenge - encrypting stored data, and encrypting data that's moving over public networks, says security expert Brian Reed, vice president of products at mobile security vendor BoxTone. SSL encryption on the iPad is a fast and convenient way to protect data in motion. "With data at rest, you want to ensure that the data is encrypted and protected, but you also want to be able to remotely wipe it if possible," he adds.
2. Centralize management. Apple's iOS 4 allows iPads to be managed centrally. Companies can set security policies, lock down or wipe lost or stolen devices, and even create their own app catalogs, Reed says. Stories about how Apple devices don't play well with corporate IT departments date back a year, he adds. "What we're seeing now, and the reason why this is heating up, is that management capabilities are built into iOS," he says. "We're seeing the floodgates open to the iPad in the enterprise."
3. Isolate personal and company data. Since the iPad is a consumer-friendly device, many users are going to want to use it for personal e-mail, reading, online shopping, or playing games. This could be a problem in some regulated industries, such as the medical and financial sectors, where sensitive financial data or medical records must be kept isolated. To keep regulators happy, employees can carry two devices - one for work, and one for personal use. Or they can logically isolate the corporate environment from the personal environment on the same device, Reed says. This would allow employees to bring their personal devices to work. When employees leave the company, just the corporate environment would be deleted. "With an employee-owned iPad, I can do a selective wipe and leave all the personal data in place - the personal iTunes account and Angry Birds," Reed says.
4. Route e-mails through company servers. Out of the box, the iPad is designed to work with personal e-mail services, but it can also be configured to work just with corporate e-mail systems - or to have access to both on the same device. "The nice thing is that you can force all e-mails to be routed through your server and you will already have compliance and archiving on that e-mail server," Reed says.
5. Authentication and authorization. Companies are used to having a second authentication factor on desktops and laptops - digital certificates, one-time passcodes, smart card readers. "But on a mobile device, it's often just a login with your ID and password," says Jeff Kalwerisky, Chief Security Evangelist for Alpha Software. However, many two-factor systems can work on the iPad as well, he adds. These include one-time passwords from RSA or VeriSign devices, or confirmation messages to a separate cell phone. "The cell phone is a very clever second factor," Kalwerisky says. "If someone stole your iPad but didn't have your cell phone, they wouldn't be able to log in. And it's a cell phone - everybody has got one."