Deployment of iPads: Lessons from the Trenches

Jim Horwath
March 2012
GIAC GSE, GCUX, GCIA, GCIH, GREM, GSEC, GSIP
SANS Technology Institute - Candidate for Master of Science Degree

Objective
• Overview of the iPad and the effect it will have on business
• Security risks of bringing a consumer-oriented device such as an iPad into a corporate environment
• Security and lack of controls on an iPad - what you need to know
• Operational costs and headaches associated with deploying iPads to users
• The management nightmare of deploying iPads - patching, securing, keeping users safe from themselves
• This is NOT an explanation concerning iPad forensics

The iPad Storm
• Apple’s incredible sales numbers and market penetration
• Time magazine named the iPad one of the 50 best inventions of 2010
• Medical, legal, and sales staff were early adopters of iPads
• Apple’s App Store imposes censorship of content, causing issues with books and magazines
• Closed system – but still more applications available for iOS than for Android
• No support for Flash

Consumer Device – Security an Afterthought
• Penetration into Fortune 100 companies and other businesses made iPads THE status symbol
• Executives see convenience, increased productivity, and freedom
• Status symbol cost - this addictive appeal has a cost to it – device + monthly fees
• Default configuration has few security controls, e.g. no password
• Consumers want ease – especially younger users
• Closed platform - not much security information available
• No anti-virus or malware controls

Policy Is Your Friend
• Policy will become your best friend – develop early and involve the right people
• Acceptable Use Policy (AUP)
• Change Management
• Device is meant for employee use only – not spouse, children or relatives
• Security Awareness
• Make users aware of common problems
• Shoulder surfing – gets worse with complex passcodes

Security Issues - Strengths
• Hardware encryption uses AES 256-bit encryption
• APIs with the ability to lock down access
• Controlled environment with non-jailbroken devices
• Applications receive a sandbox and are separate from each other
• API provides a method for device lock/unlock/password reset/wipe
• Implementation and engineering are a guarded IP secret
• Cellular communications are harder (but not impossible) to capture
• Need to test security controls very thoroughly and keep notes regarding the test results

Security Issues - Challenges
• Limited number of configurable items
• There are items the user can change and there is no GPO-like facility to reinforce settings
• No logging or event-log-like facility
• Implementation and engineering are a guarded IP secret
• Bluecoat K9 can be used as a web proxy – but the user can choose not to use it – you have to use a 3rd party product to enforce it
• Companies lose control of data – Dropbox, Google Docs, iCloud
• Alphanumeric credentials anywhere on the device echo characters as you type them
• No warning or acceptable banner, network connectivity is always on

Infrastructure Issues
• Where do employees sync devices?
• Is your corporate infrastructure ready for iTunes (packaging, updates, etc.)?
• If iPad users sync to corporate assets, is your storage and backup environment ready?
• Is there a business requirement to access internal resources - for example, Citrix for applications?
• Can devices connect internally to wireless infrastructure – how do you control it?
• Data leaves daily with employees and their iPads

Operational Challenges
• Keeping iOS current – no mass distribution method
• iOS 5.0 does allow software updates outside of iTunes
• Apple provides a low-cost configuration utility, the iPhone Configuration Utility (ICU)
• Mobile Device Management (MDM) software is young
• Creation of a “Gold Image” is difficult
• iTunes and corporate acceptance
• Backing up devices onto personal employee assets – who owns the data?
• On corporate-owned assets, does your infrastructure allow for the additional overhead of iTunes and backups?

More Operational Challenges
• Blocking pop-ups - users cannot change it – blocking pop-ups can stop things like SANS OnDemand from working
• Some terms are very confusing: “Auto-Lock” and “GracePeriod”
• How do you handle provisioning – corporate vs. personal devices?
• What happens after employee separation? Companies cannot verify
• License cost of software is unknown (productivity software, for example)
• Decreases productivity for some workers
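
The Auto-Lock versus grace period confusion noted above, as an added example that is not part of the original slides: in the passcode payload of an iOS configuration profile (the kind of file the iPhone Configuration Utility or an MDM product produces), Auto-Lock is the `maxInactivity` key and the grace period is `maxGracePeriod`, both in minutes, and the two add up. This Python check reads a profile and reports that combined window along with other weak passcode settings; the sample profile and the thresholds are constructed assumptions.

```python
import plistlib

# Constructed sample profile (not from the slides): a passcode payload in the
# XML plist form used by .mobileconfig files.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadContent</key><array><dict>
    <key>PayloadType</key><string>com.apple.mobiledevice.passwordpolicy</string>
    <key>forcePIN</key><true/>
    <key>allowSimple</key><true/>
    <key>minLength</key><integer>4</integer>
    <key>maxInactivity</key><integer>15</integer>
    <key>maxGracePeriod</key><integer>60</integer>
  </dict></array>
</dict></plist>"""

PASSCODE_TYPE = "com.apple.mobiledevice.passwordpolicy"

def audit_passcode_policy(profile_bytes, max_exposure_min=10, min_length=6):
    """Return findings for a profile's passcode payload (thresholds are assumptions)."""
    profile = plistlib.loads(profile_bytes)
    payloads = [p for p in profile.get("PayloadContent", [])
                if p.get("PayloadType") == PASSCODE_TYPE]
    if not payloads:
        return ["no passcode payload: device keeps its default (no passcode required)"]
    findings = []
    for p in payloads:
        if not p.get("forcePIN", False):
            findings.append("forcePIN is off: user is not required to set a passcode")
        if p.get("allowSimple", True):
            findings.append("allowSimple is on: repeating/sequential passcodes accepted")
        if p.get("minLength", 0) < min_length:
            findings.append(f"minLength {p.get('minLength', 0)} is below {min_length}")
        lock = p.get("maxInactivity")       # Auto-Lock: idle minutes before the device locks
        grace = p.get("maxGracePeriod", 0)  # minutes after locking with no passcode prompt
        if lock is None:
            findings.append("maxInactivity unset: Auto-Lock interval is left to the user")
        elif lock + grace > max_exposure_min:
            findings.append(f"unattended device opens without a passcode for up to "
                            f"{lock + grace} min (Auto-Lock {lock} + grace {grace})")
    return findings

if __name__ == "__main__":
    for line in audit_passcode_policy(SAMPLE_PROFILE):
        print("FINDING:", line)
```

Keeping the findings for each profile version alongside the results of testing on a real device gives the test notes the Strengths slide asks for.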

Hello Help Desk...
• Users are scary
• Problems range from the common to the bizarre
• Calling for device setup – most common
• Documentation of common problems should be available to users
• Added cost to train help desk staff on iPad triage
• Younger help desk staff are better than older staff due to familiarity with the technology
• “Mail stopped and I need it now” – the higher up the food chain, the more demanding the user

Enterprise Management of iPads
• Apple provides iPhone Configuration Utility (ICU) – good for just a few devices and proofs of concept
• Mobile Device Management (MDM) products are young and lack maturity
• Some examples: McAfee, Sybase, Good, AirWatch, BoxTone
• Microsoft ActiveSync will allow any device with a valid user name and password to connect
• Lotus Notes requires granting access to Lotus Traveler
• How does this integrate into your authentication source: LDAP/AD/Domino LDAP/Token?
• Do your homework!

Mobile Device Management (MDM) Software
• Policy, awareness, education and AUP are critical
• Managing a fleet of iPads requires management software
• MDM marketplace is emerging and not mature
• Employees – especially executives – quickly become “addicted” to an iPad; stability is a key issue
• Apple’s closed platform limits what vendors can do – most vendors do the same thing
• Managed service versus in-house versus hybrid

MDM Lessons
• Survey says e-mail and calendaring are the most important applications to an executive
• Be careful with demonstrations
• Negotiations - be prepared for push-back on policies from executives – they want convenience and not necessarily security
• Field communication is critical – leverage company communications and the change management process
• Implement a test environment that is similar to production
• Be careful of firewall rules if using an in-house managed product
• Be very careful with destruction capabilities – a mistake can be career ending

Summary
• Mobile computing is here to stay – learn it, embrace it, and control it the best you can
• Mobile computing can give your firm a competitive advantage
• Develop policy based on business need and use cases
• Continual user education and awareness will go a long way
• Invest in MDM software to manage devices
• Avoid being an early adopter