iPhone Security Debate Begs Bigger Consumer Device Question

Carl Weinschenk

This Computerworld story rings some pretty alarming security bells over the imminent release of the iPhone. The Apple device will be hot -- very hot -- which will make it very attractive to the dark side. People will bring it into the enterprise, which is worrisome since little information on security has been released by Apple. Finally, the iPhone runs the Mac OS X, so it may be vulnerable to malware that already exists for that platform.


Well, never mind, apparently. Others quoted in the piece make a persuasive case that the potential problems are not dire and that the iPhone doesn't necessarily pose a significant risk. Applications will be delivered over the Safari browser. The absence of a software developers kit (SDK), experts say, makes mischief much less likely. It is fair to point out, however, as this Security Pro News writer does, that using a browser as a conduit for applications doesn't eliminate all the danger. Indeed, a bunch of vulnerabilities to Safari recently were patched by Apple.


We will see what happens soon enough, since the iPhone is slated for release Friday. The issues of whether this phone poses no security threat, whether its arrival signals a crisis of massive proportions, or if the reality rests somewhere in between -- which of course is likely -- bring up something that is important for security staffs to keep in mind: Consumer gear invariably is used at work, and in most cases there isn't much the organization can do to stop it.


The best approach is to work with end users as new technology is introduced. In that way, at least the company has an inkling of what is living on its network. The most obvious example of what can happen is the case of rogue access points (APs), unauthorized wireless local area network (WLAN) hot spots that are set up by users. They generally are established for positive reasons, such as creating a sub network among a group of employees who sit near each other and work together closely. But if the IT department doesn't know about the network -- and if a consumer-grade AP is used -- it is a recipe for trouble.


IT must work with other departments to ensure that such unauthorized activities are kept to a minimum. To be sure, technical solutions can root out some unauthorized activities. That's good, but shouldn't be the main thrust of the organization's strategy. The IT department should work with human resources, senior management and other departments to create strong, comprehensive policies. More importantly, the policies should be enforced. The good news is that most folks will cooperate once they understand why it's important to track unauthorized gear.

Add Comment      Leave a comment on this blog post
Jul 3, 2007 3:08 AM Jeannette Rodkey Jeannette Rodkey  says:
Thank you for your perspective on this new technology. You're right on about the security issue here and your insight on taking IT security to a higher level than using only technology to protect enterprise networks. Until IT engages with the user community as an advocate partner, functioning to advise and guide their customers in best-business practices, security, and wading through new technology "hype", very little will be accomplished in stemming the tide of user-drivin technology pushes. And, (non-IT) business leaders need to embrace their IT organization and learn to think of them as more than a simple break/fix component. In order for a business to truly see ROI in their IT investments, they need to bring them to the table and together determine what is best for the company and agree on how to implement technology in a tested and controlled manner.JR Reply
Jul 10, 2007 8:54 AM Frank Lazar Frank Lazar  says:
I like this line "Finally, the iPhone runs the Mac OS X, so it may be vulnerable to malware that already exists for that platform." as if somehow Mac OSX had overnight mysteriously became the virus-ridden nightmare that all current and past incarnations of Windows have been. The most serious piece of virus, the only one described in the followup is an OpenOffice worm. The piece is accurate technically but the tone of presentation is classic FUD. Even the Safari update mentioned addresses more of a Windows update as there is no webkit handle to crank on OS X or the iPhone.Is the iPhone invulnerable, no. Are there potential risks? Of course but those risks should be presented in proper perspective. Reply

Post a comment





(Maximum characters: 1200). You have 1200 characters left.




Subscribe to our Newsletters

Sign up now and get the best business technology insights direct to your inbox.