Apple recently announced a new record: users have downloaded two billion applications from the App Store, half a billion of them in the last quarter alone. The numbers are impressive, and there is no end in sight.
Apple says that 50 million devices can run App Store applications: 30 million iPhones and 20 million iPod touch units. The App Store currently offers 85,000 applications. I expect that number to grow dramatically now that Apple has made its latest development platform available to registered developers.
All this is good news, right? Let's look at the device. What do iPhone users use it for? Everything. With voice, video and data converging on one device, users store contact lists, personal documents and e-mail on it, and that is just the start. What about the users who keep client lists, personal information, intellectual property and work e-mail on it? This device has a big red bullseye on it that says, "hack me and I'll bleed information."
Many enterprises are nervous about deploying the iPhone because of bugs and glitches; just last month Apple released 10 patches for it. This device is a security professional's nightmare. However, I am a true believer in enabling business, and I think the iPhone, used properly, can be a business enabler. So what can we do?
I recommend treating this device like any PC in the enterprise. You would not let users download any application they wanted onto their desktop, so the device should go through the same process as a new application for the desktop or the server farm: a development and test environment where the business, support, infrastructure, application and security staff can test each application thoroughly and understand its impact on the device and on the data before the end user gets it.
Now, how do we handle users who bring their own devices rather than company-owned hardware? Depending on the situation, I offer the following options:
- Let them use their own device and applications, but deploy Data Loss Prevention (DLP) software and limit which assets the user can access and download.
- Make it voluntary. If employees want to use their own phone, they have the option of running only applications that the company approves; in return, they get access to more of the network. The approved list would have to be decent-sized to make the trade worthwhile.
- If it is a company-owned device, you have complete control over what users download and access. Again, keep the available application list decent-sized, or you will find yourself impeding business.
As I have said many times in the past, and will probably say many times in the future, the user is the weakest link in the security chain. It is far too easy for users to download applications onto an iPhone. We do not want to impede business, so let's help users get what they need to do their jobs, and protect the assets we need to protect, through a defined testing process. That is a win-win for everyone.