Securing Tablet Devices in the Enterprise
IT Security Managers are being Faced with a New Set of Challenges with the Rapid Adoption and Deployment of Tablet Devices in the Enterprise
If the recent Consumer Electronics Show in Las Vegas taught us anything, it’s that 2011 is poised to become the year of the tablet computer. Apple’s iPad, expected to sell approximately 20 million units this year, primed the market when it launched almost a year ago. Consumers are excited about the stylish new touch-screen gadgets, so it’s not a surprise that many other major manufacturers now also want a piece of the market, with CES seeing the launch of tablets from the likes of Dell, Research in Motion, LG, Motorola and others.
Far from dismissing iPads as little more than consumer toys, some businesses have been quick to seize on the versatility of the form factor for carrying out important tasks while on the move or around a meeting table. It’s a fact that tablets are already in the enterprise, and in significant volume that will only grow over the coming years. More than a quarter of all tablets sold this year will be bought by enterprises, according to recent research from Deloitte. It’s all part of the trend of what some call “user-driven IT,” where more and more enterprise technology procurement decisions are influenced by the tastes and self-defined needs of users, instead of coming exclusively from the IT department. Uptake of tablet use in enterprises will likely also increase as more vendors such as RIM, which have been historically perceived as more business friendly, bring tablets to market.
Unique Security Challenges for Tablets
Like laptops, cell phones and smart phones before them, tablets are set to become the must-have mobile business productivity tool for information workers within many enterprises. And like any new technology that enters the enterprise, the tablet will bring with it its own set of security challenges. History has proven, for example, that malicious hackers and malware creators will attempt to target any new platform that gains broad adoption. The threat level for tablets today is still low, but that could change quickly. While anti-virus vendors will no doubt all soon support tablet platforms, the amount of malware targeting those devices today is so low that many enterprises will decide that installing such protection is not worth the performance hit the software can cause.
But malware is not the primary security concern for tablet-friendly enterprises. While not quite as powerful as today’s business PC, tablets typically have better capabilities than their hand-held cousins, making them more likely to be used to store and process potentially sensitive corporate data. Just as the loss or theft of smart phones and laptops can cause embarrassing and costly data leakage, tablets harbor the potential for being the quickest route for sensitive information to leave the controlled environment behind the enterprise network’s border.
The concept of an enterprise network having a perimeter has already been fuzzy for many years. The rise of Wi-Fi, steady adoption of hosted applications, an increasingly mobile workforce and telecommuting are all trends that have contributed to the blurring of the network’s edges. Dropping a few firewall/VPN boxes into the IT closet long ago ceased to be an effective security strategy. Enterprise adoption of the tablet, along with parallel trends such as the rise of cloud computing for critical applications, will only exacerbate this potential IT headache. With these shifts in technology, the security focus shifts from building up perimeter defenses to securing data, at rest and in transit, and the applications themselves. Data security is especially important in regulated industries such as financial services and healthcare; any such organization that has not already factored tablets into its compliance plans should do so immediately.
Securing Data Stored on Tablets
The most obvious way to secure the data stored on a tablet is to secure the device itself with strong access control and cryptography. Tablets used in the enterprise should be password-locked to reduce the risk of a lost or stolen device equating to lost or stolen data. To prevent opportunistic data theft, strong passwords should be enforced through policy and configuration (for example, via LDAP, where supported), password attempts should be limited, and suitable log-in time-out periods should be activated. In addition, enterprises should investigate tools to enable devices to be remotely or locally wiped in the event that they fall into the wrong hands. Administrators should ensure that all confidential data stored on tablets is subject to encryption as strong as their corporate policy or regulatory environment dictates.
One of the primary appeals of tablet computers, and of the smart phones they evolved from, is the thousands of applications available to consumers. The tablet user experience is such that users in many cases will be more likely to install new third-party applications on their devices than they would on their desktop computers or laptops. Enterprises may find that a white-listing regime, under which only authorized apps are permitted to be installed and used, is the most appropriate method of mitigating data leakage via rogue apps. However, administrators could at first find that, depending on platform, currently available tools may not enable policies as granular as those they have become accustomed to in the PC world, and crude measures such as blocking all installations may not be compatible with a friendly and productive user experience.
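The controls in this section (password strength, attempt limits, lock time-outs, remote wipe, encryption and an app white-list) can be checked against a device inventory. The following is an added example, not part of the original article: the field names, thresholds, app names and inventory records are all constructed assumptions, not any vendor's management API.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Baseline:
    # Assumed thresholds; the article states no numbers.
    min_passcode_length: int = 8
    max_failed_attempts: int = 10      # attempts allowed before lock-out or wipe
    max_idle_lock_minutes: int = 5
    allowed_apps: frozenset = frozenset({"mail", "calendar", "crm", "vpn"})

def audit_device(device: dict, policy: Baseline = Baseline()) -> list:
    """Return findings for one device; an empty list means it meets the baseline."""
    findings = []

    def need(key):
        # A setting the platform's tooling cannot report is a finding, not a pass.
        value = device.get(key)
        if value is None:
            findings.append(f"{key}: not reported")
        return value

    length = need("passcode_length")
    if length is not None and length < policy.min_passcode_length:
        findings.append(f"passcode_length: {length} < {policy.min_passcode_length}")
    attempts = need("max_failed_attempts")
    # 0 is treated as "unlimited attempts", which defeats the limit.
    if attempts is not None and not 0 < attempts <= policy.max_failed_attempts:
        findings.append(f"max_failed_attempts: {attempts} outside 1..{policy.max_failed_attempts}")
    idle = need("idle_lock_minutes")
    if idle is not None and not 0 < idle <= policy.max_idle_lock_minutes:
        findings.append(f"idle_lock_minutes: {idle} outside 1..{policy.max_idle_lock_minutes}")
    for flag in ("storage_encrypted", "remote_wipe_enrolled"):
        if need(flag) is False:
            findings.append(f"{flag}: disabled")
    apps = need("installed_apps")
    if apps is not None:
        rogue = sorted(set(apps) - policy.allowed_apps)
        if rogue:
            findings.append("installed_apps: not on white-list: " + ", ".join(rogue))
    return findings

# Constructed sample inventory (not real devices).
INVENTORY = [
    {"id": "tab-001", "passcode_length": 10, "max_failed_attempts": 6, "idle_lock_minutes": 3,
     "storage_encrypted": True, "remote_wipe_enrolled": True, "installed_apps": ["mail", "crm"]},
    {"id": "tab-002", "passcode_length": 4, "max_failed_attempts": 0, "idle_lock_minutes": 15,
     "storage_encrypted": True, "remote_wipe_enrolled": False,
     "installed_apps": ["mail", "free-flashlight"]},
    {"id": "tab-003", "passcode_length": 8, "installed_apps": []},  # platform reports little
]

if __name__ == "__main__":
    for dev in INVENTORY:
        print(dev["id"], audit_device(dev) or "compliant")
```

Treating an unreported setting as a finding matters on platforms where the available tools expose fewer policy details than PC management does.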
These are all issues that security managers will be increasingly forced to consider as tablets begin to creep into their enterprises. Make no mistake, users want tablet PCs. The form factor is here to stay. The sooner security professionals accept this fact and adapt their policies accordingly, the less likely they are to face the fallout of a costly data breach.