Can Your iPhone Really Be Made Secure?

June 25, 2009 by ADMIN

Britt Womelsdorf, Principal Systems Consultant, Sybase iAnywhere


Anyone in the security field will tell you that information security is affected and addressed at multiple layers within a solution.

As part of the evaluation process for an enterprise business solution, particularly one that enables the transport of potentially sensitive data outside the corporate network, a risk analysis should be conducted.

For the value that it adds, does the product being considered provide adequate controls to protect the enterprise from exposure?

As you probably know, Sybase iAnywhere is the first (and currently only) provider of an encrypted email client in the form of Mobile Office. Check it out: you can download it from the App Store right now.

Providing client-side encryption presented us with a vast array of challenges which were no small feat to overcome.

So does that make the iPhone secure?

My answer? It depends on your perspective, but I believe so.

One aspect key to this evaluation is gaining an understanding of the “security boundary” of a solution. Where do the security controls for the product stop and start?

For Mobile Office on iPhone, security is implemented on three levels:

  1. Unknown/rogue devices are not permitted to receive emails until they are first registered by an administrator on the Mobile Office system. Once registered, the registration code cannot be used by a different device; in fact, it can’t even be re-used on the existing device.
  2. Data is transported to and from the device in a secure manner. There’s too much to go into here to provide much detail, but major features include a security-friendly firewall configuration, authenticated proxy servers and packet-level encryption (no WAP gap here!).
  3. Data in the Mobile Office sandbox is protected on multiple layers.
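
The single-use registration rule in item 1 can be sketched as a server-side gate. This is an added example, not Sybase's code: the `RegistrationService` class, its method names and the device identifiers are hypothetical, and the code and token formats are assumptions.

```python
import hashlib
import hmac
import secrets


class RegistrationService:
    """Hypothetical enrollment gate: admin-issued, single-use codes."""

    def __init__(self):
        self._pending = {}   # sha256(code) -> user the admin issued it for
        self._devices = {}   # device_id -> (user, sha256(device token))

    @staticmethod
    def _digest(value: str) -> str:
        return hashlib.sha256(value.encode()).hexdigest()

    def issue_code(self, user: str) -> str:
        """Administrator step: create a one-time code for a user."""
        code = secrets.token_urlsafe(9)
        self._pending[self._digest(code)] = user  # keep only the hash
        return code

    def register(self, code: str, device_id: str) -> str:
        """Device step: redeem the code once and get a device-bound token."""
        # pop() consumes the code, so a second attempt fails on any device,
        # including the one that redeemed it.
        user = self._pending.pop(self._digest(code), None)
        if user is None:
            raise PermissionError("unknown or already-used registration code")
        token = secrets.token_urlsafe(32)
        self._devices[device_id] = (user, self._digest(token))
        return token

    def may_receive_mail(self, device_id: str, token: str) -> bool:
        """Mail is released only to a registered device presenting its token."""
        entry = self._devices.get(device_id)
        if entry is None:
            return False  # unknown/rogue device
        return hmac.compare_digest(entry[1], self._digest(token))


if __name__ == "__main__":
    svc = RegistrationService()
    code = svc.issue_code("alice")            # constructed sample user
    token = svc.register(code, "device-A")    # constructed device id
    print(svc.may_receive_mail("device-A", token))   # registered device
    print(svc.may_receive_mail("device-B", token))   # unregistered device
```
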

Item 3 needs more detail and is key to our approach. What’s a sandbox? Seriously, no jokes folks!

Java programmers are certainly familiar with the sandbox paradigm, but basically it refers to the philosophy that an application may have full access only to its own resources, and that access to other application and system resources is restricted.

Hence, do what you want in your sandbox, but don’t try and get out.

Mobile Office protects its sandbox on multiple layers:

  1. Access to the sandbox (via the Mobile Office application) is protected via an application password.
  2. All data within the sandbox is encrypted (with the exception of Contacts, which are technically stored outside the sandbox).
  3. No data is allowed into or out of the sandbox unless it is delivered by the Mobile Office application. A prime example of this is attachments: they can’t get into the sandbox unless they are delivered by Mobile Office, and once delivered they cannot be saved outside the sandbox.
  4. The act of “wiping” the sandbox clears only the sandbox contents and doesn’t affect the rest of the device (the exception, again, is Contacts, which we DO wipe).

We believe that this design provides the best of all possible worlds and successfully walks the line of being able to provide enterprise security services to a device that is employee owned.

More than any other device I’ve seen in the industry, there is an almost feverish belief in a user’s mind that the device is “MINE!” whether they paid for it or not. In my mind it’s the most popular Prosumer device on the market presently.

Mobile Office allows the device to continue to be “MINE!”, but with the assurance that enterprise data is protected.

So yes, I do believe that within our security context, Mobile Office does make the iPhone secure: We keep rogue devices out, protect the data we send while it’s in transit and we protect it while it’s on the device.

What more could you want?

Britt Womelsdorf works for Sybase as a systems consultant. Britt enjoys a focus on wireless and mobile solutions for the enterprise customer, and is an expert on device management and security. Britt spends most of his time with Afaria customers and enjoys sharing tips and tricks, little known features in Afaria, and creative uses of the product.

Sybase iAnywhere, a subsidiary of Sybase, Inc. (NYSE:SY), enables success at the front lines of business. The company holds worldwide market leadership positions in mobile and embedded databases, mobile management and security, mobile email, mobile middleware and synchronization, and Bluetooth® and infrared protocol technologies. Sybase iAnywhere plays an important role in the Sybase Unwired Enterprise strategy, which focuses on managing and mobilizing information from the data center to the point of action. Tens of millions of mobile devices and over 20,000 customers and partners rely on the company’s “Always Available” technologies, including Sybase Unwired Platform, SQL Anywhere, Afaria and iAnywhere Mobile Office.

*   *   *

The Publisher gives permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author and to Information-Security-Resources.com


Filed under: Breach, Britt Womelsdorf, D&O Liability, FEATURE ARTICLE, Financial, Insider Threat, Sarbanes-Oxley, Sybase, Uncategorized, hackers, identity-theft, malware, privacy 
