If IT departments had their way, most of us would still not be using our iPads to connect to anything business related. But fortunately, IT departments don’t call all the shots (and yes, this is being written by an IT guy). It’s tough to say “No” when the CEO comes to work with his newest iPad2 Father’s Day gift and says “Make this work!”
But don’t make the mistake of assuming that just because the iPad isn’t a typical computer, it isn’t a security risk. The iPad, and it’s Android and Blackberry kin, are all very much computers. They store both your private and business information. They store your emails messages, server information, passwords, contact lists, browser history, cookies, and so on.
iPads in particular make IT departments nervous because there’s no separation between private and business data. And there’s no control over what applications a user can install. The information saved your iPad is a complete copy of your digital data and it’s a gateway to any system it access information from, including your email and corporate network. And as such, it’s a risk and it’s vulnerable and it needs to be protected.
Here are some steps you should take to properly protect
the data on yore iPad
1. Implement a Passcode Lock
This is the most common technique and provides a basic level of security. Go to Settings -> General -> Passcode Lock to create a four digit code that will be required to turn on and wake up the device. You can set the idle time interval (the shorter, the more secure). The option to wipe the device if an incorrect code is entered 10 times should also be set. This will prevent someone from trying to guess your passcode with brute force.
2. Turn on FindMyiPad
What happens when you leave that brand new iPad in a taxi or at a restaurant? As long as you’ve activated the “Find My iPad” feature of Apple’s MobileMe service, you’ll be ok. Simply sign on to your MobileMe account and from there you can remotely lock the iPad (which shouldn’t be necessary if you followed step 1), have it play a sound (in case it’s somewhere nearby and not actually lost) and change the screen to a message of your choice (“Please call my owner at 555-555-5555″). And in case it doesn’t find it’s way home, you can remotely wipe all the data.
3. Sync Often
This isn’t so much security as it is a best usage practice. Every time you sync your iPad, it’s backup up to your computer. If it is ever lost or you have to wipe all the settings and data, you be able to restore everything you erased.
4. Continuously refresh policies
Policies define the settings in effect. They can be pushed to the iPAd in two ways. If the device is connected to Microsoft Exchange Server, the policies are pushed over the air to the iPad without any interaction by the user. The IT administrator can control what is in the policy as well as how often the policy is updated on the iPad.
Policies can also be distributed as part of a configuration profile (see below). The iPad should be set up with a profile that has been created and tested by the IT advisor to include the necessary security policies. The profile should then be protected as described in the next point.
5. Protect the configuration profile
The profile is an XML file that contains security policies, WiFi information, email and server information, VPN settings, authorization credentials, etc. This is the heart of what really needs to be protected. The profile should be signed and encrypted, which ensures that it cannot be altered in any way. They must initially be installed via a USB or ActiveSync connection, but can subsequently be updated via email attachment or a website.
The profile should be locked to the device, which would require the device to be wiped to remove it.
6. Use only secure wireless connections
This applies not only to the iPad to to any device, including your laptop, which uses a wireless connection. The Wi-Fi network at the local Starbucks is not secure. It’s all to easy with inexpensive software and some basic knowledge to have your data compromised. When connecting via a non-secured Wi-Fi network, be sure to use a VPN connection to ensure you data is secure and encrypted. If you don’t have access to a corporate VPN, there are public services available.