The Apple iPad & Safeguards Against The Associated Risks
Posted 5th August 2010 by Jagvinder Kang, Director
With the iPad having launched in the UK, and set to generate the same euphoria that it has already achieved in the USA, it is important for organisations not to lose sight of key security, legal and practical safeguards.
The portability of the iPad is both a strength of the device and a factor which gives rise to the risk of theft or loss of the device. There are certain minimum safeguards that businesses should therefore consider.
This edition of the Technology Column therefore considers certain of these risks and possible safeguards.
The risks associated with theft, loss, and security or IT policy breaches involving mobile devices such as the iPad include the following:
- Loss of corporate confidential information;
- Breach of Data Protection legislation in respect of lack of personal data security safeguards;
- Compromising data integrity if version control is not maintained between the device and other computers (eg laptop, desktop or server);
- Compliance with legal and regulatory requirements in respect of communications sent from the device;
- HR issues associated with internet use during work hours on the device.
iPad Security Safeguards
The iPad does contain a number of safeguards, which address certain of the above risks:
- Passcode security: The device contains in-built passcode safeguards, to provide an initial level of security against unauthorised access to the device. This security can be set so that it activates automatically after a certain period of inactivity. The data can also be automatically erased if the incorrect passcode is entered a certain number of times. The data is erased by removing the encryption key which is necessary to access it, as the data is automatically encrypted using 256-bit AES encryption.
Businesses will also be able to apply additional safeguards through Microsoft Exchange Server, including password expiration and refresh requirements.
- iPad application restrictions: The iPad can be set so that restrictions on certain applications are imposed, for example, preventing access to Safari (the iPad's built-in web browser), YouTube and iTunes. Additional restrictions, such as whether software installations are permitted on the device, can also be set.
Certain of these settings can be applied manually on the device, whilst additional restrictions can be imposed through configuration profiles (these configuration profiles are XML files which contain information such as device restrictions, VPN settings, and authentication credentials to allow the iPad to communicate with the enterprise systems).
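An added example, not from the original column or from Apple: a short Python audit that reads a configuration profile of the kind described above and reports which passcode and restriction safeguards it leaves unset. The sample profile, its identifier and the baseline thresholds are constructed assumptions; the payload types and keys are those of Apple's passcode-policy and restrictions payloads.

```python
import plistlib
PASSCODE = "com.apple.mobiledevice.passwordpolicy"
RESTRICT = "com.apple.applicationaccess"

# Constructed sample profile; the identifier is a placeholder.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadIdentifier</key><string>com.example.ipad.baseline</string>
  <key>PayloadContent</key><array>
    <dict>
      <key>PayloadType</key><string>com.apple.mobiledevice.passwordpolicy</string>
      <key>forcePIN</key><true/>
      <key>maxInactivity</key><integer>15</integer>
    </dict>
    <dict>
      <key>PayloadType</key><string>com.apple.applicationaccess</string>
      <key>allowSafari</key><false/>
      <key>allowAppInstallation</key><true/>
    </dict>
  </array>
</dict></plist>"""

# Assumed corporate baseline: (payload type, key, acceptance test, finding).
BASELINE = [
    (PASSCODE, "forcePIN", lambda v: v is True, "passcode not enforced"),
    (PASSCODE, "maxInactivity", lambda v: type(v) is int and 1 <= v <= 5,
     "auto-lock unset or longer than 5 minutes"),
    (PASSCODE, "maxFailedAttempts", lambda v: type(v) is int and v <= 10,
     "no erase after repeated wrong passcodes"),
    (RESTRICT, "allowAppInstallation", lambda v: v is False,
     "users can install software"),
]

def audit_profile(data):
    """Return one finding per baseline setting the profile misses."""
    profile = plistlib.loads(data)
    settings = {}
    for payload in profile.get("PayloadContent", []):
        settings.setdefault(payload.get("PayloadType"), {}).update(payload)
    findings = []
    for ptype, key, accept, message in BASELINE:
        value = settings.get(ptype, {}).get(key)  # absent key -> None
        if not accept(value):
            findings.append(f"{key}: {message} (value={value!r})")
    return findings

if __name__ == "__main__":
    print("\n".join(audit_profile(SAMPLE_PROFILE)) or "profile meets baseline")
```

A key that is absent from the profile is reported as a finding, since an unset policy leaves the device on its default behaviour.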
Data Protection safeguards:
- Encryption: The iPad offers 256-bit AES hardware data encryption. This is automatically enabled at all times, and cannot be disabled by users. Data backed up to computers can also be set to be automatically encrypted during device synchronisation.
- Local/Remote wipe: The iPad also allows wiping of data, in the manner already referred to above. This can be undertaken at a local level if someone keys in several incorrect passcodes, or it can be undertaken remotely using the tools available in Exchange Server.
- The iPad is able to use a number of VPN (virtual private network) technologies, which allow for encryption of sensitive information during transmission. In addition, the iPad supports WPA2, which uses 128-bit AES encryption in respect of Wi-Fi networks.
Addressing other risks
Although the above offer certain safeguards, there are other measures which organisations may also wish to consider, including:
- Ensuring that the iPad is not treated as a mobile hard drive, with everything being included on it, as data security risks are obviously increased as a result;
- Activating location detection on the device, which might assist in narrowing down where a device is, soon after the loss of the device;
- From a data integrity perspective, businesses will want to ensure that there is proper version control between documents, when creating or modifying documents on the iPad and other computers;
- Businesses also need to ensure that they change the standard "Sent from iPad" default email signature block, to their corporate email footer, to address requirements such as: confidentiality notices, as well as requirements with regard to their legal status and details which must be displayed with regard to any professional regulatory body which they are governed by;
- The large screen of the iPad also makes internet and media browsing so much more practical, which may give rise to associated HR issues, with such employee use in the workplace. So businesses may feel that it is prudent to check and update their Employee IT Usage Policies.
Apple's innovation continues to be praiseworthy, but security with regard to the iPad will be a concern for many organisations. As more powerful and portable devices such as the iPad become available, it is important to keep in mind that confidential corporate information can also become inadvertently more portable! However, as has been mentioned above, there are clearly ways to alleviate such concerns, if businesses take appropriate measures.