Gartner advises caution on new iPhone's place in companies

The enhanced security features built into Apple's new iPhone 3G will enable the devices to be connected more securely into corporate networks. But that doesn't mean they should immediately be given the same kind of broad access to internal applications that PCs typically enjoy, according to Gartner analysts.

For now, at least, the iPhone remains largely untested from a corporate security standpoint, Gartner analyst Ken Dulaney said after Apple's iPhone 3G announcement this week. He added that although Apple's upgraded handheld may be capable of doing many of the same things that a laptop or desktop PC can do, it has yet to be proven that the iPhone can be locked down in the same manner as PCs can be.

As a result, it may be better for companies to consider providing iPhone access to only a limited set of applications, such as Exchange and Apple's Mail e-mail client, instead of opening up their entire networks to the device, Dulaney said.

"Much about being secure is being consistent," Dulaney said. "If you have two platforms, a PC and a handheld -- one of which has years of improvements in security and is very mature, against one that is barely a year old -- you are only going to be as secure as the second piece of hardware."

Among the most significant of the enhancements is support for Cisco Systems' IPSec VPN technology, which will let iPhones connect securely to enterprise networks and communicate using IP-based encryption. The new hardware-software tandem also supports wireless network services via the enterprise version of the Wi-Fi Protected Access 2 protocol, featuring 802.1X-based authentication. In addition, it offers a remote wipe capability for erasing data if a device is lost or stolen. Those functions are all considered crucial for corporate users.

"Cisco IPSec VPN gets you most of the corporate world," said Glenn Edens, an independent mobile device consultant. Provisioning and configuration management capabilities are also "very well done" on the iPhone 3G, Eden said via e-mail. "It is probably good enough for Department of Defense applications," he added, pointing to the fact that the US military was one of the beta users showcased during the iPhone 3G launch at Apple's Worldwide Developers Conference in San Francisco.

At the product announcement, Bob Borchers, senior director of Apple's iPhone business line, claimed that the security capabilities in the new iPhone will be sufficient for companies looking to adopt the device internally. He noted, for example, that the iPhone 3G and iPhone 2.0 technologies have managed to "attract the interest of" eight of the biggest banks in the US.

John Pescatore, another Gartner analyst, acknowledged Apple's focus on enhancing the security features and the policy management and enforcement capabilities in the new iPhone. Apple has narrowed much of the security gap that existed previously between its handheld and rival products, Pescatore said. But he added that the iPhone still doesn't offer quite the same level of security as either BlackBerry or Windows Mobile devices do.

One major issue that remains for the iPhone is the relative lack of third-party security software, such as antivirus and encryption tools, Pescatore said. By comparison, such products tools are readily available for BlackBerry and Windows Mobile devices.

Because of the iPhone's relatively small presence within companies, it also has yet to be widely checked for vulnerabilities by third-party penetration testers or even by malicious attackers, according to Pescatore. "There's been no pounding on the software yet, or third parties who have been brought in to validate the security," he said.

Page Break

However, Edens dismissed such concerns and said that many of the third-party tools available for other mobile devices are designed to fix "basic security flaws" in individual products. In contrast, the iPhone is secure out of the box, he said.

Nonetheless, the upcoming release of the iPhone 3G increases the need for companies to pay attention to potential security issues surrounding its use by their workers, said Amrit Williams, chief technology officer at BigFix, a security vendor in the US.

Williams said that Apple's new support for third-generation wireless networks and for Microsoft's Exchange ActiveSync technology, which can be used to push e-mail to iPhones, means that the handheld is much more capable of storing, forwarding and manipulating data than it was before. But, he cautioned, those same capabilities also are likely to make the device a more appealing target for attackers.

"The iPhone is cool, and it is flashy," Williams said. But it also creates new avenues of attack that many enterprises are "just not ready to deal with," he added.

When Apple detailed the iPhone 3G, which will run the second-generation iPhone 2.0 software announced earlier this year, the company touted several new features that it said will make the device more suitable for enterprise uses.

Matt Hamblen contributed to this story.