Context research raises questions about tablet security for BYOD
Context Information Security (www.contextis.com) says it has identified security failings in three of the most popular tablets, raising concerns for organizations looking to introduce BYOD (Bring Your Own Device).
In the company's study, the Samsung Galaxy Tab was found to have serious weaknesses that make it difficult to recommend for use in the enterprise, according to Context. And while the iPad and BlackBerry PlayBook performed better, both still have security problems including desktop software that doesn't encrypt backups by default. The BlackBerry was the only device found to have a workable solution to BYOD and provide good separation between personal and work data.
The full Context report "Tablets - A Hard Pill to Swallow" can be downloaded at http://macte.ch/B92QZ .
Context found that while all three tablets have reasonably good support for Exchange ActiveSync, which means that the core security configurations can be managed from a central Exchange server, there are significant differences in security levels between the Galaxy tablet and the iPad and PlayBook. Context investigated a number of security controls to determine whether they were suitable for enterprise use. These included data protection, software integrity and updates, access control, security configuration profiles and connectivity, along with backup and synchronisation.
Despite its popularity as a consumer device, the iPad was shown to have robust data protection and damage limitation facilities. However, weaknesses remain: new jailbreak attacks appear regularly, and disk encryption is ineffective unless a strong passcode policy is applied.
And although the iPad's disk encryption scheme is well designed, the default behaviour for iTunes backups is to store the files in clear text, the same approach adopted for the BlackBerry. The Samsung tablet does not ship with a locked bootloader, and its disk encryption offers weaker support and is more intrusive to use. Even when encryption is enabled on the Galaxy, it allows badly written apps to store sensitive information on the unencrypted SD card, according to Context.
A lack of enterprise-level management tools beyond ActiveSync also means that it is very difficult to manage more than a small number of Galaxy Tabs in an enterprise environment, a problem the iPad shares when using the Apple tools available, according to the research group. Context found that the BlackBerry is far more advanced in its level of readiness for BYOD than either of the other two tablets. Its Balance architecture, in combination with the Bridge application, provides excellent logical and data separation between work and personal modes.
"It is difficult to ignore the growing presence of tablet computers in the home and workplace offering a blend of productivity, connectivity and physical freedom which has never been achieved before," says Jonathan Roach, Principal Consultant at Context and author of the report. "The device format is perfect for social networking and creating and sharing documents, presentations and other content on-the-fly, but the same characteristics also present tough security challenges for organisations. Our research suggests that most tablet manufacturers still have a way to go before their products can deliver the high levels of security required for use in most corporate enterprises."
Context was launched in 1998 and has a client base that includes blue chip companies, alongside government organizations.