Apple’s new application-level encryption paves the way for companies to run business apps on the iPad
As global accounts director at Altus, Inc., Michelle Klatt’s job is to visit Fortune 500 companies and demonstrate her firm’s video management software. When the iPad came out a year ago, she was all over it.
“I was one of the first salespeople to get one,” she says. “I fought very hard.” Her company’s videos look “absolutely beautiful” on the iPad, she says. And once the sales presentation is over, she uses her iPad to update the Salesforce.com entry for the sales prospect, log the meeting, send out follow-up e-mails, manage her LinkedIn contacts, and do other job-related paperwork.
“I do everything on the iPad,” she says. “It’s really my laptop when I want it to be, but it’s far lighter.”
Klatt is at the leading edge of a growing wave of enterprise customers who are adopting the iPad for business use. “Enterprise CIOs are adding iPad to their approved device list at an amazing rate,” Apple CFO Peter Oppenheimer said recently. “Today, over 80% of the Fortune 100 are already deploying or piloting iPad, up from 65% in the September quarter. Some recent examples include JPMorgan Chase, Cardinal Health, Wells Fargo, Archer Daniels Midland, Sears Holdings and DuPont.”
A major reason that iPads are being accepted in the enterprise is that Apple significantly upgraded its iOS operating system last summer to include a number of enterprise-friendly security features.
“These include application-level encryption,” says Andrew Jaquith, CTO at Perimeter E-Security and former lead security analyst at Forrester Research. “This encrypts the content of each application’s data with a unique key, separating out each application’s data on the device.”
Encryption is built into the hardware, making it fast – and also making it easy for enterprises to wipe the device if it’s lost or stolen. “In a tenth of a second,” Jaquith says.
In addition, iOS 4 allows enterprises to impose security policies on their mobile devices. Policies can be imposed on all company-owned iPads and iPhones, or added to personal devices owned by employees.
They include setting a password lock, requiring a device to automatically erase company data after a certain number of failed logins, blocking camera access, or locking down the device to prevent users from installing unauthorized applications.
“It’s not as sophisticated as the Blackberry, which has something like 500 security settings,” Jaquith says. “But it has the important ones nailed.”
As a result, he says, the iPad is a pretty secure system, with a decent set of centralized, enterprise-friendly management tools.
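The four policies listed above (password lock, erase after failed logins, camera block, app-install lockdown) map onto keys in an iOS configuration profile. The following is an added example, not part of the original article: a Python audit of a profile plist for those settings. The sample profile and the 10-attempt threshold are constructed assumptions; the payload types and keys are those of Apple's passcode and restrictions payloads.

```python
import plistlib

MAX_ATTEMPTS = 10  # assumed organizational limit, not from the article

# Constructed sample profile: enforces three of the four policies,
# but leaves the camera enabled.
SAMPLE_PROFILE = {
    "PayloadType": "Configuration",
    "PayloadDisplayName": "Constructed example profile",
    "PayloadContent": [
        {"PayloadType": "com.apple.mobiledevice.passwordpolicy",
         "forcePIN": True, "maxFailedAttempts": 10},
        {"PayloadType": "com.apple.applicationaccess",
         "allowCamera": True, "allowAppInstallation": False},
    ],
}

def _is_count(v):
    # bool is a subclass of int in Python, so exclude it explicitly
    return isinstance(v, int) and not isinstance(v, bool)

# (payload type, key, acceptance test, policy named in the text)
REQUIRED = [
    ("com.apple.mobiledevice.passwordpolicy", "forcePIN",
     lambda v: v is True, "password lock required"),
    ("com.apple.mobiledevice.passwordpolicy", "maxFailedAttempts",
     lambda v: _is_count(v) and v <= MAX_ATTEMPTS, "erase after failed logins"),
    ("com.apple.applicationaccess", "allowCamera",
     lambda v: v is False, "camera blocked"),
    ("com.apple.applicationaccess", "allowAppInstallation",
     lambda v: v is False, "app installation blocked"),
]

def audit_profile(profile_bytes):
    """Return the policies that the given profile plist does not enforce."""
    profile = plistlib.loads(profile_bytes)
    settings = {}
    for payload in profile.get("PayloadContent", []):
        settings.setdefault(payload.get("PayloadType"), {}).update(payload)
    gaps = []
    for ptype, key, accepted, policy in REQUIRED:
        value = settings.get(ptype, {}).get(key)  # absent key -> None -> gap
        if not accepted(value):
            gaps.append(policy)
    return gaps

if __name__ == "__main__":
    print(audit_profile(plistlib.dumps(SAMPLE_PROFILE)))
```

A key that is absent counts as a gap, because an unset restriction leaves the device at its permissive default.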
Still room for improvement
The iPad isn’t going to cut it for NSA-level, top secret applications that require separate levels of biometric authentication, he says. However, individual applications can ask for one-time passwords generated by RSA or VeriSign key fobs, or access confirmation delivered over a separate cell phone.
In addition, while iPad e-mail can be funneled through a company network – with all the monitoring, archiving and auditing already built into the enterprise gateways – text messages go out over less secure telephone networks.
“Many enterprises want to archive SMS messages as part of their compliance,” he says. “For example, you need to archive SMS if it’s used for your day trading business.”
The current version of the iPad also lacks a front-facing camera, which could be useful for face recognition biometric access control.
“That is supposed to be taken care of with the new version of the iPad,” he says. “When that happens, you may see some more focus from a third-party application perspective.”
Also, Apple needs to do more work to close down some of the jailbreaking access points that may allow rogue applications to get on a device, he says. But there are also ways for companies to run security scans to check if any devices have been jailbroken, he adds.
“Our verdict is that 90 to 95% of the companies are going to be very happy with the capabilities of the device, and all they need is help configuring their policies appropriately,” he says.
iPads in the field
There are two options for people like Klatt, who want to run Salesforce.com on their iPads. The Salesforce CRM app can run natively on the iPad. This allows users to access their CRM data when offline, but that convenience comes with a price — limited functionality. Klatt prefers to access Salesforce’s SaaS application via iPad’s built-in Safari browser. “I like to leverage the entire screen and get all the functionality,” she says.
Klatt bought the Wi-Fi-only version of the iPad, and uses it in conjunction with a Verizon MiFi card. In addition to her work-related tasks, she also uses the iPad for banking, personal e-mail, to look up flights while traveling, and to read magazines.
Unfortunately, the same factors that make the iPad so attractive to frequent travelers like Klatt – its light weight, ease of use and coolness – also make it popular with thieves.
To keep customer data safe, experts say, enterprises should encrypt all sensitive communications in and out of the device, encrypt customer data and important documents that are stored on the device itself, use the strongest practical authentication mechanisms, and opt for cloud delivery of content rather than local storage, when available.
Traffic from an end user’s iPad to Salesforce.com and other CRM sites, as well as e-mail systems and enterprise application servers, travels over public networks – but the iPad’s built-in encryption makes these communications as secure as those from laptops or desktops, experts say.
Plus, the SaaS vendors provide their own layer of security. “The better cloud-type applications have built-in security,” says security expert Jeff Kalwerisky, Chief Security Evangelist for Alpha Software. “When you log in and you’re properly authenticated, it switches to HTTPS, and that means it’s running secure. There’s no alternative to that. Unencrypted data over a public network is kind of like writing your Social Security number on a post card and putting it in the U.S. mail. The more mature applications, like Salesforce.com, automatically encrypt the data.”
However, many home-grown applications don’t have encryption built in, especially if they were originally developed for older, comparatively under-powered mobile devices, he says. Encryption would have slowed down the applications to the point where they were not usable. With the iPad, developers don’t have to compromise on encryption, he says.
“If you’re building your own app, that’s a big issue,” he says. “The beauty of the iPad is that it has powerful processors. It has the ability to do the encryption and decryption on the device.”
Flight from Flash
When it comes to CRM apps, one problem is that pages may have some Flash functionality – which is not currently supported on the iPad.
For example, SugarCRM uses Flash to create visual representations of data, says Martin Schneider, senior director of communications for SugarCRM.
“We’re making the move from Flash to an HTML 5 charting engine so you can see everything in its beautiful glory,” he says. This would allow iPad users to access the SugarCRM application directly via Safari – no need to download a separate application.
For users who must store data on the iPad itself – for example, if they’re flying to Asia and plan to use the time in the air to get some work done – there are third-party services such as that of Australia-based RhoLogic that allow SugarCRM data to be downloaded onto the iPad and stored in encrypted form.
Like SugarCRM and Salesforce.com, Pivotal CRM from Atlanta-based CDC Software also offers a choice of either a native iPad app or browser-based access.
“A lot of our customers, like CareerBuilder.com, have deployed it on the iPhone and are in the midst of testing on the iPad,” says Jason Rushforth, president of the company’s Pivotal CRM product.
The native app has the capability of downloading data and storing it locally so that sales teams can work on opportunities and queue up e-mails to be sent out even when they don’t have an Internet connection. All that data is encrypted, Rushforth adds.