Friend or Foe? iPads in a Banking World

By: (CISSP, CISA, Security+)

Publication: The Colorado Banker, March/April 2011

As the instantaneous success of Apple’s iPad seems to confirm Steve Jobs’ striking resemblance to King Midas, many banks have broached the subject of whether or not iPads could or should be introduced on their networks…and why not? Their user-friendly interface draws in even the most technologically fearful executive or Board member. Their size has found the perfect median between our current mobile devices – easier to transport than a laptop and easier to read email or browse the web on than a smartphone. There is also the environmental benefit, as pulling up documents or Board packets on an iPad saves the money and trees previously spent on printing. It can’t hurt that the iPad’s sleek and cutting-edge design will send the message that you too are avant-garde. But…let’s be honest…the most compelling reason we want an iPad is the same reason we want most things: all the cool kids are getting one.

Regardless of your motivations for introducing iPads to your network environment, it’s imperative that you consider the security implications before doing so. This is done through what is called a risk assessment. The following is a list of some security concerns that will need to be addressed:

Physical Security: As with any mobile device, the physical security controls you’ve placed at the bank (cameras, guards, etc.) will do little to protect your iPad and, more importantly, the information stored on your iPad from being lost or stolen. Apple has provided device and data protection to help keep information stored on your iPad safe. These include:

  • Passcode policies – Administrators have the ability to enforce length, complexity, aging, passcode history, and auto-lock. With the ability to enforce these policies centrally, you can also push configuration profiles to users and require an admin password to override security settings.
  • Encryption – The iPad ships with hardware-based encryption that works with a user’s passcode to prevent data from being accessed when the device is locked.
  • Remote wipe / local wipe – An administrator can issue a command from Microsoft Exchange to remove all data and deactivate the iPad. This can be done through Mobile Device Management solutions if Exchange services are not used. The device can also be configured to automatically wipe after a number of failed passcode attempts (local wipe).
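The passcode and local-wipe settings above are delivered in a configuration profile, so a profile can be checked against the bank's written policy before it is pushed to devices. The script below is an added example, not part of the original article: it uses the keys of Apple's passcode policy payload, while the baseline thresholds, the sample profile, and the names `BASELINE`, `check` and `audit_profile` are assumptions made for illustration.

```python
import plistlib

PASSCODE_TYPE = "com.apple.mobiledevice.passwordpolicy"
# Baseline thresholds are assumptions for this example, not values from the article.
BASELINE = {
    "forcePIN": ("eq", True), "allowSimple": ("eq", False),
    "requireAlphanumeric": ("eq", True), "maxPINAgeInDays": ("max", 90),
    "minLength": ("min", 8), "pinHistory": ("min", 5),
    "maxInactivity": ("max", 5),        # minutes before auto-lock
    "maxFailedAttempts": ("max", 10),   # local wipe threshold
}

def check(rule, want, got):  # returns a deviation message, or None if the setting passes
    if got is None:
        return "not set"
    ok = {"eq": got is want, "min": got >= want, "max": got <= want}[rule]
    return None if ok else f"is {got}, baseline is {rule} {want}"

def audit_profile(data: bytes) -> dict:
    """Map each non-compliant passcode setting in a profile to its problem."""
    profile = plistlib.loads(data)
    payloads = [p for p in profile.get("PayloadContent", [])
                if p.get("PayloadType") == PASSCODE_TYPE]
    if not payloads:
        return {"profile": "no passcode policy payload"}
    findings = {}
    for payload in payloads:
        for key, (rule, want) in BASELINE.items():
            problem = check(rule, want, payload.get(key))
            if problem:
                findings[key] = problem
    return findings

# Constructed sample profile: short simple PIN, slow auto-lock, no aging or history.
SAMPLE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadContent</key><array><dict>
    <key>PayloadType</key><string>com.apple.mobiledevice.passwordpolicy</string>
    <key>forcePIN</key><true/>
    <key>allowSimple</key><true/>
    <key>minLength</key><integer>4</integer>
    <key>maxInactivity</key><integer>15</integer>
    <key>maxFailedAttempts</key><integer>10</integer>
  </dict></array>
</dict></plist>"""

if __name__ == "__main__":
    for key, problem in audit_profile(SAMPLE).items():
        print(f"{key}: {problem}")
```

A setting that is absent from the payload is reported as "not set" rather than treated as compliant, since an omitted key means the policy is not being enforced.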

Wireless / Network Security: Your users will be accessing bank information from various places, so it’s important that data in transit is kept secure as well. The iPad supports many security technologies and protocols to enable a secure connection for remote users. Apple can only do so much for you here though, as training your users never to connect to unknown or ad-hoc networks will go a long way in wireless protection.

Internet Security: Currently, the biggest projected risk to the iPad comes from browser-based vulnerabilities, that is, vulnerabilities that exist in an Internet browser (e.g., Safari). Connecting any device to the Internet opens it up to all kinds of malicious people all over the world, but there are ways to reduce your chances of being exploited through a browser-based vulnerability, including:

  • iOS updates – These are used not only for feature enhancements, but will also include patching vulnerabilities in Safari and should be installed in a timely manner.
  • Web content filtering – Several apps have been developed to implement web tracking reports and even block certain categories of web sites. These types of sites are not only reputational issues, but also tend to be the best places to find malicious software.
  • User training – Technical controls like passcodes and iOS updates are great, but if your users will click on any email or Internet link without verifying authenticity, this puts the information on your iPad at a much greater risk of being compromised. User training is extremely important when you allow confidential customer and bank information to leave the protection of your network and your building with your employees.

iPads have quickly gained a following since their release last year. They can provide easy and convenient access to information with the touch of the screen. Convenience and security tend to be inversely related, though, so it’s important that you consider the risks involved and adjust your policies, controls, and user training accordingly.