The iPad has company. As Carl Weinschenk mentioned in a blog post, dozens of new tablets were introduced at CES a few weeks ago. With all these new (and old) tablet options come new security issues, Nicholas Arvanitis, principal security consultant for Dimension Data Americas, told me. Security needs will differ between the different operating systems and brands. He said:
The key difference between different brands is that each brand essentially runs a different flavor of operating system. For example, the iPad runs Apple’s iOS operating system (as does the iPhone), while the new Samsung tablets are pegged to run a version of Android OS. RIM’s upcoming BlackBerry tablet will also run a separate operating system, as would any Windows-powered devices.
These platforms are different in architecture and in openness. Again, Apple’s iOS is unique to the iPhone and iPad devices, and is by nature a closed operating system. Android, on the other hand, is essentially a version of Linux developed to run on ARM processor architectures (most mobile devices and tablets run ARM CPUs).
Arvanitis added that all in all, the security risks associated with tablets will likely be similar to those faced by other computing devices, particularly mobile devices like smartphones. The main categories of risk are as follows:
Support and management of devices. Tablets do not always integrate cleanly with existing management and monitoring software and solutions; they may require third-party bolt-on software. You also run into users bringing personal devices into the enterprise and accessing corporate resources with essentially unmanaged devices.
Ownership of and responsibility for data stored on the devices. It is risky when employees bring personal devices into the enterprise, especially if it’s a highly regulated industry. There is a very blurry line around where responsibility lies.
Theft and loss. The form factor of these devices makes them easy to lose and misplace. They’re also attractive targets for theft – consider that most consumers control a lot of their lives from these devices and often store credentials (usernames and passwords) for many services on them.
User control over application (app) deployment. Solutions such as the Apple AppStore and Android Marketplace place control in the user’s hands over what software and code they run on their devices. This is often dangerous as the security and behavior of apps aren’t always fully vetted, as would usually be the case with a managed corporate desktop. In addition, most of these apps are written and contributed by third parties or untrusted users; this elevates the risk of malicious code embedded in these apps.
Human weakness. Humans have always been the weakest link in security and attackers exploit this all the time. With an increase in consumerization of tablet platforms, the traditional spam, phishing, malicious apps and social engineering will shift to this new platform, and users may not recognize the signs as they would on a traditional system.
Untested platforms. The operating systems and these devices have recently exploded into popularity. Platforms such as iOS and Android have only recently started to garner interest from the security research community and the attacker base. This results in a clouded perception of the actual level of vulnerability of these devices.