Feeds

iPhones now 'safe' for Restricted UK.gov info, but not Secret

iOS 6 hasn't yet done the job on RIM

The Essential Guide to IT Transformation

UK government departments have a green light to use iPhones and other iOS 6 devices for handling sensitive emails. The move may encourage civil servants and ministers to toss their BlackBerries to the wind, provided they don't have to read anything that's more than mildly important.

For years RIM's BlackBerry handsets were the only mobile kit accredited for accessing sensitive information by the Communications-Electronics Security Group. CESG is a GCHQ branch tasked with shoring up computer defences in banks, power stations and other critical systems in Blighty.

But the long-term viability of RIM, which has suffered a steady decline in smartphone market share, and improvements in the security of the iPhone operating system iOS have prompted a rethink on the use of Cupertino's Jesus mobe in government.

In a statement, CESG explained that it updated its guidance on the suitability of iOS 6 devices (available for the iPhone 3GS onwards, and iPad 2 and later models) to support the handling of sensitive emails:

CESG is currently working on updates and enhancements to a number of our mobile security guidance documents. As part of this work CESG has published risk management guidance for iOS 6 devices for protecting sensitive emails - up to and including Impact Level 3 depending on local risk management decisions. The guidance is based on existing CESG security procedures for iOS, but includes updated guidance, additional technical controls and improvements to user guidelines to more effectively manage identified risks with mobile working

Government emails and documents are categorised into one of seven levels that describe the impact caused were the file to leak - from zero for no impact to six for severe. Level 3, now appropriate for accessing with iOS 6 devices, sits in the middle of this spectrum. Typically, information deemed protected, restricted, confidential, secret or top secret fall into levels 2, 3, 4, 5 and 6, respectively.

CESG recommends iPhones and iPads running the latest system of iOS are fortified with additional defences: network monitoring and protections need to be extended, and users should switch on security features bundled in iOS 6.

UK government departments use as many as 20,000 BlackBerry devices which are still considered secure - but the gap between RIM's and Apple's software is narrowing. iOS6 on its most restricted settings, perhaps enforced by third-party tools, is now considered a viable option for sensitive emails, at least.

Full device encryption; remote-wiping capabilities so data can be purged from lost or stolen devices; rock-solid separation of software into sandboxes; an operating system free of security holes; and locking down apps to prevent users from installing leaky apps are key features in any mobile OS to make it suitable for use in either government or large enterprises.

The government is also reportedly considering whether to open up the option of using smartphones running either Android or Windows mobile to handle sensitive information. This fits with the wider bring-your-own-device trend that IT managers in corporates have been grappling with for some months. Corporate security managers we've spoken to tend to accept the need to support email and calendar functions on users' own smartphones, tablets or laptops. Instant-messaging apps can sometimes fall into this category.

However corporates are far more reluctant when it comes to opening up sales, enterprise resource planning and supply-chain applications to phones they don’t own.

Rik Ferguson, director of research at net security firm Trend Micro, told El Reg that the quality of the mobile device management features bundled with iOS is approaching the sophistication of security features build into BlackBerry's technology, which hasn't been updated for some months.

Although iOS started off as a consumer technology, it is now possible to turn off features such as iCloud backups which would be a concern for any enterprise worried about keeping control of sensitive information in its own hands. It's also possible to disable application like Siri and prevent the installation of new unapproved apps among other features explained in greater depth in a security guide from Apple here.

Trend Micro's audit of the security of mobile OS earlier this year found BlackBerry to be the most secure, followed by iOS, Windows Mobile and Android.

Android is moving towards offering enterprise-friendly security features but is further back on this path than iOS. For example, Android only recently supported full device encryption. "iOS is a tight ship and closed but with Android there's no uniformity," according to Ferguson.

Windows Phone is "unproven" while the multiplicity of different versions of Android mean that any government accreditation would be for a specific version of the OS on a specific smartphone, according to Ferguson. ®

Build a business case: developing custom apps

More from The Register

next story
14 antivirus apps found to have security problems
Vendors just don't care, says researcher, after finding basic boo-boos in security software
'Things' on the Internet-of-things have 25 vulnerabilities apiece
Leaking sprinklers, overheated thermostats and picked locks all online
iWallet: No BONKING PLEASE, we're Apple
BLE-ding iPhones, not NFC bonkers, will drive trend - marketeers
Only '3% of web servers in top corps' fully fixed after Heartbleed snafu
Just slapping a patched OpenSSL on a machine ain't going to cut it, we're told
Multipath TCP speeds up the internet so much that security breaks
Black Hat research says proposed protocol will bork network probes, flummox firewalls
How long is too long to wait for a security fix?
Synology finally patches OpenSSL bugs in Trevor's NAS
Israel's Iron Dome missile tech stolen by Chinese hackers
Corporate raiders Comment Crew fingered for attacks
Fiendishly complex password app extension ships for iOS 8
Just slip it in, won't hurt a bit, 1Password makers urge devs
Tor attack nodes RIPPED MASKS off users for 6 MONTHS
Traffic confirmation attack bared users' privates - but to whom?
prev story

Whitepapers

Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Boost IT visibility and business value
How building a great service catalog relieves pressure points and demonstrates the value of IT service management.
Why and how to choose the right cloud vendor
The benefits of cloud-based storage in your processes. Eliminate onsite, disk-based backup and archiving in favor of cloud-based data protection.
The Essential Guide to IT Transformation
ServiceNow discusses three IT transformations that can help CIO's automate IT services to transform IT and the enterprise.
Maximize storage efficiency across the enterprise
The HP StoreOnce backup solution offers highly flexible, centrally managed, and highly efficient data protection for any enterprise.