Feeds

iPhones now 'safe' for Restricted UK.gov info, but not Secret

iOS 6 hasn't yet done the job on RIM

Beginner's guide to SSL certificates

UK government departments have a green light to use iPhones and other iOS 6 devices for handling sensitive emails. The move may encourage civil servants and ministers to toss their BlackBerries to the wind, provided they don't have to read anything that's more than mildly important.

For years RIM's BlackBerry handsets were the only mobile kit accredited for accessing sensitive information by the Communications-Electronics Security Group. CESG is a GCHQ branch tasked with shoring up computer defences in banks, power stations and other critical systems in Blighty.

But the long-term viability of RIM, which has suffered a steady decline in smartphone market share, and improvements in the security of the iPhone operating system iOS have prompted a rethink on the use of Cupertino's Jesus mobe in government.

In a statement, CESG explained that it updated its guidance on the suitability of iOS 6 devices (available for the iPhone 3GS onwards, and iPad 2 and later models) to support the handling of sensitive emails:

CESG is currently working on updates and enhancements to a number of our mobile security guidance documents. As part of this work CESG has published risk management guidance for iOS 6 devices for protecting sensitive emails - up to and including Impact Level 3 depending on local risk management decisions. The guidance is based on existing CESG security procedures for iOS, but includes updated guidance, additional technical controls and improvements to user guidelines to more effectively manage identified risks with mobile working

Government emails and documents are categorised into one of seven levels that describe the impact caused were the file to leak - from zero for no impact to six for severe. Level 3, now appropriate for accessing with iOS 6 devices, sits in the middle of this spectrum. Typically, information deemed protected, restricted, confidential, secret or top secret fall into levels 2, 3, 4, 5 and 6, respectively.

CESG recommends iPhones and iPads running the latest system of iOS are fortified with additional defences: network monitoring and protections need to be extended, and users should switch on security features bundled in iOS 6.

UK government departments use as many as 20,000 BlackBerry devices which are still considered secure - but the gap between RIM's and Apple's software is narrowing. iOS6 on its most restricted settings, perhaps enforced by third-party tools, is now considered a viable option for sensitive emails, at least.

Full device encryption; remote-wiping capabilities so data can be purged from lost or stolen devices; rock-solid separation of software into sandboxes; an operating system free of security holes; and locking down apps to prevent users from installing leaky apps are key features in any mobile OS to make it suitable for use in either government or large enterprises.

The government is also reportedly considering whether to open up the option of using smartphones running either Android or Windows mobile to handle sensitive information. This fits with the wider bring-your-own-device trend that IT managers in corporates have been grappling with for some months. Corporate security managers we've spoken to tend to accept the need to support email and calendar functions on users' own smartphones, tablets or laptops. Instant-messaging apps can sometimes fall into this category.

However corporates are far more reluctant when it comes to opening up sales, enterprise resource planning and supply-chain applications to phones they don’t own.

Rik Ferguson, director of research at net security firm Trend Micro, told El Reg that the quality of the mobile device management features bundled with iOS is approaching the sophistication of security features build into BlackBerry's technology, which hasn't been updated for some months.

Although iOS started off as a consumer technology, it is now possible to turn off features such as iCloud backups which would be a concern for any enterprise worried about keeping control of sensitive information in its own hands. It's also possible to disable application like Siri and prevent the installation of new unapproved apps among other features explained in greater depth in a security guide from Apple here.

Trend Micro's audit of the security of mobile OS earlier this year found BlackBerry to be the most secure, followed by iOS, Windows Mobile and Android.

Android is moving towards offering enterprise-friendly security features but is further back on this path than iOS. For example, Android only recently supported full device encryption. "iOS is a tight ship and closed but with Android there's no uniformity," according to Ferguson.

Windows Phone is "unproven" while the multiplicity of different versions of Android mean that any government accreditation would be for a specific version of the OS on a specific smartphone, according to Ferguson. ®

Choosing a cloud hosting partner with confidence

More from The Register

next story
SMASH the Bash bug! Apple and Red Hat scramble for patch batches
'Applying multiple security updates is extremely difficult'
Apple's new iPhone 6 vulnerable to last year's TouchID fingerprint hack
But unsophisticated thieves need not attempt this trick
Hackers thrash Bash Shellshock bug: World races to cover hole
Update your gear now to avoid early attacks hitting the web
Oracle SHELLSHOCKER - data titan lists unpatchables
Database kingpin lists 32 products that can't be patched (yet) as GNU fixes second vuln
Who.is does the Harlem Shake
Blame it on LOLing XSS terroristas
Researchers tell black hats: 'YOU'RE SOOO PREDICTABLE'
Want to register that domain? We're way ahead of you.
Stunned by Shellshock Bash bug? Patch all you can – or be punished
UK data watchdog rolls up its sleeves, polishes truncheon
Ello? ello? ello?: Facebook challenger in DDoS KNOCKOUT
Gets back up again after half an hour though
prev story

Whitepapers

Providing a secure and efficient Helpdesk
A single remote control platform for user support is be key to providing an efficient helpdesk. Retain full control over the way in which screen and keystroke data is transmitted.
Intelligent flash storage arrays
Tegile Intelligent Storage Arrays with IntelliFlash helps IT boost storage utilization and effciency while delivering unmatched storage savings and performance.
Beginner's guide to SSL certificates
De-mystify the technology involved and give you the information you need to make the best decision when considering your online security options.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.
Secure remote control for conventional and virtual desktops
Balancing user privacy and privileged access, in accordance with compliance frameworks and legislation. Evaluating any potential remote control choice.