Feeds

iPhones now 'safe' for Restricted UK.gov info, but not Secret

iOS 6 hasn't yet done the job on RIM

The essential guide to IT transformation

UK government departments have a green light to use iPhones and other iOS 6 devices for handling sensitive emails. The move may encourage civil servants and ministers to toss their BlackBerries to the wind, provided they don't have to read anything that's more than mildly important.

For years RIM's BlackBerry handsets were the only mobile kit accredited for accessing sensitive information by the Communications-Electronics Security Group. CESG is a GCHQ branch tasked with shoring up computer defences in banks, power stations and other critical systems in Blighty.

But the long-term viability of RIM, which has suffered a steady decline in smartphone market share, and improvements in the security of the iPhone operating system iOS have prompted a rethink on the use of Cupertino's Jesus mobe in government.

In a statement, CESG explained that it updated its guidance on the suitability of iOS 6 devices (available for the iPhone 3GS onwards, and iPad 2 and later models) to support the handling of sensitive emails:

CESG is currently working on updates and enhancements to a number of our mobile security guidance documents. As part of this work CESG has published risk management guidance for iOS 6 devices for protecting sensitive emails - up to and including Impact Level 3 depending on local risk management decisions. The guidance is based on existing CESG security procedures for iOS, but includes updated guidance, additional technical controls and improvements to user guidelines to more effectively manage identified risks with mobile working

Government emails and documents are categorised into one of seven levels that describe the impact caused were the file to leak - from zero for no impact to six for severe. Level 3, now appropriate for accessing with iOS 6 devices, sits in the middle of this spectrum. Typically, information deemed protected, restricted, confidential, secret or top secret fall into levels 2, 3, 4, 5 and 6, respectively.

CESG recommends iPhones and iPads running the latest system of iOS are fortified with additional defences: network monitoring and protections need to be extended, and users should switch on security features bundled in iOS 6.

UK government departments use as many as 20,000 BlackBerry devices which are still considered secure - but the gap between RIM's and Apple's software is narrowing. iOS6 on its most restricted settings, perhaps enforced by third-party tools, is now considered a viable option for sensitive emails, at least.

Full device encryption; remote-wiping capabilities so data can be purged from lost or stolen devices; rock-solid separation of software into sandboxes; an operating system free of security holes; and locking down apps to prevent users from installing leaky apps are key features in any mobile OS to make it suitable for use in either government or large enterprises.

The government is also reportedly considering whether to open up the option of using smartphones running either Android or Windows mobile to handle sensitive information. This fits with the wider bring-your-own-device trend that IT managers in corporates have been grappling with for some months. Corporate security managers we've spoken to tend to accept the need to support email and calendar functions on users' own smartphones, tablets or laptops. Instant-messaging apps can sometimes fall into this category.

However corporates are far more reluctant when it comes to opening up sales, enterprise resource planning and supply-chain applications to phones they don’t own.

Rik Ferguson, director of research at net security firm Trend Micro, told El Reg that the quality of the mobile device management features bundled with iOS is approaching the sophistication of security features build into BlackBerry's technology, which hasn't been updated for some months.

Although iOS started off as a consumer technology, it is now possible to turn off features such as iCloud backups which would be a concern for any enterprise worried about keeping control of sensitive information in its own hands. It's also possible to disable application like Siri and prevent the installation of new unapproved apps among other features explained in greater depth in a security guide from Apple here.

Trend Micro's audit of the security of mobile OS earlier this year found BlackBerry to be the most secure, followed by iOS, Windows Mobile and Android.

Android is moving towards offering enterprise-friendly security features but is further back on this path than iOS. For example, Android only recently supported full device encryption. "iOS is a tight ship and closed but with Android there's no uniformity," according to Ferguson.

Windows Phone is "unproven" while the multiplicity of different versions of Android mean that any government accreditation would be for a specific version of the OS on a specific smartphone, according to Ferguson. ®

5 things you didn’t know about cloud backup

More from The Register

next story
Ice cream headache as black hat hacks sack Dairy Queen
I scream, you scream, we all scream 'DATA BREACH'!
Goog says patch⁵⁰ your Chrome
64-bit browser loads cat vids FIFTEEN PERCENT faster!
Chinese hackers spied on investigators of Flight MH370 - report
Classified data on flight's disappearance pinched
KER-CHING! CryptoWall ransomware scam rakes in $1 MEEELLION
Anatomy of the net's most destructive ransomware threat
NIST to sysadmins: clean up your SSH mess
Too many keys, too badly managed
Scratched PC-dispatch patch patched, hatched in batch rematch
Windows security update fixed after triggering blue screens (and screams) of death
Researchers camouflage haxxor traps with fake application traffic
Honeypots sweetened to resemble actual workloads, complete with 'secure' logins
Attack flogged through shiny-clicky social media buttons
66,000 users popped by malicious Flash fudging add-on
prev story

Whitepapers

Gartner critical capabilities for enterprise endpoint backup
Learn why inSync received the highest overall rating from Druva and is the top choice for the mobile workforce.
Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Rethinking backup and recovery in the modern data center
Combining intelligence, operational analytics, and automation to enable efficient, data-driven IT organizations using the HP ABR approach.
Consolidation: The Foundation for IT Business Transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.
Next gen security for virtualised datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.