Business use of the iPad and other neo-tablet computers creates a unique security environment mainly because of one important difference between them and laptops – most will not support multitasking. The iPad specifically does not, and it is very likely that neither the WebOS Hewlett-Packard tablet nor the Android-based Google tablet will. That leaves the promised Asus EeePad, which will run Windows 7, as the only potential market entry that definitely will be a multitasking machine.
This creates a unique security situation, with both good and bad aspects. Without multitasking these devices will not be able to run applications in background. That means they will not support the security strategy used on laptops, which depends heavily on security software running in background. On the other hand, they also will not run versions of today’s malware, which also runs in background. That means no keyloggers, botnets, etc.
That, however, does not mean that these devices will be safe from cyber crime. For a start they will be just as vulnerable as any other computer to phishing exploits and similar attacks that depend on deceiving the computer user. Cyber-criminals could create games and other apps that actually mask malware or find ways to add their malware to legitimate apps. They also may find ways to insert instructions into the tablet’s Web browser routing all Web calls through an intermediary URL, creating malware on the SaaS model.
This unique environment will require a new multilayered security strategy to protect business information, including business e-mail, chat, and IM as well as structured data. First, IT will need to centralize all data storage behind multiple defenses, and require strong identification from tablets requesting access. Business applications, and in particular front-end display systems for these neo-tablets, should be designed to prevent local storage of any data. This will protect data from exposure should a tablet be lost or stolen, which certainly will happen, as well as decreasing exposure to Internet-based cyber-crime.
Second, IT should require that all front-end business apps, whether written in-house or bought off-the-shelf, include built-in security to replace at least some of the security provided by independent applications on laptops.
Third, IT should consider using SaaS-based security to protect neo-tablets and business data from Internet-based exploits.
Finally, IT should seriously consider strong encryption for all data transmissions. This does add overhead and complications, which need to be managed, but it can also reduce exposure to data interception strategies from cyber criminals.
Action Item: None of this implies a panic situation. The first malware exploits for neo-tablets are probably still two years away at a minimum. What this does mean, however, is that data security should be designed into business strategies for using neo-tablets, and the technologies created to support those strategies, from the beginning. Security has always had to play catch-up on the desktop. This major platform change gives IT an opportunity to start off ahead of the criminals.