iPhone News Updated

There are lingering doubts about security and Apple's readiness to deal with large corporations

More than a week after Apple Inc. introduced iPhone 2.0 beta software with Exchange e-mail and powerful security tools, there are lingering questions over whether it can gain wide acceptance inside corporations for mission-critical needs.

An IT official at a major U.S. bank today said that the case for iPhone 2.0 internal deployment looks "less optimistic" than when the announcement was first made on March 6. That comment came after the bank's IT officials got a thorough review of the 2.0 beta from Apple officials earlier this week, partly to see if federal security requirements imposed on banks can be satisfied, said the official, who asked not be named, citing bank policies.

The bank's review of 2.0 software is not complete, and the official would not elaborate.

Industry analysts agreed that iPhone 2.0 is filled with important features needed by corporate users. But some corporations, such as financial services firms and hospitals, have more demanding requirements, including federal rules for protecting data.

At its announcement, Apple said Nike Inc. and The Walt Disney Co., among others, would be adding more iPhone users with the 2.0 release in late June. But the announced users so far do not face some of the tight regulatory scrutiny of banks particularly, some analysts said.

"I'd call it [iPhone 2.0] enterprise light," said Nathan Dyer, an analyst at Yankee Group Research Inc. in Boston, during a conference call with reporters and IT managers. "In financial and health care sectors, you're not going to see a huge uptick. It's certainly not for everyone."

Clearly, some analysts disagree, including Michael Gartenberg at Jupiter Research LLC, who said that when the CEO of a company buys an iPhone and wants to use it at work, "it becomes a de facto enterprise business tool." He added that the security in the iPhone "is certainly going to be good enough for most enterprises."

Apple officials would not respond to queries on this topic, referring a reporter to a webcast of the iPhone 2.0 announcement.

The announcement includes many important security features, but there might be some small gaps that would pose problems for the toughest customers, some analysts said. Included with Exchange ActiveSync will be the ability to remotely wipe data off an iPhone that is lost or stolen. A Cisco IPsec VPN will also provide encrypted access to private corporate networks.

But there is still the possibility, unlikely as it may be, that a user could drop an iPhone with data on its screen that can be intercepted by anyone. For that concern, IT managers could presumably set a function that requires re-authentication even after a very short lapse in time when the device is not used. However, it is not clear how that issue would be addressed, and Apple has not provided complete answers, analysts said.

Further, Kevin Coleman, a vice president of operations at Bluefire Security Technologies in Baltimore, questioned whether the device can wipe off data automatically after a certain amount of failed brute force authorization attempts.

Coleman also said that despite the VPN and over-the-air encryption, apparently there is still not encryption or a firewall capability on the device itself. Dyer said Yankee analysts have been told that the Cisco PIX (Private Internet Exchange) firewall will be used, although it is not clear if that firewall will satisfy all users.

Jack Gold, an analyst at J. Gold Associates, said today that the biggest security concern is how Apple plans to provide true data encryption of all data on the device. "Is it currently good enough?" he asked. "What if you download a patient file or a financial statement to the device and store it locally?"

Password protection on the device is fine, but Gold added, "that is usually insufficient for regulated industries" such as banks, hospitals and utilities. "Mission-critical security is something that no enterprise wants to compromise on," he said.

In response, Gartenberg said data encryption on the iPhone is "not much of a concern" because data can't be loaded onto it via a tiny SD card, as with many phones, simply because there is no SD card slot.

Gold and Dyer said the iPhone 2.0, as announced, still does not appear to have the same level of security as a BlackBerry, Windows Mobile or Symbian device. They said that the iPhone SDK will allow for third parties to build beefed-up security, but it could take some time to see what security applications are most effective.

"My advice to most enterprises would be to wait for better protection on the device before moving to endorse this as an enterprise-ready, mission-critical device," Gold said.

Beyond security, Dyer said there are many other factors that will limit enterprise adoption, including Apple's reliance on a single carrier, AT&T Inc., for cellular service. While the iPhone works on AT&T in the U.S. and several European carriers in Europe, Windows Mobile devices function on 170 operators' networks, and BlackBerry devices work on 300 operators' networks in 120 countries.

"Granted, it is the early days for iPhone, but it takes years to cultivate these carrier relationships, so you question if Apple is willing to put out that effort," Dyer said.

The inexperience with multiple carriers is an indication of a broader concern Apple faces with the iPhone in the enterprise, he added. Simply put, Apple doesn't have broad experience in IT shops. It also doesn't have a full set of explanations or examples of its ability to improve productivity and to provide a return on investment in order to be used by hundreds or thousands of users within a company, he said.

"It's still not seen as a legitimate solution by IT, which faces a steep learning curve in supporting it," Dyer added. "The lack of a cost of ownership story means it is a tough sell, in the near term, when compared to other platforms."

But Gartenberg had the last word on that issue, noting that the iPhone 2.0 will probably be bought by enlightened consumers who bring them to work and will want to use them for work tasks and then get paid back through an expense account rather than relying on IT to distribute them.

"They'll be asking, does it fit into the enterprise infrastructure? And the answer is, yes it does," he said.

[Thanks: http://www.computerworld.com/]