
Apple security not ready for enterprise

http://blogs.zdnet.com/security/?p=1941 [2008-10-6]

September 19th, 2008 Apple security not ready for enterprise prime-time
Posted by Ryan Naraine @ 7:46 am
Categories: Uncategorized
Tags: Update, Apple Inc., September, Security, Ryan Naraine
Guest editorial by Andrew Storms
Last week Apple proved that they are not ready for prime time enterprise relationships.
Apple has tried to position the iPhone as enterprise-ready, but this last round of software updates demonstrated beyond a shadow of a doubt how far they have to go to understand the enterprise mentality.
On September 9th, Apple released updates to some 20 security vulnerabilities that included updates to QuickTime, iTunes and other software. On September 12th, Apple released iPhone version 2.1, which was intended to fix 8 security holes and repair 3G connections problems. On September 15th, Apple released updates to OSX that include fixes to nearly 70 security problems. On September 16th, Apple released updates to Remote Desktop, again fixing more security problems.

[ SEE: Apple plugs iPhone code execution holes ]
In the matter of 8 days, Apple released updates to every one of its major platforms and applications. Those updates included over 100 security updates spanning Mac OSX, Windows Vista, Windows XP, the iPhone and the iPod Touch. So how did that affect enterprise security teams?
On September 9th, security teams met, reviewed the updates, set priorities and assigned resources. Remember that unlike other vendors, Apple did not provide any advanced notification on timing or the magnitude of the updates. This update caught everyone off guard. Then again, without notice, security teams were brought back to the meeting room to discuss the updates on September 12th (repeat drill above). Then yes, you guessed it, same story again on September 15th and again on the 16th. Who knows, maybe by the time this is published, there will be another update?
Every IT staff is already resource constrained and some teams always are in a passive firefighting mode. If your security team thought it was almost caught up with Apple updates already issued this year, the last week set you back significantly and probably pushed other, potentially critical, scheduled work into a wait state.
[ SEE: iPhone passcode lock rendered useless ]
Mind you that last week’s updates just didn’t stop at OSX. Even if you run a Windows shop that permits QuickTime or iTunes, you couldn’t ignore this torrent of updates. The impact of this random update cycle from Apple may be serious enough that some companies decide to limit or stop using Apple hardware or software entirely. After last week, IT teams running ragged by the deluge of unannounced patches are wishing they could make the policy decision to get all Apple software off the network. With this kind of uncertainty and apparent lack of planning, who can blame them?
Apple had an opportunity to embrace the enterprise by showing leadership in its software development lifecycle. And while we would never expect Apple to follow Microsoft’s footsteps, they could have learned what works and what doesn’t in the enterprise, and then in their Apple way, take it to the next level. I think that’s what many Mac fans in the IT department were hoping for. Too bad we had such a big let down last week.
[ SEE: Apple plugs gaping QuickTime security holes ]
We’d like to see Apple embrace public discourse regarding security updates. We respectfully suggest that Apple sit with enterprise managers, listen and then take the information they receive and build a process that doesn’t leave IT teams staggering.
Instead of wasting the valuable time and resources of their target customers, Apple could take the opportunity to perform the way they have done in other markets. This assumes that Apple can apply their creative, customer-focused energy that has made them a powerhouse in the consumer market and put some of that effort into collaborative partnerships.
[ SEE: Apple mega-patch covers 34 Mac OS X security issues ]
We’d love to see Apple step up and change the game in software development lifecycle, or at least learn to play the game with the best of them. Apple, we’re rooting for you, but it’s gonna take a whole lot more than you’ve shown us so far. And we have to tell ya, hip and cool can only take you so far in the enterprise.
* Andrew Storms is director of security operations at nCircle, where he is responsible for setting and enforcing the company’s security compliance programs as well as overseeing day-to-day operations for the IT department. His writing can be found on nCircle’s 360 Security blog.

* Image source: charliekwalker’s Flickr photostream (Creative Commons 2.0)
