Disclaimer to those of you reading this at my place of employment: Nothing in this post indicates a change to any existing corporate infosec policies… it is simply my first step in trying to figure out how to deal with those meddling kids and their durn iPads!
Just about everyone at my workplace carries around a notebook (of the dead-tree variety) to take notes during meetings. I’m sure that in the wrong hands, access to said notes could reveal information about the company that would better be left unrevealed to those outside our little commercial cabal. However, I have not (and would not, for fear of snickering) sent out an email warning employees not to use unauthorized paper based storage devices in the course of their work. As much as I would love to have a data leakage protection client (in this case, a security guy reading everything written in said notebooks as it is written and tearing out offending pages) and remote data destruction capabilities (security guy who sets notebook on fire if it is stolen), both the company and the employee might have some legitimate concerns about such an arrangement.
Which brings me to the iPad. I have using my shiny new iPad for the past few days to take notes at the CSO Perspectives 2010 conference and have come to the conclusion that it is a great device for the consumption of media as well as a great note taking tool. Which begs the question: How are notes taken on an electronic device (iPad, non company phone, non company laptop) different than those ensconced in dead-tree notebooks?
In some ways, a properly configured electronic device (one with a password required for access) seems to be a more secure note taking device that the trusty Moleskine. Should a nefarious person acquire my Moleskine, the only barriers between them and any juicy secrets contained therein are my atrocious handwriting and my use of eccentric and non standard abbreviations. Should the same evildoer swipe my spiffy new iPad, they would get 10 tries to guess my device passcode, after which all data on the device would be erased. Now, the passcode is only a 4 digit number, but the odds are that it would take more than 10 guesses for our evildoer to come up with the code.
Add the cloud, in the form of Evernote and other such services, and the issue gets a bit more complicated. Evernote has a great iPad app which allows you to take written and audio notes on the iPad, attach files to those notes and sync them with servers somewhere in the cloud. I love Evernote for personal stuff – it allows me to access notes from multiple devices and serves as an upgrade to my meatware memory. Of course, as a security professional, I know better than to save anything work related in my Evernote account. The web based Evernote client means that our hypothetical evildoer could access all of my notes (and search for the good stuff) if they could guess my password. I am not so sure that all of my colleagues would make the same risk/benefit calculation that I have.
So, as a paper notebook replacement, iPad seems to provide a reasonably secure place to take and keep personal notes if it is properly configured with a reasonable passcode and data erasure feature. It is important to understand that the protection provided by this configuration is not absolute… a variety of tools exist for the iPhone/iPad platform to extract data from these devices sans passcode, so a determined attacker will be able to get at your notes. My plan for the iPad as a notebook replacement?
- Configure a passcode and data delete policy as well as auto locking of the device.
- Using the device only for notes that I would be comfortable having written in my old Moleskine.
- Being aware that the security of notes in the cloud is outside of my control and not entrusting corporate info to cloud services.
Next step… how to communicate this use case to business people whose main focus is doing business… I feel another blog entry coming on here… but my next iPad piece will focus on another aspect of the device – as a way to carry around (and share) content. Stay tuned.