Apple security not ready for enterprise prime-time

Guest editorial by Andrew Storms

Last week Apple proved that they are not ready for prime-time enterprise relationships.

Apple has tried to position the iPhone as enterprise-ready, but this last round of software updates demonstrated beyond a shadow of a doubt how far they have to go to understand the enterprise mentality.

On September 9th, Apple released fixes for some 20 security vulnerabilities, including updates to QuickTime, iTunes and other software. On September 12th, Apple released iPhone software version 2.1, which was intended to close 8 security holes and repair 3G connection problems. On September 15th, Apple released updates to Mac OS X that included fixes for nearly 70 security problems. On September 16th, Apple released updates to Remote Desktop, again fixing more security problems.

[ SEE: Apple plugs iPhone code execution holes ]

In the space of eight days, Apple released updates to every one of its major platforms and applications. Those updates included over 100 security fixes spanning Mac OS X, Windows Vista, Windows XP, the iPhone and the iPod Touch. So how did that affect enterprise security teams?

On September 9th, security teams met, reviewed the updates, set priorities and assigned resources. Remember that, unlike other vendors, Apple did not provide any advance notification of the timing or the magnitude of the updates. This update caught everyone off guard. Then, again without notice, security teams were brought back to the meeting room to discuss the updates on September 12th (repeat the drill above). Then, yes, you guessed it, the same story again on September 15th and again on the 16th. Who knows, maybe by the time this is published there will be another update?

Every IT staff is already resource-constrained, and some teams are in permanent firefighting mode. If your security team thought it was almost caught up with the Apple updates already issued this year, last week set you back significantly and probably pushed other, potentially critical, scheduled work into a wait state.

[ SEE: iPhone passcode lock rendered useless ]

Mind you, last week's updates didn't stop at OS X. Even if you run a Windows shop that permits QuickTime or iTunes, you couldn't ignore this torrent of updates. The impact of this unpredictable update cycle from Apple may be serious enough that some companies decide to limit or stop using Apple hardware or software entirely. After last week, IT teams run ragged by the deluge of unannounced patches are wishing they could make the policy decision to get all Apple software off the network. With this kind of uncertainty and apparent lack of planning, who can blame them?

Apple had an opportunity to embrace the enterprise by showing leadership in its software development lifecycle. And while we would never expect Apple to follow in Microsoft's footsteps, they could have learned what works and what doesn't in the enterprise, and then, in their own Apple way, taken it to the next level. I think that's what many Mac fans in the IT department were hoping for. Too bad we had such a big letdown last week.

[ SEE: Apple plugs gaping QuickTime security holes ]

We'd like to see Apple embrace public discourse regarding security updates. We respectfully suggest that Apple sit down with enterprise managers, listen, and then take what they hear and build a process that doesn't leave IT teams staggering.

Instead of wasting the valuable time and resources of their target customers, Apple could take the opportunity to perform the way they have in other markets. This assumes that Apple can apply the creative, customer-focused energy that has made them a powerhouse in the consumer market and put some of that effort into collaborative partnerships.

[ SEE: Apple mega-patch covers 34 Mac OS X security issues ]

We'd love to see Apple step up and change the game in the software development lifecycle, or at least learn to play the game with the best of them. Apple, we're rooting for you, but it's gonna take a whole lot more than you've shown us so far. And we have to tell ya, hip and cool can only take you so far in the enterprise.

* Andrew Storms is director of security operations at nCircle, where he is responsible for setting and enforcing the company’s security compliance programs as well as overseeing day-to-day operations for the IT department. His writing can be found on nCircle’s 360 Security blog.

* Image source: charliekwalker’s Flickr photostream (Creative Commons 2.0)

[Source: zdnet]