Few corporations are likely to ban iPods in the workplace, but whether Apple and other manufacturers of MP3 players shoulder some responsibility to add security to their devices – and how effective that security would be – is a growing debate.
Apple didn't return multiple inquiries asking about its stance on iPod security, but plenty of others are talking about what the company should or should not do to prevent its widely popular music player from being used as a data-transfer device for stealing sensitive corporate information. While this unintended use of the iPod is not exclusive to Apple's device – employees with malicious intent could steal data using any MP3 player, or any removable media for that matter – Apple has sold more than 100 million iPods, making it the obvious choice.
"My initial reaction was that Apple should have as much responsibility as SanDisk has for securing its USB thumb drives," says Kurt Tappe, Apple certified engineer with JP Morgan Chase, in an e-mail. "But then I remembered that iPods do not come out of their shipping containers with the ability to be used as data drives. The user must explicitly turn that function on in iTunes. To that end, it seems to me that Apple has already gone one step beyond other drive manufacturers."
An extensive search of the iPod and iTunes sections of Apple's Web site turned up no information about setting the devices for data transfer, but also did not warn against the potential for misuse when iPods are set as such.
Others say Apple may not be responsible for securing its device beyond the basic lock function that it comes with, but offering such features couldn't hurt. This could become particularly important as corporate IT departments begin to consider purchasing other Apple products, such as Mac desktops and servers , in helping Apple build confidence among security-conscious enterprises.
"I wouldn't put this responsibility on [Apple] as mandatory; I would prefer to see Apple offer it as an add-on feature and let the market dictate its usefulness," wrote Louis Tinto, risk manager and director of technology risk assessment with a large financial-services company, in an e-mail. He stresses that educating employees about corporate policies regarding use of such devices and having workers regularly attest to their understanding of such policies is the best first step to take in protecting against data theft via iPods.
Another important consideration for Apple is that some enterprises are beginning to use iPods as corporate devices and will want to integrate them into their security plans, so offering such protection could become a make-or-break issue for selling into these accounts.
According to a press release issued by NextSentry, which makes desktop software that prevents unauthorized copying of data to removable media and which issued the warning of iPods in the workplace, these devices have been purchased by the thousands by manufacturing companies, financial-services firms and healthcare suppliers as a means to train, educate and inform their employees.
While he believes Apple shouldn't be held responsible for how an iPod is used, one analyst says security should be an element of these types of devices.
"Smart, portable devices need protection from malware and misuse just as much as workstations, particularly as they are trusted to perform critical work-related functions," says Trent Henry, a senior Burton Group analyst, in an e-mail exchange. "Even the iPod can hold contacts as part of the operating system features. That's sensitive data that needs protection."
Still others say it's not Apple's place to provide enterprise-level security with a consumer device. Given the product's popularity in its current unsecured state, the company may not need to.
"There's no way Apple can anticipate the specific security needs of every Fortune 1000 company out there," says Tom Bennett, vice president of marketing with Oakley Networks, makers of data-leak prevention technology.
"I don't believe it is Apple's responsibility to ensure iPods are used for good any more than I believe it is Honda's responsibility to ensure a Civic is never used as a getaway car," agrees Brent Smithurst, vice president of technical operations with Faronics, which makes endpoint-security software for Macs to prevent unauthorized data transfer to devices. Smithurst wrote about the issue in a Blog posting Wednesday. "In both cases, the product is only a means of potentially enabling a type of behavior, but is not intended to encourage that behaviour."