Apple security not ready for enterprise prime-time


Summary: Guest editorial by Andrew Storms. Last week Apple proved that they are not ready for prime time enterprise relationships. Apple has tried to position the iPhone as enterprise-ready, but this last round of software updates demonstrated beyond a shadow of a doubt how far they have to go to understand the enterprise mentality.

TOPICS: Apple, Security

Guest editorial by Andrew Storms

Last week Apple proved that they are not ready for prime time enterprise relationships.

Apple has tried to position the iPhone as enterprise-ready, but this last round of software updates demonstrated beyond a shadow of a doubt how far they have to go to understand the enterprise mentality.

On September 9th, Apple released fixes for some 20 security vulnerabilities, including updates to QuickTime, iTunes and other software. On September 12th, Apple released iPhone version 2.1, which was intended to fix 8 security holes and repair 3G connection problems. On September 15th, Apple released updates to OSX that include fixes for nearly 70 security problems. On September 16th, Apple released updates to Remote Desktop, again fixing more security problems.

[ SEE: Apple plugs iPhone code execution holes ]

In the space of 8 days, Apple released updates to every one of its major platforms and applications. Those updates included over 100 security updates spanning Mac OSX, Windows Vista, Windows XP, the iPhone and the iPod Touch. So how did that affect enterprise security teams?

On September 9th, security teams met, reviewed the updates, set priorities and assigned resources. Remember that unlike other vendors, Apple did not provide any advance notification on timing or the magnitude of the updates. This update caught everyone off guard. Then again, without notice, security teams were brought back to the meeting room to discuss the updates on September 12th (repeat drill above). Then yes, you guessed it, same story again on September 15th and again on the 16th. Who knows, maybe by the time this is published, there will be another update?

Every IT staff is already resource constrained and some teams always are in a passive firefighting mode. If your security team thought it was almost caught up with Apple updates already issued this year, the last week set you back significantly and probably pushed other, potentially critical, scheduled work into a wait state.

[ SEE: iPhone passcode lock rendered useless ]

Mind you, last week's updates didn't just stop at OSX. Even if you run a Windows shop that permits QuickTime or iTunes, you couldn't ignore this torrent of updates. The impact of this random update cycle from Apple may be serious enough that some companies decide to limit or stop using Apple hardware or software entirely. After last week, IT teams run ragged by the deluge of unannounced patches are wishing they could make the policy decision to get all Apple software off the network. With this kind of uncertainty and apparent lack of planning, who can blame them?

Apple had an opportunity to embrace the enterprise by showing leadership in its software development lifecycle. And while we would never expect Apple to follow in Microsoft's footsteps, they could have learned what works and what doesn't in the enterprise, and then, in their Apple way, taken it to the next level. I think that's what many Mac fans in the IT department were hoping for. Too bad we had such a big letdown last week.

[ SEE: Apple plugs gaping QuickTime security holes ]

We'd like to see Apple embrace public discourse regarding security updates. We respectfully suggest that Apple sit with enterprise managers, listen and then take the information they receive and build a process that doesn't leave IT teams staggering.

Instead of wasting the valuable time and resources of their target customers, Apple could take the opportunity to perform the way they have done in other markets. This assumes that Apple can apply the creative, customer-focused energy that has made them a powerhouse in the consumer market and put some of that effort into collaborative partnerships.

[ SEE: Apple mega-patch covers 34 Mac OS X security issues ]

We'd love to see Apple step up and change the game in software development lifecycle, or at least learn to play the game with the best of them. Apple, we're rooting for you, but it's gonna take a whole lot more than you've shown us so far. And we have to tell ya, hip and cool can only take you so far in the enterprise.

* Andrew Storms is director of security operations at nCircle, where he is responsible for setting and enforcing the company's security compliance programs as well as overseeing day-to-day operations for the IT department. His writing can be found on nCircle's 360 Security blog.

* Image source: charliekwalker's Flickr photostream (Creative Commons 2.0)


Talkback

78 comments
  • No win for anyone.

    So nobody can win no matter what track they take. Apple gets nailed by IT departments whining about how security updates are random, not on a specified schedule, and they're unable to plan.

    Microsoft gets nailed by IT departments whining about how security problems that have a solution are withheld until the scheduled patch Tuesday because they can't have it right away.

    Ya can't have it both ways, schmucks. I know that you (yes, YOU) aren't going to bend how you do your business for all your clients who whine every day about how you don't fit their exact, specific, individual need.

    In this case, I happen to agree with how Microsoft handles the situation. But everything has a trade off. You want a reliable cycle you can schedule around? Then you're gonna wait for some things. You want things right away? Then they're gonna surprise you when they show up.

    Welcome to reality where you don't control every aspect of your world.
    jaskelling
    • Right away?

      Considering Apple's 9/15 patch covered 34 vulnerabilities, I don't think they're really releasing them as soon as they're ready. Sounds to me like they're pulling a partial Microsoft by holding the updates until they have a bunch of them ready, then dumping them on us. The only real difference is we know when Microsoft's are coming. Apple's just show up at their convenience.
      3D0G
    • Well said...

      (nt)
      IT_Guy_z
    • OS X Server has an Update Server similar to WSUS...

      OS X Server has an Update Server similar to WSUS so you can
      regulate which patches are distributed. If you want to set it
      up to only pass out patches every Tuesday like Microsoft,
      then go ahead and do that.
      olePigeon
  • Let me see if I can decode this.

    If Apple chooses to act in any way
    different from Microsoft, then it
    must, by definition, be not ready for
    Enterprise? Did I get that right?

    Of Course, since many Enterprise
    companies are still refusing to use
    Microsoft Vista, Then Microsoft is
    not yet ready for Enterprise either.

    Therefore, we must conclude that
    no company is ready for Enterprise.
    Right?

    Or is it that Enterprise Pundits just
    needed something to bash Apple
    over? How dare Apple not treat
    them as the special people they are?
    UrbanBard
    • Not ready for the Enterprise?

      Vista seems to be working great in this enterprise. We don't have issues with it at all and the patch schedule is clearly defined for us. I believe that Apple is reluctant to set up a schedule like this as it would indicate that they need to update just like Windows and no one at Apple wants to admit that there is patching that needs to be done on all their products. I just think it is funny how much patching they are having to do even when their market share is still low, I'd hate to see these products on the market with a share like Windows, it would be an avalanche of updates. I think it's also funny how the iTunes 8 update had a notoriously buggy driver added to it so that the commercials they produce can have some kind of traction to them. Not a one crash on Vista since I loaded it on my notebook over 8 months ago. Wow, I'm just lucky so spare me.
      OhTheHumanity
    • More "Not ready for the enterprise"?

      "Of Course, since many Enterprise companies are still refusing to use Microsoft Vista, Then Microsoft is not yet ready for Enterprise either."

      Um, not quite.

      ...since many Enterprise companies are still refusing to use Microsoft *Vista*, Then Microsoft *Vista* is not yet ready for Enterprise either.

      Considering Windows XP and (still) Windows 2000 are in (probably) 80% of the US enterprise market, and (probably) nearly that of the world enterprise market, I'd say Microsoft is ready for the enterprise.
      MGP2
    • Plus, of course, Vista's corporate share...

      ...continues to increase.
      Sleeper Service
    • Logical Mastermind

      If that was their only product, I'd say you were right. Since Vista is not MS's only product and there is no question you know that, I'd say you're intentionally being stupid.

      I don't bash Apple because os7 didn't do TCP/IP totally right, do I? Maybe that's because OSX does it fairly well.

      There's a principle of charity to making an argument. When you assume the weakest point simply to make your argument look stronger to ignorant people (who may not actually know better) it says more to me about you than about MS or Apple.

      For the record, if Apple ever wants to be taken seriously in the Enterprise markets, they are going to have to make some concessions to the Type A personality C-level execs who CAN make a difference. The details matter if you have a shop that operates as an independent factional business or a department that may be understaffed. It really wouldn't be that big a deal for them to have even one day a week to release patches.
      Hogleg
  • Release dates are irrelevant

    As long as the vendor has a mechanism like WSUS where IT can control when the update is deployed.
    Suicida|
    • Bingo

      The release has absolutely NO effect on the current machine
      configuration throughout the company. IT simply tests the
      update in their R&D then does a phased roll-out.

      Only a stupid company lets the vendor dictate their roll-out
      times.

      Here's how a competent IT staff does it.

      Monday is our weekly OS X update meetings.

      "Any updates this week?"

      "Yeah, we had three"

      "OK, let's discuss and work the strategy."

      (strategizing occurs)

      "Great. Get to work. See you next week."

      This article is more evidence that 90% of everyone is
      incompetent.
      frgough
      • OS X Server has an Update Server...

        OS X Server has an Update Server. As an IT administrator, you
        can control which (if any) updates are pushed out, exactly
        like a WSUS server.

        Not to mention that both Altiris and LANdesk integrate with
        Apple's Update Server, so you can manage Apple updates
        even from a Windows machine.
        olePigeon
    • Which is included with OS X Server. [nt]

      [nt]
      olePigeon
  • RE: Apple security not ready for enterprise prime-time

    Here's your first mistake: "Instead of wasting the valuable
    time and resources of their target customers, Apple could
    take the opportunity to perform the way they have done in
    other markets.".

    The enterprise IS NOT a target market for Apple right now!
    It's incremental sales at this time nothing more.
    Jeffsters
  • Gosh Andrew, please tell us something we didn't already know!

    Apple software is little more than commercially made homebrew.

    Apple will always have a place in the homes of people who have no common sense, but in the enterprise?

    Please don't make me laugh.
    Scrat
    • Your Arrogance is Only Exceeded by

      your ignorance, Mr. Scrat. Clearly you were educated
      beyond your intelligence and I hope you are not in charge
      of anything important. Sorry to judge you harshly, but your
      comment is stupid. It's OK, I've been called an idiot and
      out of touch with reality just last week on here. If you say
      dumb things ya gotta expect to be shatupon.

      Mac users, you may not realize, are the same people that
      work in enterprises day in and day out. So you figure that
      these users shouldn't have the same computing experience
      at work as they do in their personal lives? And somehow
      they are too dumb to know what's good for them like you
      do. Aren't you just too precious! The guardian of common
      sense no less!

      Apple users, by demographic, tend to be anything but
      lacking common sense, or education, or salary. One may
      be your boss one day if you are lucky.


      Typical MCSE BS...thankfully your types are a dying breed.
      It's the enterprise that isn't ready. Many have been serving
      up the same old swill for so long they don't know how to
      do anything else.
      CowLauncher
      • Touch a nerve did he?

        {NT}
        Sleeper Service
    • Really...

      "Apple software is little more than commercially made
      homebrew.

      Apple will always have a place in the homes of people who
      have no common sense, but in the enterprise?

      Please don't make me laugh."

      Right. Let's ignore the tens of millions of zombie Windows
      machines out there which cost industry billions of dollars
      per year. Let's ignore the number of active Windows
      viruses (has it hit 1 million yet?). Let's ignore that you're an
      idiot if you run a Windows machine without multiple layers
      of security.

      Then, let's ignore the fact that the scariest threats on Mac
      OS X are either malware that might crash an application or
      malware which has the threat of eventually being converted
      into something damaging. Let's ignore the fact that there
      has never been a self-propagating virus for Mac OS X.

      I guess if you ignore all the facts, then maybe OS X isn't
      ready for the enterprise. But looking at the facts, that
      would be an insane conclusion.
      jragosta
      • Or, let's ignore

        that the number of active, in the wild viruses is a fraction of a fraction of the total. Let's also ignore that zombie botnet members are overwhelmingly XP RTM machines using little more than the original DevilsOwn corporate key, never patched and running AV that expired four years ago. Let's ignore that you're an idiot if you run any PC connected to a network without multiple layers of security.

        Then, let's ignore the fact that crashing an app is often the first step in exploiting it, and leaving an exploit or vulnerability unpatched for months on end would be disastrous if the marketshares were reversed.
        rtk
        • Yet..

          Microsoft (and other software houses) leave vulnerabilities unpatched for years.
          zkiwi