The Apple iPad is on it’s way and thanks primarily to the iPhone revolution – it is guaranteed to break out of its consumer-oriented market and start showing up at work for many business.  “Resistance is futile,” a quote from Star Trek: The Next Generation comes to mind when thinking about the outcome of Apple’s device. Your business data will be assimilated, it is inevitable.

Despite the fact that Apple’s main target for the tablet is for a consumer-oriented device built for media consumption, emerging polls suggest that the leading reason that consumers want the iPad is specifically for work, with media consumption and game playing not far behind. Why not though? Notebook computers are heavy and unwieldy by comparison. The iPad is perfectly capable of performing most business tasks that roaming workers need it to, and it can do it on a device that is intuitive and instant-on. The device delivers a multitouch interface with 10 hours of battery life on a device that is even functional one-handed.

Andrew Storms, Director of Security Operations for nCircle, shared his thoughts on the iPad in the enterprise. “The biggest question I have about the iPad concerns is how it will be used. Either people will use it as a laptop replacement or they will use it as a supplementary tool in a few specific situations.” Storms clarified his concerns “This has everything to do with what kind of data ends up on the device and that’s the real concern for enterprise security. How enterprises treat the iPad from a policy perspective depends completely on what kind of data is on the device.”

Business and IT administrators have a good reason to be concerned as well. At the CanSecWest conference in Vancouver this week, a pair of security researchers were able to compromise a fully-updated iPhone 3GS in a matter of seconds, accessing the data contained on the hacked iPhone. The iPad is built on the same iPhone OS that was hacked. Bradley Anstis, vice president of technical strategy for M86 Security, agrees that there are some serious questions to be answered about protecting confidential or sensitive company data on a device like the iPad. Anstis commented to warn “It has a cool factor so expect senior executives to force it on IT to support this new device, or simply start using them in their corporate infrastructures.” Anstis recommends that IT admins consider the possible ramifications of the iPad and how to protect data that is on it. Businesses should define acceptable use for Web browsing with the device. Anstis explains “If the iPad is using the corporate Wi-Fi to access the Web, then this should be controlled by company’s current Web security technology, but what about Web surfing via the iPad’s 3G connection, that goes nowhere near the corporate infrastructure?”

By default, users with the iPads will want to sync up basic information like email, contacts, calendar events, etc. Users may also store files on the device and the company needs to determine how that information will be protected. The iPhone has presented many of the same concerns as the two devices use the same iPhone OS. The difference is that the iPhone while being a smartphone capable of much more than placing phone calls, is still too small to do much else from a practical perspective. The iPad represents a shift in how the iPhone OS will be put to use.

Whether or not Apple steps up with more business-friendly security controls for the iPad, they will almost certainly exist. The iPad is bound to be used as a business tool and companies will have to protect data, so there will have to be apps and tools that can accomplish that. M86 Security’s Anstis points one other sticky area for business use of the iPad. “If a device is supplied by the business, then you can reasonable expect that business to install security and control software on the device, but what about devices that are supplied by the employee? Also, who pays for the 3G connection? How can a company force control over 3G access in the workplace if it doesn’t pay for it?” Those are some very valid questions when it comes to protecting corporate data. Businesses have an obligation and possibly even a compliance mandate, to protect data, but they don’t have legal control over employee-owned equipment. Ensuring that data on the iPad is encrypted or otherwise protected could be an uphill battle that will need to be fought. Hopefully your company won’t end up like this: