6 Sep 2011
iCloud’s Shadow on Security
Apple’s (Nasdaq: AAPL) announcement of its upcoming iCloud service has sparked a flurry of excitement in the industry.
Some analysts expect the iCloud will help Apple keep customers closer to its bosom — make them “stickier,” in analystspeak. Others think the iCloud will give a boost to cloud computing.
The iCloud will automate the backup and storage of data — music, photos and what-have-you — and make it easy to set up new iDevices because everything on a user’s old iDevice will be in the iCloud, and setting up the new one will simply be a matter of downloading that information.
iCloud will also automatically update all a user’s content and information, including documents created, and sync them across the user’s devices.
All of this sounds great for users, but its security implications are still uncertain.
With the increasing consumerization of the enterprise, iCloud has also raised questions regarding corporate security. As executives and workers use their iPads and iPhones in their daily work, is there a risk of corporate documents being accidentally exposed to outside eyes when devices are automatically synced on the iCloud?
Apple did not respond to requests for comment by press time.
Insecurity and the Cloud
“The advent of the cloud changes the focus of security onto the atomic components of individual machines and the data itself,” Al Maslowski-Yerges, director of consulting services at En Pointe Technologies, told MacNewsWorld.
“Depending on the trust application for applications that use iCloud, it has the potential to raise the risk level significantly,” Maslowski-Yerges said. “Without ways of securing data and the end points, it will be very hard to secure iCloud or any other similar service.”
Apple’s iCloud will accelerate the process of cloud services pouring into the corporate environment, Geoff Webb, product marketing director at Credant Technologies, told MacNewsWorld.
Hackers can launch attacks through any method of placing content, such as email, browsers, USB drives and removable media on an end user device, Maslowski-Yerges remarked.
The iCloud’s automated sync and backup features will “probably be very attractive to attackers,” Maslowski-Yerges concluded.
However, Gunter Ollmann, Damballa’s vice president of research, contends that iCloud is currently unattractive to attackers because it’s “essentially an online file storage system and access authorization service” that doesn’t appear to allow anonymous access.
It’s more likely that attackers will attempt to use iCloud to propagate malware among multiple devices belonging to a victim and “as a technique of remaining a persistent threat,” Ollman said.
“I’m more worried about two other areas,” Credant’s Webb said. “One is the increasing risk of sensitive information leaking out of the business via iCloud and the second is the possibility of iCloud itself becoming a target.”
The Danger of Devices
Apple’s iTunes store was reportedly hacked recently, and victims’ accounts were bilked for payments for Sega’s “Kingdom Conquest” game. Sega denied responsibility, stating the game would only be charged to a victim’s iTunes account if someone installed the app, logged into the victim’s account with valid credentials, then made a purchase.
Perhaps the crooks simply guessed the passwords on victims’ iDevices. iOS app developer Daniel Amitay found that 15 percent of iPhone owners used one of 10 four-digit numbers. These included “1234″ (a sequence often preprogrammed into devices at the factory) “0000,” “1111″ and “2222.”
Two other favorites were “0852″ and “2580,” both of which consist of selecting keys in one column of the iPhone’s keypad.
A Transformational Model
By its very nature, the iCloud could constitute another threat to enterprise security.
The iCloud changes the threat model from a distributed one, in which hackers have to target individual users or companies, to a centralized model, Andrew Storms, director of security operations for nCircle, told MacNewsWorld.
In a centralized model, all hackers need to do is focus their efforts on breaking into a hub — in this case, iCloud — in the hope of gaining access to data on millions of customers, Storms explained.
The chances of such an attack succeeding are high because iCloud is a free service, Storms contended. As such, it’s reasonable to assume that almost every Apple user will take advantage of the iCloud, he said.
However, the real issue is Apple’s lack of transparency around their security methodologies, Storms remarked.
“That means every iCloud and potential iCloud user is left to guessing about how safe their data will be,” Storms explained.
“Enterprise security teams, in particular, do not want to guess,” Storms said. “They want solid information so they can build it into the risk models they use to protect the business.”
Content Consumption Can Hurt
The management and control of confidential data and intellectual property are among the most difficult aspects of enterprise IT security, Storms said.
The iCloud’s autosyncing feature may possibly expose sensitive corporate information to unauthorized people.
“With iCloud being free and very easy to use, every iPhone and iPad user in your company will very probably be syncing their devices to the iCloud, and Apple hasn’t provided any tools the enterprise can use to control what kind of data can be stored in the iCloud,” Storms pointed out.
“The biggest worry has got to be around the document sync feature,” Credant’s Webb remarked.
“Businesses should be asking how this will affect their ability to lock down sensitive data,” Webb said. “They should also be very worried about compliance reporting.”