As far as most enterprise security officers are concerned, corporate data must be stored on company managed or controlled systems, e.g. the internal network. That’s the most basic interpretation of most policies. The definition of “systems” has widened recently to extend trust to the likes of Salesforce, Office 365 or Google Apps. Indeed, each of those services has had to jump through extensive hoops at the behest of corporate security and legal officers to ensure its environment is suitable, approved and ‘proper’.
iCloud is something else. From the rather anecdotal conversations I’ve had with a few “CSOs”, iCloud is a substantial threat on quite a few points:
1) Corporate data is now likely to find its way quickly to iCloud — and remain there — through the use of all manner of apps (not least the iWork suite).
2) In most cases, the storage of data on iCloud is likely to be handled seamlessly, meaning the employee may well be unaware the data is being stored away from their device.
3) To make matters worse, the company doesn’t actually have access to its data stored on iCloud. No. The data has to be accessed through the employee’s own, independently held iCloud account.
4) When the employee leaves, they take their iCloud credentials and all their data with them.
5) Policing the use of iCloud is likely to be a substantial challenge. I’m sure there will be options available to switch this off as a policy, but I wonder how easy or widespread this will be.
6) It’s not as if iCloud is highly secure — the data is accessible with just an email and a password. In many cases, the employee’s 7-year-old is likely to know the access credentials — the same ones they use to buy level upgrades on Angry Birds.
7) There’s no visibility for the enterprise — it might have 5 employees each unknowingly storing the entire company customer record on iCloud. The enterprise can’t track or manage this.
The boundaries between enterprise and personal are seriously blurred with iCloud. I find this highly exciting as it forces a response. Indeed, I’m not sure if a ‘kill it’ or ‘switch off iCloud’ mandate will be good enough — or be acceptable. I imagine that as apps and services develop they’re likely to want to depend more and more on the likes of iCloud. Reversing the dependence on iPad/iPhone as a result will be quite a challenge.
What’s the way ahead? Well, I wonder how long enterprise will continue to tolerate ‘consumerisation’. I think it’s been fine up ’til now, with the odd exception. But can you really approve and allow your Chairman to (perhaps unwittingly) store draft acquisition papers or similar market-moving data on his personal iCloud account?
As iCloud becomes even more integrated into the experience (think iOS 6 or iOS 7), will it be possible to explain to the Chairman that he has to give back his 4th generation iPad and stop using it?
Or will we see a radical adjustment to the current definitions and approaches we have surrounding enterprise security?
We just need one CEO to lose his iPad — well, actually — we just need someone to successfully crack the CEO’s ultra simple “david1978” password and log on to the CEO’s iCloud account to gain access to a crazy amount of data. One big meaningful headline and there will be pandemonium.
Can you imagine the social engineering involved in cracking the Coke CEO’s iCloud account? I’d imagine all you have to do is turn up at home to help fix the HiFi. Ask his wife for the iTunes password to check the sync is working (or some sort of nonsense) and boom, you’re in.
I’m particularly interested in whether I could theoretically ‘clone’ a device, given someone’s iCloud credentials, by performing a restore.
In terms of the way forward, do you think we’re about to enter a more enlightened period where we extend trust and responsibility to employees (especially with the buy-your-own trend)? Or do you expect enterprises to get even more obsessive about their data control and management policies?
If so, where do we go with the consumerisation of IT trend?