Computerworld

Beware of the iCloud

iCloud raises serious questions: what does Apple plan to do to deliver a secure experience? What do businesses need to do to protect sensitive corporate data?

iCloud, Apple's new cloud storage service, which officially launches this week, is an iPad/iPhone lover's dream and an IT security professional's nightmare.

Apple's breathless marketing pitch says it all: "iCloud stores your music, photos, apps, calendars, documents and more. And wirelessly pushes them to all your devices - automatically. It's the easiest way to manage your content. Because you don't have to."

At first blush, iCloud, which will be free with iOS 5, sounds great. All services previously available under Apple's MobileMe system will be moved over, including contacts, calendar, and email. All apps and ebooks will be instantly available on up to 10 linked devices. Users will get 5GB of free storage - but content purchased from Apple doesn't count toward this total. For an extra fee, users can buy additional storage. There's also the iTunes Match service, which makes personal music collections, including music not purchased through iTunes, available through the cloud.

There are other vendors offering cloud-based storage - DropBox, Box.net, and Mozy, among dozens of others. But the only competitor to offer close to the range of functionality offered by Apple is Amazon, with its Cloud Drive product.

Like iCloud, Amazon Cloud Drive offers 5GB of free storage, and unlimited free storage for all digital content purchased through Amazon. Additional storage is less expensive with Amazon - $20 for an additional 20GB, while Apple's preliminary release indicates $40 per year for an additional 20GB.

But the big difference between Apple iCloud and Amazon - and all other online backup systems - is that iCloud's functionality will be very tightly integrated with both Apple devices and third-party applications. For example, app developers could use the iCloud to store data such as high scores and in-game credits, without having to set up their own Web services. Users would be automatically signed in the minute they opened the app - no need to create new user accounts for each game or application.

Similarly, users will no longer need to connect their iPhones or iPads to a computer to do a backup of the device. Instead, synching will happen automatically, wirelessly, and in the background.

With Apple iCloud, it's a one-stop-shop, says Brian Greenberg, CEO of storage vendor General Systems Dynamics. "Other cloud platforms have some of the services that iCloud will have, but not everything... Though we're used to using multiple services for different products, having to log into different sites for all these services can complicate life."

One company already planning to take advantage of the new features is Munich-based Algoriddim, which makes consumer audio software.

"We have the Djay app on the Mac, iPhone and iPad, with slightly different features and price points," says Frederik Seiffert, the company's head of product development. "What we plan to do is give the user a seamless experience when they use our app on different platforms. Some users might use the iPhone version to try out mixing some songs while they're on the bus. Later on, when they're at home or in the club and DJ'ing live, our Mac or iPad version would have those markers, those cue points, automatically synched."

The users won't need to set up a new user account when they first use the app, and Algoriddim won't need to set up its own Web-based synching functionality, he says, benefitting everyone involved.

"It's a natural progression for Apple and validates where technology is going in general these days," says Ed Laczynski, vice president of cloud strategy for Datapipe, a Jersey City, N.J.-based IT and cloud services provider. "I have some of the beta stuff from them, playing around with the SDK [software development kit], and it's finally going to untether the iPhone from the computer."

Datapipe uses iPads as presentation devices in its conference rooms, loading them up with marketing materials and supplementary documents.

"This cloud capability will make it even easier for us to deploy [an iPad]," he says. "We can sync it up without having to physically connect it to the computer."

The enterprise nightmare scenario

Then there's this scenario. You're at your office Mac, working on a sensitive company document. Now, there's a copy of the document automatically pushed to your iPad, which a family member borrowed and took to Starbucks. There's a copy on your home MacBook, which your teenager is using. Oh, and there's a copy on your iPhone, which you just left in a cab.

iCloud raises serious questions in terms of what Apple plans to do to deliver a secure experience, and what enterprises need to do to protect sensitive corporate data.

"How does this use public key encryption for security?" asked Laczynski. "What is the data retention policy? And there are privacy and service concerns - basically, who has control of my data?"

He adds, "I don't think Apple is going to come out on day one with a product that's compliant with every regime out there." Apple spokeswoman Trudy Miller declined to provide any information about whether any enterprise-friendly security or management features would be part of the Apple rollout.

The lack of information is hurting enterprise-focused developers, as well. "We're in the developer program, and they haven't shared anything with us, either," says Jim Prothe, senior marketing manager at cloud consulting firm Model Metrics. "Unfortunately, Apple has not been as forthcoming about iCloud security as it has been for previous issues of iOS. I haven't seen any resources made available yet for iOS 5 and iCloud."

One anonymous source close to Apple did offer the following: "There are plans to have some enterprise-level management features at some point in the future." But the source declined to provide any specifics. "Being who they are, I'm sure their cloud service will follow every security standard and even more, it's part of what they do."

Getting proactive

Model Metrics' Prothe recommends that companies review their mobile device policies, and find out how many iOS devices are being used for business purposes.

If the devices are owned by the company, employees can be required to use strong passwords that expire regularly, implement remote wipe for lost devices, and encrypt data stored on the device.

"If it's an enterprise [owned] device, with enterprise deployment, then you can enforce such a policy pretty easily," he says.

Some companies also allow employees to buy their own devices and bring them to work, however.

"If it's a personal device, it's up to IT to limit how much access the device has to network resources," Prothe says.

For example, if employees are allowed to access company documents via iOS-based productivity applications, iCloud's synching could put copies of the documents on the employee's other devices, as well as in the iCloud itself. "If they don't put security controls in place, that could be a problem," he says.

Companies that are under particular constraints are likely to already have security controls in place.

"Banks are not going to let you bring in any old device and hook it into the banking network," says Bart Narter, senior vice president of the banking group at Celent, a research firm.

Instead, banks would issue separate, business-only mobile devices, he says.

Automatic synching and backups also pose another potential problem for enterprises - a spike in usage of the corporate wireless networks.

"The iPhones and iPads automatically downloading music and videos can clog up bandwidth," says Winston Damarillo, CEO of Morphlabs, which helps companies deploy cloud-based applications.

Third-party solutions

However, there is help for companies that have user-owned devices in the enterprise. A number of vendors offer tools that can help isolate company information on these devices, remote wipe just the company data when employees leave, and ensure that the information stays safe and secure.

For example, Morphlabs itself is an all-Mac company where iOS devices are common. "Part of our policy for data retention and security is to require people never to synch up their data to iDisk or iCloud or DropBox," Damarillo says. "They can only synch up via Box.net, which I can manage centrally. iCloud is great, and we say, put all your non-enterprise personal content on the iCloud, but if you use documents that belong to the enterprise for work purposes, it goes through Box.net."

Damarillo himself uses both. His personal e-books are synched to the iCloud, and everything he uses for work goes on Box.net. "I wouldn't advise any company to use iCloud for enterprise content," he says. "It's not designed for that. There's no controls for it."

Meanwhile, Box.net is getting ready to improve security further. "iCloud doesn't have access to the data stored in our Box app on iOS," says Box.net co-founder and CEO Aaron Levie. "We will also be working with mobile device management vendors to ensure security policies are consistent between the enterprise and the Box app, as well as offering services in the Box Enterprise edition to ensure end-to-end management of content on any mobile device."

Dayvia Nelson, marketing manager at Cloudworks, a provider of virtual desktop software, is an iCloud fan. "I started out as a MobileMe customer, and it had become a little difficult to constantly sync information from the iPhone to the laptop," she says. "And with the iPad, it's even more cumbersome having to plug it in and having it sync. Now it happens automatically, and pushes automatically to the other devices."

But when it comes to business apps, Nelson uses her own company's tools to access corporate documents via a virtual desktop. She can use QuickBooks, Microsoft Office, PowerPoint, and Excel, and the data is kept in the Cloudworks cloud, logically segregated from other companies' data. Cloudworks has enterprise-grade security - including SAS 70, PCI and Sarbanes-Oxley compliance. One customer uses it for medical documents that require HIPAA compliance, she adds, and the data center has gone through that audit process as well.

Corporate data or documents are never stored on the mobile device, she says. "All the information is stored in our environment. If a person is terminated, they disable the account."

As a result, when her iPhone or iPad is backed up to the iCloud, only personal files are touched.

Other vendors that provide security and management for iOS devices include MobileIron, RhoLogic, Good Technology and BoxTone.