Evaluate Weigh the pros and cons of technologies, products and projects you are considering.

Is iCloud authentication secure enough for enterprises?

ICloud authentication was called into question after the hack of celebrity photos, so is it secure enough for enterprises? Expert Dave Shackleford explains.

Following the celebrity photo iCloud hack in August of 2014, Apple made some changes to its security systems and...

policies, including sending an email alert to users when their account is logged into. Unfortunately, there are flaws in this plan that may still allow attackers to access accounts without alerting users.

This tip examines the state of iCloud authentication, focusing on the key aspects of iCloud security that enterprises need to know. Are there ways in which its use can be condoned or at least tolerated in enterprise settings, or not? Are there ways to augment it with additional controls? This tip will also provide some guidance to enterprises on how to apply both technology and policy to reduce the risk of iCloud-related data loss.

ICloud security in the enterprise

Is iCloud really suitable for enterprises? Some organizations will prefer using more manageable services with enterprise security and monitoring features like Box.com or Google Drive, but there are many IT organizations allowing iCloud as part of BYOD initiatives. Apple is working to make iCloud more palatable to enterprises with iCloud Drive and Mail Drop, which can automatically sync large email attachments to iCloud drives.

There is no simple way for organizations to control individual user iCloud accounts.

The obvious next question: can it be properly secured? The good news is that Apple has added a number of security controls to strengthen iCloud accounts after the celebrity photo hack. Mail and notes are not encrypted within iCloud, but most other data is, including iCloud Drive and iCloud Backup data, calendars, contacts, bookmarks, photos and documents. All connectivity to iCloud also uses SSL for secure connectivity and transmission of data.

Apple has long required reasonably strong passwords for its iCloud services. All Apple ID access to iCloud requires a minimum of 8 characters, with complexity that includes an uppercase letter, a lowercase letter and a number. This isn't ideal, but it meets many current corporate password policies.

Additional security measures from Apple

The two biggest changes that Apple has made to enhance iCloud account security are alerts that are sent to users when certain login actions occur or when changes to account settings are made, and two-factor authentication for access to iCloud accounts. The alerting option requires users to verify their identity using a "known" device before they are allowed to make changes to their account information at My Apple ID, sign in to iCloud on a new device or at iCloud.com, or make an iTunes, iBooks or App Store purchase from a new device. The two-factor authentication addition can be enabled in the device's settings and is most often implemented with a PIN code sent via SMS to a mobile device. Alerts are sent to the primary account email when a login action is completed or changes are made to the account. There is a slight delay for these emails, and some hackers have argued that a compromised account could quickly be configured to send emails from Apple to a spam folder and prevent user detection.

How to reduce the security risk

Without the two-step verification, attackers could still easily brute force iCloud authentication, leading to the argument that Apple's security measures are still inadequate. How can organizations augment Apple's built-in controls? The only types of controls security teams could use to augment iCloud security are mobile device management (MDM) controls that enact iCloud use policy, and enforce local data protection and authentication options that supersede those of iCloud. There is no simple way for organizations to control individual user iCloud accounts, but setting a new policy that explains acceptable and prohibited use of cloud services, including iCloud, is a good start. Additional tools like traditional proxies and content filters, as well as more specialized options like Skyhigh Networks' content monitoring, can help detect and control use of iCloud services from wired and wireless corporate networks, although mobile networks will still be functional for users.

Conclusion

Compared to most enterprise storage options, iCloud has relatively immature security options available. For the most part, organizations will be better served with more secure options, but the new security features from Apple make iCloud a possible option, if not ideal.

Next Steps

Apple took steps to improve iCloud two-factor authentication after celebrity photo leak.

Learn how to determine data value to reduce the damage of cloud breaches.

This was last published in January 2015

Dig Deeper on Cloud Data Storage, Encryption and Data Protection Best Practices

PRO+

Content

Find more PRO+ content and other member only offers, here.

Join the conversation

1 comment

Send me notifications when other members comment.

By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy

Please create a username to comment.

iCloud is secure. People are not. How much more simple can you get? This goes back to a piece I wrote at the time that said the weak link in any hack like this is the human. Did these folks post photos online? Did they have secure passwords? Yes and no, respectively. With that, data (photos or otherwise) are going to find their way into the hands of folks to whom they don't belong. If it were a supermarket shopping app that was hacked and people lost their shopping lists, would it be such a big deal? But I bet that stuff is no more secure than the photos in a badly passworded iCloud account.
Cancel

-ADS BY GOOGLE

SearchSecurity

SearchCloudComputing

SearchAWS

SearchCloudApplications

SearchServerVirtualization

SearchVMware

ComputerWeekly.com

Close