Following the celebrity photo iCloud hack in August of 2014, Apple made some changes to its security systems and policies, including sending an email alert to users when their account is logged into. Unfortunately, there are flaws in this plan that may still allow attackers to access accounts without alerting users.
This tip examines the state of iCloud authentication, focusing on the key aspects of iCloud security that enterprises need to know. Are there ways in which its use can be condoned or at least tolerated in enterprise settings, or not? Are there ways to augment it with additional controls? This tip will also provide some guidance to enterprises on how to apply both technology and policy to reduce the risk of iCloud-related data loss.
iCloud security in the enterprise
Is iCloud really suitable for enterprises? Some organizations will prefer using more manageable services with enterprise security and monitoring features like Box.com or Google Drive, but there are many IT organizations allowing iCloud as part of BYOD initiatives. Apple is working to make iCloud more palatable to enterprises with iCloud Drive and Mail Drop, which can automatically sync large email attachments to iCloud drives.
The obvious next question: can it be properly secured? The good news is that Apple has added a number of security controls to strengthen iCloud accounts after the celebrity photo hack. Mail and notes are not encrypted within iCloud, but most other data is, including iCloud Drive and iCloud Backup data, calendars, contacts, bookmarks, photos and documents. All connections to iCloud also use SSL to protect data in transit.
Apple has long required reasonably strong passwords for its iCloud services. All Apple ID access to iCloud requires a minimum of 8 characters, with complexity that includes an uppercase letter, a lowercase letter and a number. This isn't ideal, but it meets many current corporate password policies.
Additional security measures from Apple
The two biggest changes that Apple has made to enhance iCloud account security are alerts that are sent to users when certain login actions occur or when changes to account settings are made, and two-factor authentication for access to iCloud accounts. The alerting option requires users to verify their identity using a "known" device before they are allowed to make changes to their account information at My Apple ID, sign in to iCloud on a new device or at iCloud.com, or make an iTunes, iBooks or App Store purchase from a new device. The two-factor authentication addition can be enabled in the device's settings and is most often implemented with a PIN code sent via SMS to a mobile device. Alerts are sent to the primary account email when a login action is completed or changes are made to the account. There is a slight delay for these emails, and some hackers have argued that a compromised account could quickly be configured to send emails from Apple to a spam folder and prevent user detection.
How to reduce the security risk
Without two-step verification, attackers could still easily brute-force iCloud authentication, leading to the argument that Apple's security measures are still inadequate. How can organizations augment Apple's built-in controls? The only types of controls security teams could use to augment iCloud security are mobile device management (MDM) controls that enact iCloud use policy and enforce local data protection and authentication options that supersede those of iCloud. There is no simple way for organizations to control individual user iCloud accounts, but setting a new policy that explains acceptable and prohibited use of cloud services, including iCloud, is a good start. Additional tools like traditional proxies and content filters, as well as more specialized options like Skyhigh Networks' content monitoring, can help detect and control use of iCloud services from wired and wireless corporate networks, although mobile networks will still be functional for users.
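As an added illustration of the proxy-based detection mentioned above (not code from the original article or from any vendor), the following Python sketch totals per-user upload volume to iCloud hosts from proxy logs. The log format, the sample lines, the user names and the two domain suffixes are assumptions constructed for this example; adapt them to what your own proxy records.

```python
from collections import defaultdict

# Assumption: domain suffixes used for iCloud traffic; extend from your own proxy data.
ICLOUD_SUFFIXES = ("icloud.com", "icloud-content.com")

# Constructed sample log in a hypothetical format:
# epoch user method host[:port] bytes_up bytes_down
SAMPLE_LOG = """\
1420070400 alice CONNECT p34-content.icloud.com:443 52428800 4096
1420070460 alice CONNECT www.icloud.com:443 2048 81920
1420070520 bob CONNECT www.example.org:443 1024 20480
1420070580 carol CONNECT icloud.com.login.example:443 900 1200
1420070640 carol CONNECT noticloud.com:443 700 300
1420070700 bob CONNECT cvws.icloud-content.com:443 10240 512
malformed line
"""

def is_icloud_host(hostport):
    """True only for an iCloud suffix itself or a subdomain of it."""
    host = hostport.rsplit(":", 1)[0].lower().rstrip(".")
    # Require a dot boundary so lookalike names do not match.
    return any(host == s or host.endswith("." + s) for s in ICLOUD_SUFFIXES)

def icloud_upload_by_user(log_text):
    """Sum bytes uploaded to iCloud hosts per user, skipping malformed lines."""
    totals = defaultdict(int)
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 6 or not fields[4].isdigit():
            continue
        _, user, _, hostport, bytes_up, _ = fields
        if is_icloud_host(hostport):
            totals[user] += int(bytes_up)
    return dict(totals)

def users_over_threshold(totals, limit_bytes):
    """Users whose iCloud upload volume exceeds the policy limit."""
    return sorted(u for u, n in totals.items() if n > limit_bytes)

if __name__ == "__main__":
    totals = icloud_upload_by_user(SAMPLE_LOG)
    print(totals)
    print(users_over_threshold(totals, 10 * 1024 * 1024))
```

As the article notes, this only covers traffic that crosses the corporate proxy; devices on mobile networks will not appear in these logs.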
Compared to most enterprise storage options, iCloud has relatively immature security options available. For the most part, organizations will be better served with more secure options, but the new security features from Apple make iCloud a possible option, if not ideal.