iCloud Celebrity Photo Leak Not a General Threat to the Cloud

NEWS ANALYSIS: The good news is that technically Apple's iCloud did not suffer a full-scale system breach, but Apple did need to fix its password security after a celebrity photo leak.

iCloud Leak 2

The sensationalized leak of embarrassing photos of movie stars and models that was being called a breach of Apple's iCloud service wasn't really a breach in the technical sense.

Nothing that happened at Apple makes the cloud any more or less secure than it was already, which in the case of enterprise cloud services is actually pretty secure. But it does point out some vulnerabilities common to consumer cloud services.

Perhaps more important, the leak of those photos illustrates clearly why no one should be allowed to store sensitive business information on a consumer cloud site. This includes protected information such as health care data, credit card numbers or personally identifiable information such as Social Security numbers. So if your employees are stashing customer details on nearly any public cloud site, they should stop.

The reason these sites aren't safe enough for business-critical data is that it's too easy to break in. Nearly all of these sites require a user name in the form of an email address and a password.

There's no provision for two-factor authentication on most sites, for example, so if someone can guess your password, he's in. Unfortunately, because email addresses are by nature public, they provide very limited protection at best.

In the case of iCloud, this meant that anyone wanting to break into an iCloud account needed only to guess right. In fact, iCloud made this easy by having no limit to the number of times you could be wrong, so an easily obtained password-guessing program is all it would take.

A few minutes of repeated tries would allow an intruder to break into an iCloud user's account to gain access to the details of their lives (or at least the details they had on their iPhone, which could be a lot).

A few days after the ruckus, Apple fixed the login process for iCloud, so now you get five tries at your password before you're locked out. This will make password guessing a lot harder, but iCloud still uses your email address as its user name, and for many people, that's no secret.

Fortunately, things are better in the enterprise. "When you look at public online file sharing, there's a lot of risk," explained Verizon's managing director of security solutions engineering, Fawaz Rasheed. "The enterprise cloud has certain controls and design considerations to make sure that the data that resides there and that's transferred back and forth is secure."

Rasheed said that authentication in most enterprise cloud facilities is more secure because, among other things, it includes two-factor authentication.

Wayne Rash

Wayne Rash

Wayne Rash is a freelance writer and editor with a 35 year history covering technology. He’s a frequent speaker on business, technology issues and enterprise computing. He covers Washington and...