The sensationalized leak of embarrassing photos of movie stars and models that was being called a breach of Apple’s iCloud service wasn’t really a breach in the technical sense.
Nothing that happened at Apple makes the cloud any more or less secure than it was already, which in the case of enterprise cloud services is actually pretty secure. But it does point out some vulnerabilities common to consumer cloud services.
Perhaps more important, the leak of those photos illustrates clearly why no one should be allowed to store sensitive business information on a consumer cloud site. This includes protected information such as health care data, credit card numbers or personally identifiable information such as Social Security numbers. So if your employees are stashing customer details on nearly any public cloud site, they should stop.
The reason these sites aren’t safe enough for business-critical data is that it’s too easy to break in. Nearly all of these sites require a user name in the form of an email address and a password.
There’s no provision for two-factor authentication on most sites, for example, so if someone can guess your password, he’s in. Unfortunately, because email addresses are by nature public, they provide very limited protection at best.
In the case of iCloud, this meant that anyone wanting to break into an iCloud account needed only to guess right. In fact, iCloud made this easy by having no limit to the number of times you could be wrong, so an easily obtained password-guessing program is all it would take.
A few minutes of repeated tries would allow an intruder to break into an iCloud user’s account to gain access to the details of their lives (or at least the details they had on their iPhone, which could be a lot).
A few days after the ruckus, Apple fixed the login process for iCloud, so now you get five tries at your password before you’re locked out. This will make password guessing a lot harder, but iCloud still uses your email address as its user name, and for many people, that’s no secret.
Fortunately, things are better in the enterprise. “When you look at public online file sharing, there’s a lot of risk,” explained Verizon’s managing director of security solutions engineering, Fawaz Rasheed. “The enterprise cloud has certain controls and design considerations to make sure that the data that resides there and that’s transferred back and forth is secure.”
Rasheed said that authentication in most enterprise cloud facilities is more secure because, among other things, it includes two-factor authentication.
iCloud Celebrity Photo Leak Not a General Security Threat to Cloud
He said it’s also necessary to encrypt the data both while it’s being transmitted and received to and from the cloud and while it resides there.
“Enterprise cloud services include asset control and identification,” Rasheed said, explaining that such services have strong oversight and that security is contained in a number of layers, including both data security and physical security. It’s critical that the entire cloud management infrastructure is secure, from the management consoles to the data and applications, he said.
Rasheed also noted that it’s important to make sure that your enterprise cloud provider meets federal standards, which includes requirements for auditing, access control, and physical and data security.
While meeting federal cloud standards doesn’t mean that a cloud service is impervious, it does mean that it’s unlikely anyone can penetrate the security without specialized knowledge and if someone does manage to get in it’s more likely the breach will be discovered immediately.
Of course, the very fact that data is located outside of the confines of your data center does add some risk. Part of the reason the cloud is so useful is because it can be accessed from anywhere, but that also means that, given the right expertise and resources, a breach remains technically possible. But as long as the risk is kept manageable, then the usefulness of the cloud offsets the risk.
Fortunately, you can manage the risk even in consumer-level cloud services. You can, for example, use an email address for your user name that isn’t public and that exists only for that purpose. Then, as long as the only person who knows it is you, it’s more secure.
You can also create two-factor authentication for your Apple ID, which will keep people from locking you out of your account. It will also keep anyone but you from making purchases using your Apple ID, and it may restrict access to your iCloud account, at least according to the tech support people at Apple. (Go to appleid.apple.com, sign in and follow the prompts to set up two-factor identification.)
But the real problem with any such cloud site, whether it’s created by Apple or another company, is that users tend to want convenience over security. This means that they have their phones set up so that all photos are copied to the cloud automatically, as are all emails and documents. Even text messages can be saved to the cloud automatically. When that happens and at the same time you don’t secure your data, it should be no surprise that someone eventually finds their way in.
Editor’s Note: This article was updated to correct the spelling of the name of Fawaz Rasheed, Verizon’s managing director of security solutions engineering.