Businesses Can Disable iCloud But Won’t Gain Much Security In The Process


There’s no doubt that iCloud offers some great value to Mac and iOS users. It even has some potential as a business tool. Unfortunately, like many other personal cloud services, iCloud presents some major security concerns when it comes into the workplace – either on a user’s iOS device or on a business Mac or PC. Those concerns stem from the ability to sync business data to outside devices and computers as well as its capacity to archive some of that data on Apple’s iCloud servers.

Unlike most personal cloud products, which can be difficult to effectively disable in corporate or business settings, iCloud use can be restricted or blocked. That leaves IT departments with the question of whether or not iCloud access should be managed or disabled. It’s a tricky question, particularly in BYOD settings where the device belongs to a user and not the company. It’s made even trickier because the choices involved in managing iCloud are rather blunt in approach and don’t offer much in the way of fine tuning to specific needs.

There are a handful of areas where iCloud makes it easy to push business data off the network and send it to Apple’s iCloud servers, a user’s other devices or computers, or both.

  • iCloud backup – iCloud devices can automatically back up all user data to Apple’s iCloud servers. This results in complete loss of control of any business data on the device and places it in a data center where it could be visible to outsiders, including Apple itself, any contractors, or anyone with the original user’s Apple ID and password.
  • Backup to home device – The other alternative, which is worth mentioning even though it isn’t directly related to iCloud, is syncing an iOS device to a user’s home computer (wirelessly or by cable). Again, this is a copy of all business data on the device to a machine outside the network. That data may remain there even after a user leaves the company, may be stored in an unencrypted state, likely has no access control, and may never be securely erased. One option, at least for company-owned iPhones and iPads, is to require syncing to a work computer.
  • Personal data sync – iCloud offers the ability to sync personal data like contacts, calendars, bookmarks, notes and so forth. For the most part, these are major red flag concerns and can be somewhat mitigated by MDM tools that tie business source data to a user’s account, making it possible to revoke access from a managed device if a person leaves without removing personal data.
  • App data sync – iCloud allows app developers to sync general app data (configuration, user account, etc.) as well as collections of documents between multiple iOS devices. To date, Apple hasn’t tied Mac document syncing into Lion or apps like Pages, Numbers, and Keynote. That said, the basic plumbing exists in Lion and it’s only a matter of time before Apple starts using it. Depending on which apps a user works with and their sync capabilities and options, this could send large amounts of data to other iOS devices where it could be copied off the device. This can already happen with the iOS versions of the iWork apps.
  • Photostream – Photostream doesn’t have much in the way of obvious workplace potential. That said, taking a photo is a quick and easy way to capture visual data for later use (white boards, documents, schedules, and so on) as well as to scan documents with the appropriate iOS apps or apps on a home computer. That can make it a concern, but it’s in the same league with people using phones or cameras to take and send pictures from the office.

In mitigating these concerns, there are currently only three enable/disable options as part of the iOS 5 device management framework for iCloud:

  • iCloud backup
  • App data and documents
  • Photostream

None of these offer granular capabilities. Disabling iCloud backup means a user will need to back up/sync to a home or work computer and will most likely opt for a home computer if the device in question is their personal iPhone, iPad, or iPod touch. Disabling app document and data sync shuts off syncing of all apps including iWork and third-party apps, be they personal or business related. Disabling Photostream does just that – turns it off on the device.
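In a configuration profile, these three switches are the restriction keys `allowCloudBackup`, `allowCloudDocumentSync` and `allowPhotoStream` in the `com.apple.applicationaccess` payload. The following Python script is an added example, not part of the original article: it audits a profile for those keys. The sample profile and its identifier are constructed for illustration, and an absent key is treated as leaving the feature allowed.

```python
import plistlib

# The three iCloud restriction keys in the com.apple.applicationaccess payload.
# Assumption used here: an absent key leaves the feature allowed.
ICLOUD_KEYS = {
    "allowCloudBackup": "iCloud backup",
    "allowCloudDocumentSync": "App data and documents",
    "allowPhotoStream": "Photostream",
}

# Constructed sample profile (not from the article): blocks iCloud backup only.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadIdentifier</key><string>com.example.icloud-policy</string>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadType</key><string>com.apple.applicationaccess</string>
      <key>allowCloudBackup</key><false/>
      <key>allowPhotoStream</key><true/>
    </dict>
  </array>
</dict>
</plist>"""


def audit_icloud(profile_bytes):
    """Return {feature: 'blocked' | 'allowed'} for the three iCloud switches."""
    profile = plistlib.loads(profile_bytes)
    state = {label: "allowed" for label in ICLOUD_KEYS.values()}
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") != "com.apple.applicationaccess":
            continue
        for key, label in ICLOUD_KEYS.items():
            # Only an explicit <false/> blocks the feature; missing means allowed.
            if payload.get(key) is False:
                state[label] = "blocked"
    return state


if __name__ == "__main__":
    for feature, status in audit_icloud(SAMPLE_PROFILE).items():
        print(f"{feature:24} {status}")
```

The sample shows the gap the article describes: with backup blocked but document sync left unset, app data can still leave the device.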

It’s quite possible Apple will support some more granular capabilities in the future. The ability to specify which apps can sync data and documents seems like a natural fit. iCloud backup and Photostream probably wouldn’t benefit from more fine-tuned controls. And although an option to back up to a company server in the manner of iCloud might be nice, I don’t see Apple offering it anytime soon.

This leaves IT between a rock and a hard place. There is technically some security advantage to be gained by disabling all three features, but in practice disabling iCloud backup may just result in data being synced to a home Mac or PC with even less security. Similarly, disabling iCloud-enabled apps from syncing is likely to simply encourage the use of other cloud solutions for similar tasks (most Office-type apps beyond iWork already include syncing with Dropbox, Google Docs, and other services).

Ultimately, as with the concerns around other cloud services, the best option may be a proactive approach of engaging users rather than taking a blunt ax to iCloud. The exception, however, is regulated industries like healthcare where compliance with security and privacy rules requires that blunt ax and similar or strong security measures.

 
