The Hazy Prospect of iCloud Security

As I’ve blogged about before, I love my iPhone and my iPad. Now Apple is really swinging for the fences, with its new iCloud service. iCloud, of course, is the wireless data storage and device synchronization service announced by Steve Jobs last month at Apple’s Worldwide Developers Conference. It’s scheduled for release this fall along with Apple’s new mobile operating system, iOS 5. I watched the keynote with considerable interest, in part because this is unquestionably a great consumer service, and partly because, as hard as I listened, I don’t think I heard Mr. Jobs say the word security even once.

By all appearances, iCloud will be a perfect example of the cloud’s promise and potential. It will provide online storage and backup for music, photos, documents, apps, contacts, calendar and other personal data, with an automated synchronization layer that keeps a user’s content seamlessly available and up-to-date across up to ten different devices. The base service with 5 GB of storage and an email account will be free to anyone who buys a new iPhone, iPad or Mac.

For those of us who own several iOS devices, all our content, data and personal information will be seamlessly available, no matter which of those devices we have in hand at the moment. If we lose a device, our content, applications and settings can be quickly restored on our replacement. Any song or app we purchase on one device will be available on any other, all linked under our Apple IDs. Pretty cool stuff. The company expects 150 million users will sign up in the first month.

But how will this look to the enterprise IT departments that have finally been opening up to iDevices? Several features are sure to cause alarm. Document synchronization, for one, will be enabled by default. Any company document downloaded to or created on a device running iCloud may be automatically uploaded to Apple’s cloud and synchronized to an unknown number of other devices. Device backup will copy a wide range of user and application data to the cloud. All of this information will be automatically moved out of the enterprise environment and secured by only an Apple user ID. Hello data leakage. Good-bye compliance

Apple does say that document synchronization can be disabled, but there’s no word yet regarding how, or whether we can expect any centralized tools for managing iCloud access and user behavior.

Granted, user access to cloud storage platforms is already a problem, but the combination of iCloud’s automated features, the sheer number of expected users and the near ubiquity of iOS devices will dwarf anything we’ve experienced before. And it’s coming our way this fall.

If only iCloud promised the range of intelligence we’ve been advocating within the concept of WorkloadIQ. What if every file, document and data record that made its way into iCloud had identity and security information associated with it? What if enterprise policies could constrain access, transfer and replication, no matter where that information came to rest? What if applications and storage platforms could communicate and collaborate to recognize ownership and enforce rights?

Then I think we could say that every iCloud really did have a silver lining.

–Richard