In-depth

Lessons the enterprise can learn from the iCloud photo leak

iCloud security isn't the problem, argues Davey Winder. Lack of knowledge about how to implement it is

The supposed Apple iCloud "breach" made TV news bulletins last week, which is no surprise given that it centred around the leaking of naked female celebrity photos.

It was also no big wow that Apple quickly responded to such a major reputational shafting by insisting it takes security very seriously (yada yada yada), and had not been 'hacked' and will take steps to ramp up account protection in future.

That ramping up will include, as IT Pro reported at the end of last week, email and push notifications when password changes are attempted and if iCloud data restoration to a new device is requested, as well as when someone attempts to log in from a previously unknown device.

In an ideal world you'd be able to inject employees with a drug to prevent them from acting like idiots, or at the very least exert complete control over the devices and services they use.

Advertisement
Advertisement - Article continues below

Some, including myself, would argue Apple should be doing this already. It's pretty much right there in the first chapter of Cloud Security for Complete Newbies, after all.

Flick to chapter two of this virtual tome and the heading would probably be something like 'Use Two-Factor Authentication' which, funnily enough, Apple also says it will be encouraging more people to do now.

Before the fanboys start sharpening their pen protectors in readiness for attack, I had better add that this isn't an attack on Apple; it's an attack on pathetic security measures.

The iCloud hack was as much to do with the usual lack of security awareness on the part of users as it was a lack of security understanding by Apple, which allowed hackers using the iBrute tool to repeatedly submit potential passwords to Apple's Find My iPhone service login page without locking them out.

But what lessons can the enterprise learn from this? That's simple:

1. No organisation is too big to get it wrong, and everyone has to keep their eye on the ball. Unfortunately, users are mostly blind and didn't even know there *was* a ball.

2. iCloud may well impact your security even if you don't take naked photos of the CEO with an iPhone.

Roll both of these lessons into one and out spits the little insecure nugget that the iCloud keychain will happily store login credentials, synced across Apple devices, in the iCloud.

That users can opt to backup that keychain data locally, but tend to take the easiest route and just leave it in the cloud with just a password and pin for protection, is another incident waiting to happen.

It's back to the eyes thing, use them and ensure that data is not being stored in iCloud that you do not want to be there; and that the data which is stored in the cloud is properly encrypted and protected.

Advertisement
Advertisement - Article continues below

In an ideal world you'd be able to inject employees with a drug to prevent them from acting like idiots, or at the very least exert complete control over the devices and services they use.

As neither are likely in the real world, then a combination of policy, awareness training and multi-factor authentication will have to do. Oh, and never forget that it's all about the data at the end of the day, so ensure the data which really matters is at the heart of your security policy and things become a lot more straightforward.

Featured Resources

The essential guide to cloud-based backup and disaster recovery

Support business continuity by building a holistic emergency plan

Download now

Trends in modern data protection

A comprehensive view of the data protection landscape

Download now

How do vulnerabilities get into software?

90% of security incidents result from exploits against defects in software

Download now

Delivering the future of work - now

The CIO’s guide to building the unified digital workspace for today’s hybrid and multi-cloud strategies.

Download now
Advertisement

Recommended

Visit/business-strategy/33311/apple-launches-new-tv-gaming-and-finance-services
Business strategy

Apple launches new TV, gaming and finance services

25 Mar 2019
Visit/hardware/33929/jony-ive-a-retrospective
Hardware

Jony Ive: A retrospective

29 Nov 2019
Visit/security/354156/google-confirms-android-cameras-can-be-hijacked-to-spy-on-you
Security

Google confirms Android cameras can be hijacked to spy on you

20 Nov 2019
Visit/hardware/34606/apple-ipad-102in-2019-review-the-ipad-grows-up
Hardware

Apple iPad 10.2in (2019) review: The iPad grows up

10 Oct 2019

Most Popular

Visit/cloud/microsoft-azure/354230/microsoft-not-amazon-is-going-to-win-the-cloud-wars
Microsoft Azure

Microsoft, not Amazon, is going to win the cloud wars

30 Nov 2019
Visit/cloud/amazon-web-services-aws/354223/what-to-expect-from-aws-reinvent-2019
Amazon Web Services (AWS)

What to expect from AWS Re:Invent 2019

29 Nov 2019
Visit/hardware/354232/raspberry-pi-4-owners-complain-of-broken-wi-fi-when-using-hdmi
Hardware

Raspberry Pi 4 owners complain of broken Wi-Fi when using HDMI

29 Nov 2019
Visit/mobile/google-android/354189/samsung-galaxy-a90-5g-review-simply-the-best-value-5g-phone
Google Android

Samsung Galaxy A90 5G review: Simply the best value 5G phone

22 Nov 2019