As the hobbit Frodo Baggins leaves the familiar surroundings of his home in the Shire in the movie The Fellowship of the Ring, he remembers something his uncle Bilbo told him, “It’s a dangerous business, going out your door. You step onto the road, and if you don’t keep your feet, there’s no knowing where you might be swept off to.”
Frodo learns those risks when he ventures out into Middle Earth to destroy the one ring. Similarly, IT pros learn the risks of data backup when information leaves iOS devices to go to Apple’s iCloud storage and backup service.
Like the peaceful Shire, iOS devices can be safe havens with data protection and security features such as TouchID, per-app VPN and more. IT departments especially like iOS’ encryption. It uses the Advanced Encryption Standard, and the only way to unscramble the data is with the user’s password. Even if a hacker breaks into the device, the information remains encrypted. Brute force attacks are not practical because iOS disables the device after too many failed password attempts.
Apple iCloud, on the other hand, is like the rest of Middle Earth. If an employee’s personally-owned device automatically backs up data to the iCloud, it’s no longer only stored locally. Apple controls security over its iCloud servers, so it’s difficult for IT to keep a watchful eye over any corporate data backed up to the cloud. Traditional security methods from IT, such as using a firewall to monitor traffic, do not always translate to the cloud. Plus, cloud backup creates a second location where a file exists, so there are multiple places hackers can steal information from.
After a major iCloud leak in August 2014, however, Apple added new features to better secure the iCloud — just like Frodo is joined by a fellowship of warriors to protect him. Two-factor authentication requires users to verify their identities on a second known device if they change their account information, make iTunes purchases or take other actions on a new device. Apple sends the user a text message or email alert with a verification code to provide access. Still, hackers can take advantage of a small window of time between when they access iCloud data and when Apple rings the alarm.
To protect data even more, iCloud now encrypts information when it is in transit and when it’s stored on the server. The only way to unencrypt data is with a secure authentication token, which comes in the form of a password. Some iCloud-based apps such as Find My iPhone also have security measures built-in. That app is off by default, so the user has to activate it. Plus, it only collects location information when a user asks for it, data remains on the iCloud server for only one day, and it is fully encrypted.
The iCloud is more locked down than ever, but it is still a much more fluid environment than a physical device. Once data walks out the door of an iOS device, like Frodo leaving the Shire, it’s hard to know where it might end up.