Is Apple's iCloud folder sharing a shadow IT problem?

Credit to Author: Jonny Evans| Date: Thu, 06 Feb 2020 06:35:00 -0800

After a long delay, Apple is preparing to introduce iCloud Folder Sharing across both its Mac and iOS platforms. This is a big blessing for collaboration, but is it safe?

iCloud Folder Sharing was first announced at WWDC 2019, but delayed until – well, at present it is still delayed and was only recently made available inside the latest iOS and macOS developer betas. Which means it should be on the way.

Probably.

How it works

It works in a similar way to iCloud file sharing, except you can define shared folders as well as shared files.

In use, you can choose to make it possible to share a folder with anyone who has a specific link or choose to limit access solely to named parties. You also get to choose if people you share items with can edit them, or just take a look.

It is reasonable to assume these items/folders will also be available to those using iCloud for Windows. Mobile device support on other platforms was also recently improved.

A little bit.

In theory, iCloud Folder Sharing means Apple now offers a relatively cross-platform tool with which teams can share and collaborate on projects – though it isn’t as smooth, feature-rich or as cross-platform compatible as Dropbox or Box.

The thing is, with tens of millions of iPhone and Mac users in place across the enterprise market, it seems pretty clear that most of your employees are likely already using iCloud.

The new feature just makes it more likely they’ll use it more, including to collaborate on projects. After all, one of the huge benefits of the service is that it’s as easy to use as anything else Apple does – and ease-of-use is one of the big drivers for Shadow IT.

And that is where iCloud may become a bigger problem for enterprise security chiefs trying to handle the challenge of unauthorized use of apps by their mobile employees.

It is of course true to say that iCloud is a relatively secure system.

Not only are Macs and iOS devices way more secure than any other platform (though no platform is perfect), but iCloud’s two-factor authentication (2FA), deep platform integration, and the nature of the encryption that protects information as it is transmitted to and from the service all provide good protection.

The problem with iCloud is (and always is) the user:

While it is possible to protect your iCloud with complex alpha-numeric passcodes, most people just don’t. Indeed, I can recall reading a recent report that claims around a third of iCloud users still haven’t enabled 2FA on their systems.

That’s up to them, I guess, but when a highly secure iCloud user with complex passcodes and 2FA enabled chooses to share highly confidential enterprise-related documents inside a folder with another user, how are they to know how well secured that other user’s iCloud access actually is?

They don’t.

And this is a problem enterprise security teams will need to address pretty quickly now that we know iCloud Folder Sharing is coming.

I’m certain some enterprises may ban use of iCloud, just as many already attempt to ban the use of any consumer-grade cloud-based document services, but I don’t think bans work – they just create a blame culture in which employees become reluctant to seek help when things go wrong.

It seems much more sensible to assume these things will be used, and take steps to manage such use, than to issue terse memos banning use of services you as the head of department are probably also making use of yourself.

What does work is policy.

In this case, it seems sensible for enterprise security chiefs to advise employees who choose to use iCloud for work to protect their account with complex alphanumeric passcodes.

That’s not the only protection that needs to be put in place.

Employees must be encouraged to use 2FA and to keep their devices up-to-date (unless controlled by you with an MDM solution).

This is why. Apple’s iCloud security pages tell us:

“iCloud secures your information by encrypting it when it’s in transit, storing it in iCloud in an encrypted format, and using secure tokens for authentication. For certain sensitive information, Apple uses end-to-end encryption. This means that only you can access your information, and only on devices where you’re signed into iCloud. No one else, not even Apple, can access end-to-end encrypted information.”

The thing is, and this is important: for end-to-end encryption to work, two-factor authentication must be turned on for the Apple ID.

The difference between how Apple protects your information in iCloud and on your device is encryption. iCloud Drive data is protected by “a minimum of 128-bit AES encryption,” according to Apple.

That’s quite strong I suppose, but may not be as secure as what you define in your security policy – and it is important to note that data stored in the drive is not protected by end-to-end encryption while there, though it is encrypted in transit.

If you want data to be kept securely in your or your employee’s drives, it makes sense to encrypt that information before uploading it.

While this adds friction to the sharing/collaboration process it also means your enterprise’s confidential data (or your personal info) has better protection.
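The “encrypt before uploading” step above can be scripted on the Mac itself. The script below is an added example written for this article, not a tool from Apple or one the author recommends: it wraps the openssl command-line tool (assumed to be version 1.1.1 or newer, so that PBKDF2 key stretching is available) to encrypt a file locally, checks that what would land in the shared iCloud folder is ciphertext, and confirms the round trip and that a wrong passphrase does not recover the document. The environment variable name ICLOUD_ENC_PASS, the function names and the sample document are all constructed for the example.

```shell
#!/bin/sh
# Added example, not from the article or from Apple: encrypt a file on the
# local machine before it is placed in an iCloud Drive folder, so that what
# reaches the server (and any shared recipient's poorly secured account) is
# ciphertext rather than the document itself.
# Assumptions: the openssl command-line tool (1.1.1 or newer, for -pbkdf2)
# is on PATH, and the passphrase is supplied in the environment variable
# ICLOUD_ENC_PASS (a name chosen for this example).

# Number of PBKDF2 iterations used to stretch the passphrase into a key.
PBKDF2_ITER=200000

# encrypt_for_upload PLAINTEXT OUTPUT
# AES-256-CBC with a random salt; openssl stores the salt in a "Salted__"
# header so the same passphrase can derive the same key again later.
encrypt_for_upload() {
  openssl enc -aes-256-cbc -salt -pbkdf2 -iter "$PBKDF2_ITER" \
    -pass env:ICLOUD_ENC_PASS -in "$1" -out "$2"
}

# decrypt_after_download CIPHERTEXT OUTPUT
decrypt_after_download() {
  openssl enc -d -aes-256-cbc -pbkdf2 -iter "$PBKDF2_ITER" \
    -pass env:ICLOUD_ENC_PASS -in "$1" -out "$2"
}

# is_openssl_ciphertext FILE: true if FILE starts with the openssl salt
# header, a cheap check that a file in the shared folder was encrypted.
is_openssl_ciphertext() {
  [ "$(head -c 8 "$1")" = "Salted__" ]
}

# wrong_passphrase_fails CIPHERTEXT PLAINTEXT: true unless a wrong passphrase
# reproduces the plaintext. With a wrong key openssl normally reports
# "bad decrypt" (the CBC padding check fails); in the rare case the padding
# happens to validate, the output is garbage, which cmp catches.
wrong_passphrase_fails() {
  out=$(mktemp) || return 1
  saved=$ICLOUD_ENC_PASS
  ICLOUD_ENC_PASS="not-the-right-passphrase"
  decrypt_after_download "$1" "$out" 2>/dev/null && cmp -s "$2" "$out"
  leaked=$?   # 0 only if the wrong passphrase recovered the plaintext
  ICLOUD_ENC_PASS=$saved
  rm -f "$out"
  [ "$leaked" -ne 0 ]
}

# round_trip_ok PLAINTEXT [MARKER]: encrypt, confirm the output is ciphertext
# and does not contain MARKER verbatim, decrypt, and confirm the result is
# byte-for-byte identical to the input; also confirm a wrong passphrase fails.
round_trip_ok() {
  workdir=$(mktemp -d) || return 1
  encrypt_for_upload "$1" "$workdir/upload.enc" || return 1
  is_openssl_ciphertext "$workdir/upload.enc" || return 1
  if [ -n "${2:-}" ] && grep -q "$2" "$workdir/upload.enc"; then
    return 1   # plaintext marker visible in what would be uploaded
  fi
  decrypt_after_download "$workdir/upload.enc" "$workdir/download.txt" || return 1
  cmp -s "$1" "$workdir/download.txt" || return 1
  wrong_passphrase_fails "$workdir/upload.enc" "$1" || return 1
  rm -rf "$workdir"
}

# demo: a constructed sample document (not a real enterprise file) run
# through the full round trip. Returns 0 on success.
demo() {
  sample=$(mktemp) || return 1
  printf 'CONFIDENTIAL: Q3 roadmap draft\nDo not share outside the team.\n' > "$sample"
  ICLOUD_ENC_PASS=${ICLOUD_ENC_PASS:-"example-passphrase-change-me"}
  export ICLOUD_ENC_PASS
  round_trip_ok "$sample" "CONFIDENTIAL"
  status=$?
  rm -f "$sample"
  return $status
}

demo && echo "round trip OK: upload the .enc file, never the original"
```

Two practical notes on this approach: the passphrase still has to reach the person you share the folder with by some channel other than the folder itself, and file names and sizes in the shared folder remain visible to anyone with access, so name the encrypted files accordingly.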

(I’ll be looking at good encryption solutions for this task in the next few weeks, so do follow me on social media to learn what I find out.)

You can also deploy MDM solutions to control iCloud and data access across your network, though the best protection will always be to offer approved, secure collaboration spaces that are as easy to use as iCloud or any other consumer service.

Even with all the protection in place – policy, approved collaboration tools, even edge device security – the inconvenient truth is that data will slip, employees with poorly-protected consumer services such as iCloud will use those services, and security problems will emerge.

That’s why it’s so important to ensure everyone at your organization feels sufficiently safeguarded that in the event something does go wrong they’ll not waste time before letting IT security know a problem exists. Because not knowing a problem exists is usually a bigger problem than the problem itself.

Summing up: Employees will use iCloud Drive, they already do and now they’ll use it to collaborate on some tasks. They should be encouraged to:

I’ll be interested to hear any other good advice on this matter.

Please follow me on Twitter, or join me in the AppleHolic’s bar & grill and Apple Discussions groups on MeWe.
