@CloudExpo: Article

In Apple’s iCloud, One Key to Rule Them All

Apple maintains complete control over the master encryption key to their marquee cloud offering

Earlier this month it became widely publicized that Apple maintains complete control over the master encryption key to their marquee cloud offering, iCloud. To anyone familiar with security and encryption this should come as no surprise: for nearly all consumer cloud services to provide anywhere access to data, the provider must be able to encrypt and decrypt that data on the fly. But it raises the bigger question: who should I trust with my data?

The consumer cloud
To even begin to answer that question, we need to first look at what types of data are being stored inside Apple’s iCloud. For our purposes, we’ll break the data into two sets: general media files and personal files. The first group consists of music, movies, books, and mobile apps – not exactly what you’d call sensitive data. If a third party were to gain access to your music library, it wouldn’t be the end of the world. The second group, however, is made up of much more personal documents, including notes, calendar events, mail, contacts, and user settings. This is personal information, there’s no question about it, but would a hacker or rogue Apple employee really go through the effort to read your email, text messages, and photos? Maybe if you are Scarlett Johansson – but that’s a different story…

In the end, the consumer cloud means trusting a vendor, in this case Apple. As a user, you trust them to do the right thing in how they handle security and encryption, both in their technology and in their internal policies. Again, the issue here is trust. You have no control over the encryption key, so the possibility of your data being compromised by a malicious hacker or an Apple employee is always present. The ultimate question is, are you willing to hand over this trust in return for the convenience of being able to sync your photos, messages, and music across your laptop, phone, and tablet? I believe, and history would suggest, most users are.

The enterprise cannot rely on trust
When it comes to the enterprise it’s a different story. Controlling access to data and protecting it from malicious hackers, competitors, ex-employees, etc. is a top priority for IT. For the traditional storage infrastructure, this means all the hardware sits inside the four walls of the organization. Servers are locked inside racks, which are locked inside a server room. Policies are administered with an access control system and IT has tight control over all aspects of data storage as well as the corporate network.

When moving data outside those “four walls” this all changes. Data is no longer inside that locked server room, but scattered across multiple data centers located in multiple geographies. Personal email and photos are one thing – sensitive corporate IP is another. Security and encryption must be done right:

  1. The security and encryption system must be proven. OpenPGP comes to mind here. It is open in the sense that it is peer reviewed, and with that comes a rock-solid encryption scheme trusted with the most sensitive data out there.
  2. IT generates and holds the crypto keys – if the encryption happens before the data leaves for the cloud and the storage vendor doesn’t have a copy of the keys, there is no way anyone can read the encrypted data.
  3. There is an acceptable level of redundancy within the cloud (or clouds) the data is stored on. This has more to do with data protection than security, but lost data can, in some circumstances, be even more damaging than hacked data. Amazon’s "eleven nines" is a good example of this.
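The second requirement in working form, as an added Go example that is not code from the article or from Nasuni: IT generates the key on premises, only the ciphertext is handed to the storage vendor, and a holder of any other key (the vendor included) can neither read the blob nor alter it undetected. The file name and contents are constructed, and AES-256-GCM stands in for whichever proven scheme (the article names OpenPGP) an organization actually adopts.

```go
package main
import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// NewKey runs on premises: IT generates a random 256-bit key and builds the
// AES-GCM cipher from it; neither the key nor this object is ever uploaded.
func NewKey() (cipher.AEAD, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts a file before it leaves the organization. The random nonce is
// prepended to the ciphertext, and the GCM tag lets Open detect any tampering.
func Seal(gcm cipher.AEAD, plaintext []byte) ([]byte, error) {
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// Open fails under any other key or an altered blob, so the vendor can neither read nor modify the data.
func Open(gcm cipher.AEAD, blob []byte) ([]byte, error) {
	if n := gcm.NonceSize(); len(blob) >= n {
		return gcm.Open(nil, blob[:n], blob[n:], nil)
	}
	return nil, fmt.Errorf("blob shorter than nonce")
}

func main() {
	key, _ := NewKey()                                        // generated and kept by IT
	blob, _ := Seal(key, []byte("Q3 roadmap (constructed)")) // only this blob is uploaded
	plain, err := Open(key, blob)                             // IT reads it back
	fmt.Printf("IT reads %q (err=%v)\n", plain, err)
	vendor, _ := NewKey() // any key other than IT's, such as one the vendor holds
	_, err = Open(vendor, blob)
	fmt.Println("vendor reads:", err)
}
```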

IT is not (and should not be) willing to trust a storage vendor or cloud storage provider with access to their data. When it comes to enterprise data – there is simply too much at stake. Nasuni’s Rob Mason said it best in the following statement: "We trust our employees, but we do not ask our customers to share that trust. This is good security practice. No strong encryption scheme should rely solely on trust."

Do you trust Apple with your personal data? Would you trust a storage vendor to hold the keys to your corporate data? Sound off in the comments below.

More Stories By Louis Abate

Louis is a connoisseur of technology, photography and music. As a passionate tastemaker, he is on a lifelong mission to seek out and evangelize best of breed products and services.

At Nasuni, he heads up the multimedia content creation and social aspects of the company. With one eye on the constant flow of industry news and the other on Nasuni’s services, you’ll find Louis writing about the evolving storage industry and general musings about high technology in the modern office.
