"Hey, You, Get Off of iCloud!"
Many apps and cloud-based services share data between users and between devices, and these services give security pros fits. iCloud will make these things happen automatically, and potentially without the intent or even awareness of the end-user.
For all its hype iCloud does not represent a fundamentally new problem. Employees are already bringing personal devices to work and wanting to use them in their jobs, and these unmanaged devices are mixing personal and corporate data on a system that is outside the control of the security and IT teams. There are already many apps and cloud-based services for sharing data between users and between devices (such as Dropbox), and these services are giving security pros fits. What is new is that iCloud will make these things happen automatically, and potentially without the intent or even awareness of the end-user, who is also an employee.
iCloud will throw gasoline not on the fire of consumerization, but on the widespread consumer adoption of cloud services, and this will mean that these devices that are connecting to your corporate network and applications will also be more likely to be simultaneously connected to cloud-based consumer services. Plus, iCloud is only one of many: music services, cloud storage, MMORPGs, social media, location services and others will all be sitting on the other side of that device. These services are fat targets for hackers seeking to mine them for user data that can be resold on the black market to spammers, phishers, governments, and organized crime. With always-on 3G connections, these services could provide a direct path onto a device that is also connected to corporate applications and the WLAN.
How to deal with this? You can’t take the approach that organizations did several years ago to address the risk of laptops bridging VLANs between the Ethernet and wireless NICs: Disabling one interface while another remains connected is not really an option in this scenario. But, just as VLAN bridging was an early use case for situational or location-based policies, so can an intelligent policy capability help address this new problem. For example, configure a policy that disables some apps, blocks connections to certain sites or services, or disables the camera when the user is accessing a virtual desktop designed to provide access to corporate applications and data. Another would be to never allow 3G-wifi bridging when the device is connected to the corporate network. Never! The available technology is still catching up with the use case, but robust situational policies, centrally managed across multiple device platforms, will be critical to determining the apps and features that are able to operate while a personally-owned device is connected to a corporate application or network. Until intelligent policy-based enforcement is available, educate your employees about the risks of these services and which ones they should avoid accessing while they are in work mode.