An October 10, 2011 Network World article titled “Beware of the iCloud” described an enterprise nightmare scenario around Apple’s newly introduced cloud storage service:
“You’re at your office Mac, working on a sensitive company document. There’s a copy of the document automatically pushed to your iPad, which a family member borrowed and took to Starbucks. There’s a copy on your home MacBook, which your teenager is using. And there’s a copy on your iPhone … which you just left in a cab.”
The key questions raised in the article are whether Apple plans to deliver a secure experience, and what enterprises need to do to protect sensitive corporate data. While iCloud may be an iPad and iPhone lover’s dream, it’s an IT security professional’s nightmare, as described by Apple: “iCloud stores your music, photos, apps, calendars, documents and more. And wirelessly pushes them to all your devices – automatically. It’s the easiest way to manage your content. Because you don’t have to.”
What this means for enterprises: iCloud users could potentially upload sensitive corporate data, which could then be spread to devices that do not have corporate security protocols. While this risk exists in just about any cloud solution, iCloud’s ability to automatically push out data to multiple devices raises risk concerns to new levels.
Businesses that are legally responsible for securing sensitive data are most affected: financial services, financial institutions, healthcare providers and the legal industry.
Other cloud-based storage vendors – such as Dropbox, Box.net, and Mozy – don’t come close to Apple’s iCloud functionality, except for Amazon’s Cloud Drive. The key difference is that iCloud will be very tightly integrated with both Apple devices and third-party applications. Users won’t have to connect their iPhones or iPads to a computer to back up their devices. Synching will be automatic, wireless, and in the background.
Model Metrics’ Jim Prothe recommends that companies review their mobile device policies and find out how many iOS devices are being used for business purposes. “If the devices are owned by the company, employees can be required to use strong passwords that expire regularly, implement remote wipe for lost devices, and encrypt data stored on the device. If it’s a personal device, it’s up to IT to limit how much access the device has to network resources.”
A number of vendors offer tools that can help isolate company information on mobile devices, remotely wipe the company data when employees leave, and ensure that information stays safe and secure. One of them, Morphlabs, is an all-Mac company where iOS devices are common. CEO Winston Damarillo said, “Part of our policy for data retention and security is to require people never to sync up their data to iDisk or iCloud or DropBox. They can only sync up via Box.net, which I manage centrally. We say, if you use documents that belong to the enterprise for work purposes, they go through Box.net. I wouldn’t advise any company to use iCloud for enterprise content. It’s not designed for that.”
Box.net is working on further improving security, says co-founder and CEO Aaron Levie. “iCloud doesn’t have access to the data stored in our Box app on iOS. We will also be working with mobile device management vendors to ensure security policies are consistent between the enterprise and the Box app, as well as offering services in the Box Enterprise edition to ensure end to end management of content on any mobile device.”
Dayvia Nelson, marketing manager at Cloudworks, a provider of virtual desktop software, is an iCloud fan. But when it comes to business apps, Nelson uses her own company’s tools to access corporate documents via a virtual desktop. With Cloudworks, applications are logically segregated from other companies’ data. And Cloudworks uses enterprise-grade security, including SAS 70, PCI and Sarbanes-Oxley compliance. One customer uses it for medical documents that require HIPAA compliance, and the Cloudworks data center has gone through that audit process as well.
Corporate data or documents are never stored on the mobile device, says Nelson. “All the information is stored in our environment. If a person leaves, they disable the account.” As a result, when her iPhone or iPad is backed up to the iCloud, only personal files are touched.
The American Bar Association is doing a study (due out in 2012) to determine whether a law firm is adequately protecting a client’s data when it’s in the cloud. They are expected to state that “attorneys need to understand what protections are in place.”
One of the key additions made available thanks to cloud computing is Software as a Service (SaaS). Rather than installing software on your computer or the firm’s server, SaaS is accessed via a Web browser over the Internet. Data is stored in the vendor’s data center rather than on the firm’s computers. Upgrades and updates are rolled out continuously and, perhaps most importantly, SaaS is usually sold on a subscription model, meaning that users pay a monthly fee rather than purchasing a license up front.
Some questions for firms to consider in relation to ethics & security with SaaS:
- How does the vendor safeguard the privacy/confidentiality of stored data?
- How often is the user’s data backed up, and in how many different geographic locations to safeguard against natural disaster?
- What’s the vendor’s history? Where do they derive their funding? How stable are they financially?
- Can you get your data “off” their servers for your own offline use/backup? If you decide to cancel your subscription to the software, who owns the data? Is data supplied in a non-proprietary format that is compatible with other software?
- Does the vendor’s Terms of Service or Service Level Agreement address confidentiality and security? If not, would the vendor be willing to sign a confidentiality agreement in keeping with your professional responsibilities?
The New York State Bar Association, in tackling ethics of cloud computing, suggested law firms will want to address these issues with cloud computing vendors:
Data Backup and Storage
Security, Confidentiality and Privacy
The American Bar Association (ABA) has noted that cloud computing raises several specific issues and possible concerns relating to the potential theft, loss, or disclosure of confidential information. They include:
- unauthorized access to confidential client information
- whether information is stored on servers in countries with fewer legal protections
- a vendor’s failure to back up data adequately
- unclear policies regarding ownership of stored data
- the ability to access the data after terminating a relationship with the cloud computing provider or if the provider goes out of business
- the provider’s procedures for responding to government requests for information access
- policies for notifying customers of security breaches
- policies for data destruction, or transferring the data if a client switches law firms
- data encryption
- how lawyers will obtain client consent before using cloud computing services to store or transmit confidential information
The bottom line: lawyers need to be aware of technological changes both in the management of their offices as well as in providing of services to the public. Ever lawyer ultimately has a responsibility to understand the technology they use.
Before you move data into the cloud, look carefully at SLA, Governance and Security. Any firm that handles sensitive or confidential data will need to be trained and well-versed on all three of these areas so they can answer clients’ questions and concerns about how they are safeguarding data.