Is iCloud a security risk?
OS X's reliance on iCloud to store online documents in apps such as the iWork suite or Omni Outliner could be a risk if those documents contain sensitive corporate information. If another Mac or iOS device uses the same iCloud account and isn't protected through encryption or a password, a thief could use that other device to access the files.
"If an employee has very confidential company data and is putting it on their iCloud and on their iPhone, the [need for] data management is expanded," creating a new exposure point, says James Robinson, director of information security at Accuvant, a provider of security services. (This risk is similar to the use of any cloud-storage service, such as Box, Dropbox, Google Drive, or Microsoft OneDrive.)
Exchange ActiveSync policies can enforce the use of encryption and passwords on a Mac or iOS device, and third-party management tools can use an Apple API to disable iCloud on iOS devices. But if a device is not under IT management, those protections can't be enabled or enforced.
The new iCloud Keychain feature in iOS 7 and OS X Mavericks allows Safari to sync passwords and credit card numbers across Macs and iOS devices. Although it uses two-factor authentication, there's a possible risk in using this feature.
As is true with other cloud services, such as Google accounts and Microsoft accounts, a hacker can use a combination of social engineering techniques and spoofing attacks to hijack an iCloud account, gaining access to the users' iCloud data. Many iCloud users share their credentials with iTunes and the Apple Store, so a hijacked iCloud username and password could also be used to purchase items from iTunes and the Apple Store online.
Apple plays it quiet in the security cat-and-mouse game
With security in general, it's often a cat-and-mouse game, where vendors release the latest patches or anti-whatever tools, and researchers figure out a way to bypass them, Foreground Security's Henderson says. Vendors engage with security researchers and white-hat hackers to identify and close off vulnerabilities in an awkward but useful dance — not Apple, though.
"Apple should take the 'help us help you' approach and publicize the fact that it is willing to work with independent security researchers," Henderson advises. "If we look at the increased security features that Microsoft has started to include in its products over the past decade or so, you will see that most of these features are a result of working with security researchers and the general public."
Apple is much less transparent about its security policies than other vendors, says Mike Silver, a distinguished analyst at Gartner. (Apple declined to comment to InfoWorld on Mac security issues.) Plus, "Apple doesn't have specific timelines on how long it will support an OS for, which makes it difficult for organizations that have to certify security."
Should you worry? Yes, but not a lot.
Sign up for Computerworld eNewsletters.