Concerns over corporate data syncing with iCloud

Well, if your user base moves to Android you will have even less control. At this point it looks like iCloud only supports Outlook 2007 and later so you might not even have an issue yet.

This is a huge problem for any organization that wants to prevent data leakage to public clouds. Take a look at www.copiun.com, they essentially have built an iCloud/Dropbox for the Enterprise, ensuring that all data stays INSIDE the corporate network, but allows access from iPad/iPhone/etc.

Good luck with on-device encryption and remote wipe with the various flavors of Android.

Good luck connecting Android to a PEAP-secured Wi-Fi network. Good luck keeping rogue data stealing apps off your employee owned Droids ( or even corporate owned for that matter). What if your CEO gets a Kindle Fire and starts using that for his email, etc.. that information is being synched to Amazons cloud? It is not just iCloud folks, it is the consumerization if IT and the blending of work and home devices that is the big challenge here.

The problem is that, according to IBM, there is no current way to enforce a restriction on iCloud syncing for any device connected to our corporate e-mail network. As a result, there is potentially sensitive data that we are legally responsible for controlling flowing out of our control.

I may be missing something here, but... How is it not possible to block iClould traffic thru your network?

Cannot you turn on your firewall to block iClold? You could block what ever ports iCloud uses to sync or send email.

Won't this work?

use the iPhone configration utility to set up parental controls etc.

I worked for IBM. I'm not impressed with an answer from IBM. I know computer speak. There is an expression, 100 percent correct answer but totally meaningless answer.

You'll sort this out when some exec want to user an iPad.

Robert

Control depends on the organization culture, its policies and their enforcement, and who owns the devices and networks that the data is allowed onto. If a company is allowing users to bring in their own devices to access company data or allowing them to access personal networks with corporate devices firewall rules and simple controls will not work. For example, if someone is connecting to a cellular 3G provider with their own plan they will be able to synch with iCloud no matter what the corporate firewall says. If you are in health care or finance you should be using a third party security provider for MDM because the built in tools and apple provided resources aren' t going to do the job.

We do use Lotus Notes and Traveler, and I am basing my comments on some of the Droids our users are bringing in - they are not all compliant and I am glad that you can block them. I am sure that there will be a lot more movement in this space in the near future as entities with strong data protection needs will have the same issues that you are experiencing. There will be third party products available for this ( and may be already) within a month, if not sooner. If you can afford the solution it will be there. I was only using the kindle fire as a metaphor for the consumer device in the corporation - today its iCloud, tomorrow it will be something else. Data security is a constant battle with evolving fronts and spies behind the lines. Good luck.

I'm in health care with a major organization, as well, and we've had some pretty serious talks with Apple. We've found 1) that email sync only applies to a me.com account or other setup through Apple. Exchange or Server based email is not synced. 2) only LOCAL contacts and calendar are synced, not corporate server based items. Photostream or what I will call "document stream" could be an issue but if people dont' share iTunes accounts with family members or others, these items couldn't be transferred to someone elses device..it's all based upon the AppleID used to connect to iCloud. Apple has assured us that they are encrypting any data stored on the back end with them, and policy exists through IPCU to turn off photo stream ( in case say, a clinician takes a picture of a patient wound or something) and document stream. As we understand backup, it backs up device settings etc but does not backup physical music or apps these can be re-downloaded from the applicable store. Wi-fi settings and credentials are backed up, but again, this is encrypted. One helpful article on use of Apple ID's for iCloud and iTunes is the following:

http://support.apple.com/kb/ht4895

and articles on storaqge with linlks to articles on what is backed up

http://support.apple.com/kb/HT4847

Just thought I'd throw the above ideas and comments in the mix.

Not sure how you tested but you can choose which account to sync to icloud and can certainly choose the corporate one. The links you posted even state as much.

This is an interesting thought, and it might explain why my iCloud doesn't sync while I'm on our corporate network (we are a service oil company) and those of some of our clients. Neither my Mac nor the iOS devices sync.

This is an impression I got from reading some tech news I wouldn't be able to quote, but it looks like Apple will basically start paying more attention to corporate market. I hope this will address the issue, but it would also require some commitment from the corporations, in that they recognise they need to invest in IT time to manage the devices.

I have my doubts that my employer will be the first to do that. *sigh*

First things first.

You need to get your iOS devices registered with an MDM server.

This will allow you to push policies down to the device that can block iCloud doc sync, photo sync, keyvalue sync.

You cannot block iMessage, that is a core product feature.

Activesync email is not synced to iCloud as it is considered under "Content Protection". A magic bit that tells the OS not to backup that stuff.

Keep in mind apps have to be written to take advantage of iCloud (use new sync apis)

Things don't just sync by default. Keynote is example.

iCloud sync goes to icloud.com, if your web proxies block it, it will block all access.

Regards,

Ashish