12 Replies Latest reply: Jan 27, 2012 5:16 PM by Ashish of Boston
saxtell Level 1 Level 1 (0 points)

Our company is a Healthcare organization; as a result, we have stringent legal requirements over the control of data flow/information in and out of the enterprise.

 

The new iCloud service is alarming since it essentially means that corporate data is flowing away from devices on which we can control via security protocols. Our corporate e-mail solution is IBM Lotus Domino; we currently offer push e-mail via Notes Traveler/ActiveSync.

 

The problem is that, according to IBM, there is no current way to enforce a restriction on iCloud syncing for any device connected to our corporate e-mail network. As a result, there is potentially sensitive data that we are legally responsible for controlling flowing out of our control.

 

We know you can turn iCloud synchronization off at a device level. The problem is that we cannot rely on users to do this; all it takes is one user to leave the service turned on, and we are in trouble. We need a method to turn the iCloud service off and ENFORCE it into a disabled state a long as our mail resides on the device.

 

Does anyone have any feedback on this? Is there an Enterprise contact e-mail account that I could forward this serious concern through to?

 

If we can't get a fix issued for this, we may have to simply block all iOS devices from accessing our service; this would obviously encourage our user base to purchase a different OS entirely, which clearly isn't beneficial for Apple's future business.


iOS 5
  • gyrhead Level 3 Level 3 (785 points)

    Well, if your user base moves to Android you will have even less control.  At this point it looks like iCloud only supports Outlook 2007 and later so you might not even have an issue yet.

  • saxtell Level 1 Level 1 (0 points)

    I'm not sure why you think we'll have less control on Android. We already have Droid devices connected, and they do just fine. The problem here is iCloud, not the security capabilities of any of the non-Blackberry OSes.

     

    Here is an article which outlines just a few of the concerns:

     

    http://www.mobileindustryreview.com/2011/10/will-enterprises-embrace-or-restrict -icloud.html

  • diwakarhp Level 1 Level 1 (0 points)

    This is a huge problem for any organization that wants to prevent data leakage to public clouds. Take a look at www.copiun.com, they essentially have built an iCloud/Dropbox for the Enterprise, ensuring that all data stays INSIDE the corporate network, but allows access from iPad/iPhone/etc.

  • gyrhead Level 3 Level 3 (785 points)

    Good luck with on-device encryption and remote wipe with the various flavors of Android.

    Good luck connecting Android to a PEAP-secured Wi-Fi network. Good luck keeping rogue data stealing apps off your employee owned Droids ( or even corporate owned for that matter).  What if your CEO gets a Kindle Fire and starts using that for his email, etc.. that information is being synched to Amazons cloud?   It is not just iCloud folks, it is the consumerization if IT and the blending of work and home devices that is the big challenge here.

  • rccharles Level 5 Level 5 (6,485 points)

    The problem is that, according to IBM, there is no current way to enforce a restriction on iCloud syncing for any device connected to our corporate e-mail network. As a result, there is potentially sensitive data that we are legally responsible for controlling flowing out of our control.

     

    I may be missing something here, but...  How is it not possible to block iClould traffic thru your network?

     

    Cannot you turn on your firewall to block iClold?  You could block what ever ports iCloud uses to sync or send email.

     

    Won't this work?

     

    use the iPhone configration utility to set up parental controls etc.

     

    I worked for IBM.  I'm not impressed with an answer from IBM. I know computer speak.  There is an expression, 100 percent correct answer but totally meaningless answer.

     

    You'll sort this out when some exec want to user an iPad.

     

    Robert

  • gyrhead Level 3 Level 3 (785 points)

    Control depends on the organization culture, its policies and their enforcement, and who owns the devices and networks  that the data is allowed onto.  If a company is allowing users to bring in their own devices to access company data or allowing them to access personal networks with  corporate devices firewall rules  and simple controls will not work.  For example, if someone is connecting to a cellular 3G provider with their own plan they will be able to synch with iCloud no matter what the corporate firewall says.  If you are in health care or finance you should be using a third party security provider for MDM because the built in tools and apple provided resources aren' t going to do the job.

  • saxtell Level 1 Level 1 (0 points)

    Gyrhead: device level encryption and remote wipe works fine on the various droid platforms. We've tested it. It works. It is 100% enforceable, and the controls to do this exist. From your comments it seems likely that you haven't worked with Traveler, but I assure you that compliant droids completely meet our needs. Non-compliant droids are automatically blocked from accessing the server.

     

    I can't comment on your Wi-Fi portion since I haven't had any personal experience with PEAP networks, but honestly, in this context, that's not really something I care about. Someone NOT being able to connect to a network won't potentially land us with a fine and/or prison sentence.

     

    On Amazon's cloud offerings with Kindle Fire, that's just as much of a problem in theory. The reality, however, is we don't have a single Kindle Fire connected to our network at this point, whereas we DO have a significant number of iOS devices - all of which are potentially able to move our data off premises. You're correct when you say there is more going on here than just iCloud, but I'm not going to look for a solution to Kindle Fire related problems on a board talking about Apple products in the Enterprise. If another line of products doesn't measure up to what we need, we will take the same action with those. It's that simple. And if the only action we can take is to entirely block a line of products from our corporate servers, then that is what we will have to do.

     

    This isn't a measure of bias, it's a simple matter of legal obligation and compliance.

     

    Rccharles: we could block users from contacting iCloud while they are inside our network, but the moment they move to 3G, 4G or a non-company owned wireless network, the sync will happen. It's absolutely impossible to stop someone connecting their device to the iCloud via someone else's network. For us to be able to do what we need, we have to be able to turn the service off (and prevent it from being turned back on) at a device level.

  • gyrhead Level 3 Level 3 (785 points)

      We do use Lotus Notes and Traveler, and I am basing my comments on some of the Droids our users are bringing in - they are not all compliant and I am glad that you can block them.  I am sure that there will be a lot more movement in this space in the near future as entities with strong data protection needs will have the same issues that you are experiencing.  There will be third party products available for this ( and may be already) within a month, if not sooner.  If you can afford the solution it will be there.  I was only using the kindle fire as a metaphor for the consumer device in the corporation - today its iCloud, tomorrow it will be something else.  Data security is a constant battle with evolving fronts and spies behind the lines.  Good luck.

  • Bonesaw1962 Level 4 Level 4 (1,255 points)

    I'm in health care with a major organization, as well, and we've had some pretty serious talks with Apple.  We've found 1) that email sync only applies to a me.com account or other  setup through Apple.  Exchange or Server based email is not synced. 2) only LOCAL contacts and calendar are synced, not corporate server based items.  Photostream or what I will call "document stream" could be an issue but if people dont' share iTunes accounts with family members or others, these items couldn't be transferred to someone elses device..it's all based upon the AppleID used to connect to iCloud.  Apple has assured us that they are encrypting any data stored on the back end with them, and policy exists through IPCU to turn off photo stream ( in case say, a clinician takes a picture of a patient wound or something) and document stream.  As we understand backup, it backs up device settings etc but does not backup physical music or apps these can be re-downloaded from the applicable store.  Wi-fi settings and credentials are backed up, but again, this is encrypted.  One helpful article on use of Apple ID's for iCloud and iTunes is the following:

    http://support.apple.com/kb/ht4895

    and articles on storaqge with linlks to articles on what is backed up

    http://support.apple.com/kb/HT4847

     

    Just thought I'd throw the above ideas and comments in the mix. 

  • johnnyfromwalker Level 1 Level 1 (0 points)

    Not sure how you tested but you can choose which account to sync to icloud and can certainly choose the corporate one.  The links you posted even state as much. 

  • Rustem Level 1 Level 1 (0 points)

    This is an interesting thought, and it might explain why my iCloud doesn't sync while I'm on our corporate network (we are a service oil company) and those of some of our clients. Neither my Mac nor the iOS devices sync.

     

    This is an impression I got from reading some tech news I wouldn't be able to quote, but it looks like Apple will basically start paying more attention to corporate market. I hope this will address the issue, but it would also require some commitment from the corporations, in that they recognise they need to invest in IT time to manage the devices.

     

    I have my doubts that my employer will be the first to do that. *sigh*

  • Ashish of Boston Level 1 Level 1 (20 points)

    First things first.

    You need to get your iOS devices registered with an MDM server.

    This will allow you to push policies down to the device that can block iCloud doc sync, photo sync, keyvalue sync.

    You cannot block iMessage, that is a core product feature.

     

    Activesync email is not synced to iCloud as it is considered under "Content Protection". A magic bit that tells the OS not to backup that stuff.

     

    Keep in mind apps have to be written to take advantage of iCloud (use new sync apis)

    Things don't just sync by default. Keynote is example.

     

    iCloud sync goes to icloud.com, if your web proxies block it, it will block all access.

     

    Regards,

    Ashish