Quote of the week: Security and privacy issues of iCloud servers
Costin G. Raiu, Director of the Global Research and Analysis Team of Kaspersky Lab:
“With Apple releasing iCloud for developers, the battle for domination in the market of cloud-centric OSes is finally breaking out. The real key point here is of course iOS5 – the new Apple operating system that will take full advantage of clouds. This indicates that Apple is moving in exactly the same direction as Google and Microsoft by designing and planning to deploy an operating system that is fully integrated with the cloud. This is further confirmed by Steve Jobs' statement regarding Apple’s long-held interest in the creation of an operating system that doesn't rely on local file system storage.
Interestingly, Apple has chosen a different path from Google here: while Google – with ChromeOS – is trying to push users into using their cloud storage, iCloud is presented as an added feature, which can be purchased separately from the hardware.
So, what does this mean from a security point of view? Basically, we are talking about the same class of risks as ChromeOS – all your digital content might be available to anyone who knows your password. I believe it's completely reckless nowadays to provide such a service without two factor authentication, which makes it prone to basic data theft techniques.
Of course, even if security is indeed improved through multi-factor authentication methods, we are still faced with the issue that all the data is available on the cloud, in one place. Just as Sony recently learned, the cloud is not always impenetrable - on the contrary, its fundamental nature makes it an interesting target for cybercriminals, and no doubt it will continue to be a focus for them.
In a hypothetical case when both the cloud and client devices are 99.99% secure, we still have another vulnerable layer - the network which will communicate, send, receive and authenticate customers. From this point of view we may face a new growth of attacks on the network layer – when user information can be intercepted, faked, denied and distorted. Therefore, we might see new and more sophisticated attacks on the network layer side”.