Apple Gets Serious About iOS Data Protection

At the risk of sounding like a broken record to those who have been following my columns, with mobile devices gaining parity with PCs in the pantheon of enterprise information tools, users and IT must come to grips with the snippets of sensitive data they are rapidly accumulating. Besides the usual security "hygiene" advice everyone should be tired of hearing (but I can't resist repeating: use a screen lock, the longer the password the better, use a tracking and remote-wipe service to erase data on lost or stolen devices, use a VPN on public Wi-Fi networks), some users have also recognized the need to back up their smartphone and tablet data.

As noted a couple weeks ago, several vendors have stepped into the backup software void. But at last week's Apple Worldwide Developers Conference, the 800-pound gorilla just undercut the market for many of them with iCloud.

Wireless portability, relatively limited local storage, and the nomadic nature of tablets and smartphones would seem to make the cloud an ideal mechanism for mirroring their contents. So thought Apple, as evidenced by an iCloud feature set that far exceeds rumors that ricocheted around the blogosphere. If you own or support iPhones and iPads, iCloud has you covered come fall, when the service and its enabling iOS upgrade are released.

Apple went all in with iCloud, which many expected would be little more than a music streaming and archiving service. Instead, iCloud will be a one-stop content, document, application, and configuration synchronization service for both mobile devices and PCs (although Windows users won't gain much more than document and calendar sharing).

Essentially, Apple designed iCloud to replicate the "personality" of an iPhone, iPad, and even Mac, and automatically push that personality out to every other device in a user's Apple ecosystem. Thus, iCloud can work as a backup/disaster recovery tool, as long as you trust Apple with your data. Restoring an iPhone or personalizing a new device is merely a matter of wirelessly logging in to an iTunes account and letting iCloud do the rest--personal data, purchased music (not burned, although that's a $25 add-on option), apps, books, and settings will automatically reappear.

While iCloud seems to solve the backup problems for iPhone/iPad users, Apple's announcement still leaves many questions: How might enterprise IT tap into and manage iCloud data for devices it manages? Will there be tools for central command and control? What security technologies and processes will iCloud incorporate? What about non-Apple applications; how soon will they support iCloud? What does iCloud mean for cloud file-sharing services such as Dropbox and SugarSync or for the iOS backup market writ large?

Apple's iCloud initiative has validated the need for a comprehensive (including all user-specific device data), transparent (requiring as little end-user configuration and management as possible), and cross-platform (recognizing that people generate information on many devices and need a "single version of the truth") backup system. ICloud seems to fit the bill for the Apple ecosystem and will likely set the standard for comparable cloud-based services targeting Android, Windows Mobile, and other mobile devices.

Yet Apple realizes that keeping data on the device itself from falling into the wrong hands is still an imperfectly solved problem, as evidenced by a new patent application describing potential new features in iOS local security policies and Apple's "Find My iPhone" service. The document describes enhancements to the standard PIN/passcode screen lock that could progressively increase device security after a number of failed login attempts (indicating that either the device is in the hands of a thief or the owner is very inebriated).

Currently, iOS only offers the nuclear option--a device can be configured to locally wipe all data after 10 failed login attempts. However, using this new technology, after, say, five attempts, an iPhone or iPad might selectively encrypt certain data such as contacts, notes, or locally cached email. Continued failure to guess the right passcode could prompt the device to functionally degrade by disabling outbound phone calls, text messages, or data service and enter a "surveillance mode" in which it surreptitiously records audio, video, and location to an online service like Find My iPhone.

Such dynamic adjustment of mobile device security parameters in response to suspicious activities or usage is a beautifully ingenious and promising new approach to enhancing data protection, providing users with greater control over a device's autonomous defenses while offering powerful new tools for thwarting and capturing thieves. As smartphones and tablets assume even greater roles in our online existence (eventually even replacing our wallets and credit cards), look for Apple and others to embed even more sophisticated, multilayered security systems.