iCloud and the Enterprise
We’re at WWDC this week and the biggest announcement from Apple was iCloud. iCloud is a free Apple service that ensures your personal data is wirelessly synchronized to the cloud, your iOS devices, PCs, and Macs.
Data automatically going somewhere is a legitimate concern for an enterprise. Lots of questions come to the surface - how is it shared, who has access to it, what controls are there, who is in control, and many more.
The concern for data sharing
Corporations have spent billions storing, securing, archiving, and managing corporate data in systems like Exchange, Oracle, File Servers, SharePoint, EMC Documentum, and IBM FileNet. There are compliance checks and data retention policies on who accesses it and how it’s shared. IT has controlled how this data gets onto PCs via Outlook and onto devices via email clients and applications like our Moprise for SharePoint iPad application. iCloud introduces some obvious concerns with the automatic propagation of corporate data into Apple’s cloud, onto other devices, and the possible co-mingling of personal & corporate data.
The scope of iCloud
Personal - From the Apple keynote, iCloud is currently designed for synchronizing data across devices linked to a specific Apple ID. This means devices registered by a particular Apple ID will automatically be synchronized. Some families share Apple IDs so that the same music and movies are available to everyone and in these scenarios iCloud data would be synchronized across all devices. To keep your data private, you should not share devices and Apple IDs with others.
Per Application - Each application decides how it uses iCloud synchronization APIs and what data is copied into the cloud. Some (all?) of the Apple supplied applications - the iWork suite was demonstrated during the keynote - utilize iCloud. This means data shared with these applications is subject to synchronization into the cloud. For example, a corporate application that uses “open in” to view a document in Pages could have the document synchronized into the cloud and onto other devices. We will need clarity on how email configuration and email itself are synchronized to other devices. Corporations may not want Exchange email automatically showing up on rarely used personal devices, but it could be useful to easily share the configuration between a frequently used iPhone and iPad.
Per Device Backup - Today, each time a device is plugged into iTunes, a backup of all the state on the device is automatically created. This should be encrypted if corporate data is stored on the device. But in the future, with iCloud, a backup to the cloud will automatically be created. Is this automatically encrypted? Can this be disabled?
Keychain - User names and passwords are stored in the keychain for secure access by applications. This useful feature enables one-click login to websites or servers without fear of someone stealing the cached password. But synchronizing this information onto lost or rarely used devices would be a concern.
Configuration Profiles - A corporation may install configuration profiles on a device that control policies, set VPN certificates, and apply other lockdown state on the device. How this is synchronized to other devices will need to be made more transparent.
What controls are needed?
Corporate Configuration - Any “corporate owned” data and configuration clearly needs independent controls on how it should be propagated into iCloud and synchronized across devices. Enterprise certificates, VPN configuration, and Exchange configuration, at the very least, need controls to disable automatic sharing across personal devices.
Enterprise Applications - Enterprise applications already need to be designed with features like security, encryption, and data protection in mind. Enabling controls and sensible defaults around how their documents and settings are copied to the cloud will also make sense. In most cases, additional copies of corporate data outside of corporate storage systems won’t make sense.
Corporate Documents - Documents sent via email and Moprise or Coaxion SharePoint documents can be opened in productivity applications like iWork for editing or viewing. Documents passed between applications need an attribute that indicates to the iCloud APIs that they should not be synchronized into iCloud and across devices. The document file itself would hold the attribute so it survives as it is copied between apps. This would allow corporate documents to be used by iCloud enabled applications yet still preserve any corporate security decisions. Corporate apps would need to change to add this attribute but other apps do not need any changes - meaning only the apps that get value from the security need to change.
Next Steps
As consumers with multiple devices, iCloud solves lots of challenges and we welcome the ease of moving between our devices seamlessly. As well, the value provided by cloud synchronization and sharing will get greater over time as other companies like Microsoft also embrace cloud documents. As a producer of broadly used enterprise applications, we get lots of feedback from IT and CxOs on the security and integrity of corporate data brought to devices. At Moprise, we will continue to dive into the iCloud APIs and documentation provided by Apple and provide feedback on what we need to tune our enterprise applications to secure corporate IP and promote productivity across mobile devices.