Galen Gruman
Executive Editor for Global Content

Don’t fall for fearmongering about iCloud

analysis
Aug 5, 2011 · 7 mins

As iCloud's release nears, private cloud tools dubiously promise to give IT a safe haven for mobile users' data

It’s a no-win situation for IT: As Apple’s iCloud online storage and syncing service gets closer to reality (the latest credible rumors peg its release for October), lots of vendors are promoting private cloud tools to keep enterprise data out of iCloud and instead confined to IT-managed servers. But these tools simply won’t work, and IT risks wasting time and money for false security if they’re betting their data security on such an approach.

iCloud will be built in to iOS 5, which will run on most iPhones, iPads, and iPod Touches manufactured in the last several years. It will be part of Mac OS X Lion, which you can expect most Macs to run within a year. And it will be available in a limited way in Windows Vista and 7. Given the fact that iPhones and iPads now dominate corporate smartphone and tablet use, iCloud will be in nearly every business — wanted or not.

The risk of iCloud is actually less than many in IT fear: Data is synced only in compatible applications on devices tied to the same Apple ID. At iOS 5’s launch, that will be Apple Mail, iCal, and Address Book for locally stored mail, calendar items, and contacts; server-based data will remain in IMAP and Exchange servers, as before. Additionally, iPhoto (or the My Pictures folder in Windows) and Apple’s trio of iWork productivity apps — Pages, Numbers, and Keynote — will support iCloud sync as well.

Over time, more apps will use iCloud data syncing to share data across the same apps on users’ other Apple devices. The data could be synced to a user’s Apple mobile devices, Mac (likely a personal device), and in a limited way Windows (photos, bookmarks, and non-server-based email, contacts, and appointments) if the user installs iCloud on it. But other users’ devices or computers and non-Apple mobile devices will not have this capability.

The real risk in corporate data leakage has been around for a couple years, though without the panic that iCloud set off in some quarters. I’m talking about Dropbox and Box.net, the two main cloud-based file-sharing services. They work on practically everything: PCs, Macs, iOS devices, Android devices, BlackBerrys, and so on.

Many apps — especially the productivity-oriented programs most likely to be working with corporate data — have hooks to at least one of those services, for easy sharing across not only a user’s own computers and devices but anyone else he or she grants access to the Dropbox or Box.net account. (SugarSync, Google Docs, and others also offer such hooks to developers, but they’re much less widely adopted than Dropbox and Box.net within mobile apps.) The security risk of these services far outweighs that of iCloud.

Regardless of the misplaced focus on iCloud, the notion that corporate data will soon sync everywhere and anywhere, without IT’s knowledge or control, has made a lot of CIOs and CSOs worried. After all, some have to enforce various rules for legal reasons, such as the E.U.’s privacy directives and the U.S.’s HIPAA, and others have contractual requirements, such as for defense work.

Enter the private cloud purveyors, who let IT set up file-sharing servers on premise or in the cloud so that mobile and laptop users will sync their data to those authorized and managed file locations instead of to iCloud, Dropbox, Box.net, and the like. At first blush, it sounds like a reasonable solution: Give users a safe alternative for file storage and access.

But these services have two fundamental flaws.

One, they don’t replace iCloud, Dropbox, Box.net, or other public cloud storage services. They don’t integrate with mobile apps, so users can’t easily get files from or save files to them from their mobile apps. Instead, they’re basically glorified FTP clients that work separately from the mobile apps and the preintegrated cloud storage services in those apps. (SharePoint — the private internal storage cloud of choice at many enterprises — has an even worse flaw: It doesn’t support non-Microsoft clients.)

Two, for that data to be useful to the mobile (or remote) user, it has to be accessible to apps on the device. And as soon as the data is brought into an app, users can share it with other devices using iCloud or with other devices and users via other public cloud services that the app supports. So much for keeping the data away from iCloud, Dropbox, Box.net, and the like. Given that iOS and the other major mobile OSes support business-class VPNs, exactly what is the point? Simpler FTP is all I can see as the possible benefit.

To try to corral your corporate data, you can offer private cloud services, but users will default to what is easier and automatic: iCloud or a commercial service. Does that mean all hope is lost for data management in a mobile workforce? No.

A simple solution is to use a commercial service like Dropbox or Box.net, getting a corporate account that allows for IT management of access and storage location for authorized users. If you cannot use a commercial service for a legitimate security reason, then use a server/app combo internally that supports the WebDAV protocol, which many mobile productivity apps support natively as they would Dropbox and Box.net. Apple and Google support WebDAV strongly in their products (it’s part of iOS and Mac OS X, as well as Google Apps), so it’s a usual-suspect data-handling protocol for mobile developers.

Either way, if your users hook into that storage service for their productivity apps, it’ll become their default for all cloud storage in the apps that matter to you. After all, the preintegration means that users stay connected to that service across sessions, so they’re less likely to switch to a personal service once set up on yours. This does mean you need to allow for storage of personal data on those servers — otherwise, users will switch to a personal service at some point and may stay there.

This approach is not perfect, especially given the embarrassing security breach Dropbox suffered earlier this year. But tapping into a service that users will access anyhow is more realistic than setting up a private storage cloud that users have to explicitly and inconveniently work with — and therefore won’t. And remember, they can always just use email to move files around.

Until the day of fine-grained contextual mobile device management arrives, it’s best to deal with the reality on the ground: Data moves where it flows most easily.

So, focus on the data itself: Who do you allow to access it (and thus trust)? What data do you let leave your data center in the first place (by not using Web interfaces to it)? Realistically, data will find its way out of your control if a user wants it. If you accept that premise, your goal becomes building paths of least resistance so users can do the right thing without undue effort. And you can focus your active security on those actively seeking your data.

This article, “Don’t fall for fearmongering about iCloud,” was originally published at InfoWorld.com.