Earlier this month, Apple announced several important new data protection features for general availability in 2023 that have numerous implications for security teams across industries and geographies. Here’s the Forrester Risk and Security team’s collective analysis of these new features.
Quick summary
- The announcement isn’t particularly noteworthy in terms of the newly announced capabilities: it is an expansion of existing technologies, some of which were already available from Apple’s competitors.
- The most interesting part is how these security capabilities are implemented, applied and commercialized, and what they mean for the current debate between big government and big tech.
The announcement is most significant for a relatively small percentage of Apple users, those most at risk of nation-state hacking and other sophisticated cyber-attacks where privacy and integrity are essential.
For the typical Apple user, this announcement is good marketing. In an era where consumers pay attention to company values and the social, moral, political, and environmental impact of a company’s decisions, Apple is betting on data privacy, the number one battleground for influence in consumer value-based purchases.
Here’s a closer look at the three announced capabilities.
iMessage contact key verification
Available globally in 2023, this capability provides a visual alert to the user that someone is eavesdropping on an iMessage conversation and helps detect man-in-the-middle attacks. What Apple seems to be promising is a way for users to explicitly exchange public keys out of band, outside of iMessage, and to verify the other party’s identity. This is how PGP-style public/private key cryptography has always worked, but applying it to a mainstream P2P messaging service is an interesting idea. Hackers could still bypass this contact key verification if they compromised the user’s iPhone, iPad, or Mac endpoint.
Organizations concerned about eavesdropping and requiring verification of the identity of the other party in communications already have options in a variety of secure enterprise communications tools today. What Apple has done is bring this capability, as an option, to a far wider audience: when both parties use Apple iMessage, it works without a dedicated secure-communications product, which the average user may not have available.
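To make the out-of-band check concrete, here is an added model of the idea (written for this post, not Apple’s code): a messaging service answers public-key lookups from a directory, a contact’s key fingerprint is obtained separately over a channel the directory cannot alter, and a key substituted into the directory by an eavesdropper is caught when the two disagree. Keys are random stand-in byte strings and the fingerprint scheme is constructed; the class and function names are assumptions.

```python
import hashlib
import secrets


def make_key():
    """Stand-in public key: 32 random bytes (constructed, not a real key pair)."""
    return secrets.token_bytes(32)


def fingerprint(pubkey):
    """Short human-comparable digest of a public key (constructed scheme)."""
    return hashlib.sha256(pubkey).hexdigest()[:16]


class KeyDirectory:
    """Server-side key directory the messaging service answers lookups from."""

    def __init__(self):
        self._keys = {}

    def publish(self, user, pubkey):
        self._keys[user] = pubkey

    def lookup(self, user):
        return self._keys[user]


def mitm_substitute(directory, user, attacker_key):
    """Model a compromised directory handing out the attacker's key for `user`."""
    directory.publish(user, attacker_key)


def verify_contact(directory, contact, out_of_band_fingerprint):
    """Compare the in-band lookup with the fingerprint obtained out of band.
    Returns True when they match, False when a substitution is detected."""
    return fingerprint(directory.lookup(contact)) == out_of_band_fingerprint


def run_scenario(attack):
    """Alice verifies Bob; with attack=True the directory has been tampered with."""
    alice_key, bob_key = make_key(), make_key()
    directory = KeyDirectory()
    directory.publish("alice", alice_key)
    directory.publish("bob", bob_key)
    # Bob gives Alice his fingerprint over a channel the directory can't alter
    # (in person, voice call, ...): this is the out-of-band step.
    bob_oob = fingerprint(bob_key)
    if attack:
        mitm_substitute(directory, "bob", make_key())
    return verify_contact(directory, "bob", bob_oob)
```

The check only protects the lookup path: if Alice’s own device is compromised, the comparison itself can be faked, which is the endpoint caveat noted above.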
Security keys for Apple ID
Available globally in early 2023, this capability optionally lets a user authenticate their Apple ID with a third-party physical security key, such as a Yubico-style NFC hardware token, instead of Apple’s traditional multi-factor authentication (a push notification combined with a one-time code) sent to the user’s device. This feature is equivalent to Google’s existing Titan FIDO U2F/YubiKey implementation. Adding a “something you have” factor increases the strength of authentication on the user’s iCloud account by making the login credentials even more resistant to phishing. CISA has recently touted phishing-resistant MFA as the “gold standard” for MFA and urged its use by “high-value targets,” which include users who may have access to personnel records or highly sensitive information coveted by criminals and threat actors.
Advanced data protection
The new Advanced Data Protection capability is a phased rollout, with initial and immediate availability to members of Apple’s Beta Software Program and general availability to US users by the end of 2022; Apple’s rollout to the rest of the world is planned to begin in early 2023. This optional capability expands the categories of data that use end-to-end encryption from 14 to 23 and will now include your iCloud backup, Photos, Notes, and more. Apple users could already rely on device/client-side encryption key storage for keychain, health, and other sensitive data under the basic data protection scheme; this feature extends client/device-side key storage to iCloud Backup, Photos, Notes, and the other data types described in Apple’s iCloud data security overview. Advanced Data Protection will be available on iPhone, iPad, and Mac starting with iOS 16.2, iPadOS 16.2, and macOS 13.1.
Third-party solutions like Cryptomator, Boxcryptor, and pCloud already offer client-side encryption and key storage (keep your own key). This Apple security feature gives customers full control of encryption, resulting in at least the following: 1) Apple can only provide limited recovery options (a trusted contact or a pre-printed/generated recovery key) and 2) Apple can’t comply with a court subpoena to turn over a user’s iCloud-stored data (not surprisingly, the FBI has already raised concerns about this feature). Forrester expects some governments to try to restrict Apple’s ability to offer Advanced Data Protection in their country due to concerns about losing the ability to access customer data.
Bottom Line: Announcement Renews Focus on Big Tech vs. Big Brother Debate
Apple is positioning itself as a champion of user privacy in a world where user concerns about access to and abuse of personal data are growing. By offering these capabilities, Apple continues to raise the bar for consumer privacy and security and takes another important step in giving users greater control of their personal data.
This post was written by Principal Analyst Geoff Cairns and originally appeared here.