Reports Tuesday that Apple had become Google’s largest customer of cloud data services – and that the iCloud data was encrypted by Apple – was viewed as a positive development by some security researchers, who said more companies need to take the shared responsibility model with cloud service providers (CSPs) seriously.
The report said Apple was on track to spend about $300 million on Google cloud storage services in 2021 – a 50% increase year-over-year. And because the data gets encrypted by Apple, Google can’t obtain the customer's iCloud information. The same also holds true for Apple iCloud data stored at Amazon Web Services, according to the report.
Apple, through its product announcements and frequent television ads, has cultivated an image as a provider focused on privacy and security – and encrypting the data in the cloud supports those goals, said Tim Erlin, vice president, product management and strategy at Tripwire.
“The use of third-party cloud storage alone shouldn’t impact that image or reality, but just like any other organization, Apple is ultimately responsible for the security of their customers’ data. When you put sensitive data into a third-party application or storage, you don’t magically give up responsibility for security.”
Law Floyd, director cloud services at Telos, said Apple's use of Google Cloud makes sense because it’s exponentially faster to use a CSP than to find space for further data center development, increase power to meet new requirements, ensure proper cooling, purchase and install equipment, as well as maintain the equipment and continually implement and monitor security controls.
“Much of this is offloaded onto the CSP, allowing the customer, in this case Apple, to focus on securing the data and providing an excellent experience to their end customer,” Floyd said. “Apple uses the inherently available security features in the Google Cloud Platform to ensure data is encrypted at rest and in transit to protect their end customer's data. Cloud providers generally focus more on the infrastructure of the cloud and not the data itself housed in the cloud. This puts responsibility on the customer to correctly implement security features, such as encryption, which it seems Apple is currently doing.”
Dirk Schrader, global vice president of security research at New Net Technologies, said we can view all the data Apple stores in Google’s cloud encrypted by Apple as a “role-model approach” to using infrastructure-as-a-service (IaaS). Schrader said many companies don’t follow that approach when using cloud storage or cloud computing power as it adds an extra layer of complexity; they forget that they still are the fully responsible entity when it is about the data given to them by their customers.
“Google calls this the ‘customer’s security responsibilities’ and expects the customer to ensure a level of security appropriate to the risk in respect of the customer’s data,” Schrader said. “In short, the customer cannot defer the risk to Google, which is a basic misunderstanding for many companies using IaaS.”