Unless you’ve been under a rock for the past couple of weeks, by now you’ve probably heard that the FBI demanded (against common sense) that Apple allow a backdoor into every iPhone in the world for criminal investigations.
The FBI got themselves into hot water by “encouraging” some IT guy somewhere to change the password, which triggers the iPhone’s encryption technology that’s built as a security defense to protect the user. And, several “key officials” within the NSA were opposed to the action against Apple in the first place. This very public move has reignited the debate about the security of our data and when it’s okay for a government agency to demand access to encrypted data (an alleged terrorist) and when it’s not (gaining access to millions of iPhones all over the world in the pursuit of justice).
Whichever side you stood on, it’s clear that the government isn’t quite keeping up with the fast-paced innovations in the technology industry. There are a lot of misconceptions about what exactly encryption and decryption mean — just like there are many misconceptions about the security of a multi-tenant solution.
What is Multi-Tenancy?
As we’ve discussed before, multi-tenancy is best thought of like an apartment building. While you have control and access over your particular apartment, the building as a whole is maintained by the owner. If something is broken, your property owner will foot the bill and make sure it’s fixed, bearing the brunt of the cost. Multi-tenancy is a popular form of SaaS that has come out of the cloud, and it’s our structure of choice here at Samanage.
As I’m sure any Apple user out there is aware, the iPhone has a pretty robust cloud capability. As an Apple user myself, I love that I can easily sync my phone or my laptop to the iCloud for almost anything, from files I need for work to pictures I’ve taken on vacation. It’s so easy and seamless that it’s easy to take it for granted as totally secure. But the idea that your information is up in the cloud (not literally, but that’s the imagery that people usually think of) leads to all sorts of concerns. Can other people see my data? Is my information secure? Clouds are fluffy and white and easy to break into!
But not so fast. The cloud is extremely secure — and I’ll tell you why.
To understand the benefits of cloud security, you have to first understand the fear.
It’s no wonder that so many people are hesitant to believe that multi-tenancy, with clients sharing the same application and having all their data housed in the same database, is actually an extremely secure model. It seems like every couple of months or so, we’re hearing about some online retailer getting hacked or some information getting leaked somewhere. PWC’s Global State of Information Security Survey 2016 reported that there were 38 percent more security incidents in 2015 than in 2014, “hard intellectual property” theft increased by 52 percent, and security incidents that were related to or caused by business partners rose 22 percent.
On the other hand, there’s also a fear that creating a backdoor into every iPhone in the world, even though it would be used only for criminal investigations, could lead to more compromises, and that we might see the percentage of security incidents gradually increase. It could be only a matter of time before someone is able to figure out how to reach this avenue and exploit it, right?
All of that information sounds bad, but the survey also found that 69 percent of businesses had a cloud-based cybersecurity program, beating out big data. So if it’s so easily compromised, why have so many businesses turned to it? Cloud providers are devoted to security, whereas other data structures may have security as an afterthought. While you may think of cloud data storage as a jumbled mess, sort of like a bunch of objects dumped into a single room without a clear organization, segmentation keeps everything separate and secure.
The very fact that the FBI wanted to gain access to decryption through a court order shows just how difficult it is to break a security feature that is built into Apple’s operating system (iOS). Apple itself doesn’t have the key to decrypt what’s on the phone. But if, say, you happened to back up your phone’s information onto the iCloud and found yourself in legal hot water (seriously, on behalf of Samanage’s legal team, don’t do anything illegal. Seriously.), the FBI could easily obtain a warrant to get your iCloud information because Apple has actually given itself the key to decrypt that data.
Why, you ask? Why would Apple allow such a vulnerability? Because they want to help their users. There’s no point in storing something in the cloud for encryption, losing it on your physical device, and then being unable to recover it because no one can decrypt it. As Walt Mossberg wrote for The Verge:
“[Apple]’s security policies for the phone are based on the fact that it’s a physical object that can be lost or stolen, so the need to protect the mass of personal data a typical iPhone contains compels the strongest possible measures. However, in the case of iCloud, while security must also be strong, Apple says it must leave itself the ability to help the user restore their data, since that’s a key purpose of the service.”
Trust Thy Security Provider
There are a lot of misconceptions about security and encryption these days, and as a multi-tenant SaaS provider, it’s something that we’re used to. That’s why we urge you to trust your provider — and if you can’t, then it’s time to find a new software company to purchase your tools from.
Here at Samanage, we don’t like to be taken off guard by anything. That’s why our app has built-in capability for automatic security sweeps to detect any potential weak points in your app’s integrity, from software that needs to be configured to early risk detection. Whenever we have an update, we always test it against the latest and most hard-hitting security-breaching technology to ensure that anything undesirable won’t be able to get access. We put the interest of our customers first.
Apple did the same with their refusal to create a backdoor in the legal battle with the FBI, and it’s also why they gave themselves access to the iCloud. While it may seem like the cloud is a murky area, remember this: If your software engineers are trustworthy, you have nothing to fear, and you’ll always get the best out of your multi-tenant (or any other) cloud security.
UPDATE: This morning, March 29, the FBI announced that they were able to break into the iPhone of Syed Rizwan Farook to further their criminal investigation into the San Bernardino shootings that took place in December of last year. While they have yet to disclose just how they were able to gain access into the phone, Apple is hoping that they will do so — so that they can learn of the vulnerability and correct it.