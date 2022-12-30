



Earlier this month, Apple announced several significant new data protection features for general availability in 2023. These capabilities have implications for security teams across industries and geographies. Here is the combined analysis of Forrester's security and risk analysts.

Quick summary

In terms of the features themselves, this announcement is not particularly noteworthy: it extends existing technology, some of which is already available from Apple's competitors. What is more interesting is how these security features are deployed, implemented, and marketed, and their effect on the ongoing debate between big government and big tech.

This announcement is of paramount importance to the relatively small number of Apple users who are at risk of nation-state hacking and other sophisticated cyberattacks, and for whom the privacy and integrity of their data are essential.

For the typical Apple user, this announcement is good marketing. At a time when consumers pay attention to corporate values and the social, moral, political, and environmental impact of corporate decisions, Apple is courting values-based purchasing. We expect the biggest battleground for that to be data privacy.

Below is a detailed analysis of the three announced features.

iMessage Contact Key Verification

The feature, which will be available globally in 2023, visually alerts users when an unexpected device or key appears in an iMessage conversation, helping to detect man-in-the-middle attacks. What Apple appears to promise is a way for a user to compare public-key material out of band, outside of iMessage, to verify the other party's identity. This is how PGP-style public/private key cryptography has always worked, and it is an interesting addition to consumer peer-to-peer messaging. Note that contact key verification only authenticates the far end's key; it can still be circumvented if an attacker compromises the user's iPhone, iPad, or Mac endpoint, because a compromised device can display whatever verification code the attacker wants.

Organizations concerned about eavesdropping, and wanting to verify the identity of those they communicate with, already have a variety of enterprise secure communications tools to choose from. What Apple has done is make this capability more accessible by offering it as an option whenever both parties use iMessage, without requiring a separate, proprietary secure communications product that the average user would not otherwise have.
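The attack the feature is meant to expose, and why an out-of-band fingerprint comparison catches it, can be shown in a few lines. The following is an added example, not Apple's code and not part of the original post. It models a key-distribution server that either forwards public keys honestly or substitutes an attacker's key, and a "fingerprint" the two users compare over a separate channel. The Diffie-Hellman group (a small Mersenne prime with generator 3), the fingerprint format, and the relay function are all assumptions chosen so the example runs instantly; a real messenger uses a standards-track curve and its own verification-code format.

```python
import hashlib
import secrets

# Toy Diffie-Hellman parameters (assumption: a small Mersenne prime chosen only so
# the example runs instantly; a real messenger uses a standards-track curve group).
P = 2**127 - 1
G = 3


def keypair():
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)


def shared_secret(priv: int, peer_pub: int) -> bytes:
    return hashlib.sha256(pow(peer_pub, priv, P).to_bytes(16, "big")).digest()


def fingerprint(pub: int) -> str:
    """Short, human-comparable digest of a public key: the string two people
    read to each other over a phone call or in person (assumed format)."""
    digest = hashlib.sha256(pub.to_bytes(16, "big")).hexdigest()
    return " ".join(digest[i:i + 4] for i in range(0, 24, 4))


def relay(alice_pub: int, bob_pub: int, attacker=None):
    """The key-distribution server. Honest: forwards each party's key unchanged.
    Compromised: hands both parties the attacker's key instead."""
    if attacker is None:
        return alice_pub, bob_pub          # (key Bob receives, key Alice receives)
    return attacker["pub"], attacker["pub"]


def run_exchange(mitm: bool) -> dict:
    a_priv, a_pub = keypair()
    b_priv, b_pub = keypair()
    attacker = None
    if mitm:
        m_priv, m_pub = keypair()
        attacker = {"priv": m_priv, "pub": m_pub}

    seen_by_bob, seen_by_alice = relay(a_pub, b_pub, attacker)
    k_alice = shared_secret(a_priv, seen_by_alice)
    k_bob = shared_secret(b_priv, seen_by_bob)

    # Out-of-band check: Alice compares the fingerprint of the key the server
    # gave her with the fingerprint Bob reads off his own (uncompromised) device.
    verified = fingerprint(seen_by_alice) == fingerprint(b_pub)

    attacker_can_read = False
    if attacker is not None:
        # The attacker holds one shared key with each party and re-encrypts in
        # the middle, so both parties see a "working" encrypted conversation.
        attacker_can_read = (
            shared_secret(attacker["priv"], a_pub) == k_alice
            and shared_secret(attacker["priv"], b_pub) == k_bob
        )
    return {"keys_agree": k_alice == k_bob,
            "verified": verified,
            "attacker_can_read": attacker_can_read}


if __name__ == "__main__":
    print("honest server:", run_exchange(mitm=False))
    print("attacker in the middle:", run_exchange(mitm=True))
```

Without the fingerprint comparison nothing in the protocol itself distinguishes the two runs: in both, each user ends up with a key that encrypts and decrypts messages correctly. Only the out-of-band comparison reveals that the key Alice was handed is not Bob's. This is also why the check is no stronger than the endpoint displaying the fingerprint.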

Apple ID security key

This feature will be available worldwide in early 2023. It allows a physical third-party hardware security key (a YubiKey-style NFC or USB token) to replace the traditional second factor for Apple ID authentication, the push notification plus one-time code delivered to the user's other trusted devices. It is comparable to Google's existing support for Titan and YubiKey FIDO U2F security keys. The phishing resistance does not come merely from adding a "something you have" factor: the key signs a challenge bound to the origin of the genuine site, so a look-alike site cannot obtain a response that the real service will accept. That materially strengthens authentication for users' iCloud accounts. CISA recently described phishing-resistant MFA as the gold standard and urged its adoption by high-value targets, including users with access to personnel records and other sensitive information coveted by threat actors.
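To make the origin-binding point concrete, here is an added example (not Apple's or Google's code, and not part of the original post) that models the three parties in a FIDO-style login: the security key, the browser, and the relying party. The genuine origin `https://appleid.example` and the look-alike `https://appleid-example.com` are made up. The signature is replaced by an HMAC over the same data a WebAuthn assertion signs (authenticator data plus the hash of the client data), which is an assumption made so the example needs only the standard library; what matters for the argument is which fields are covered and who writes them.

```python
import hashlib
import hmac
import json
import secrets
from urllib.parse import urlsplit


class Authenticator:
    """Hardware security key. Each credential is bound to the RP ID (the site's
    domain) it was created for and is never used for any other RP ID."""

    def __init__(self):
        self._creds = {}  # (rp_id, credential_id) -> per-credential secret

    def make_credential(self, rp_id: str) -> str:
        cred_id = secrets.token_hex(8)
        self._creds[(rp_id, cred_id)] = secrets.token_bytes(32)
        return cred_id

    def get_assertion(self, rp_id: str, cred_id: str, client_data_hash: bytes):
        key = self._creds.get((rp_id, cred_id))
        if key is None:
            raise LookupError("no credential for this RP ID")  # the key itself refuses
        auth_data = hashlib.sha256(rp_id.encode()).digest()   # rpIdHash, as in WebAuthn
        # Signature stand-in (assumption): HMAC over authenticatorData || clientDataHash.
        return auth_data, hmac.new(key, auth_data + client_data_hash, hashlib.sha256).digest()

    def export_secret(self, rp_id: str, cred_id: str) -> bytes:
        return self._creds[(rp_id, cred_id)]  # toy registration; a real key exports a public key


def browser_get(authenticator, page_origin: str, cred_id: str, challenge: str):
    """The browser, not the page, writes the origin into clientData and derives
    the RP ID from the origin the user is really on. A phishing page cannot lie."""
    rp_id = urlsplit(page_origin).hostname
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge,
                              "origin": page_origin}, sort_keys=True).encode()
    auth_data, sig = authenticator.get_assertion(rp_id, cred_id,
                                                 hashlib.sha256(client_data).digest())
    return client_data, auth_data, sig


class RelyingParty:
    def __init__(self, origin: str):
        self.origin = origin
        self.rp_id = urlsplit(origin).hostname
        self.credentials = {}
        self.pending = set()

    def register(self, authenticator) -> str:
        cred_id = authenticator.make_credential(self.rp_id)
        self.credentials[cred_id] = authenticator.export_secret(self.rp_id, cred_id)
        return cred_id

    def challenge(self) -> str:
        c = secrets.token_hex(16)
        self.pending.add(c)
        return c

    def verify(self, cred_id, client_data, auth_data, sig) -> bool:
        cd = json.loads(client_data)
        if cd.get("type") != "webauthn.get" or cd.get("origin") != self.origin:
            return False                          # origin check
        if cd.get("challenge") not in self.pending:
            return False                          # unknown or replayed challenge
        self.pending.discard(cd["challenge"])
        if auth_data != hashlib.sha256(self.rp_id.encode()).digest():
            return False                          # rpIdHash check
        key = self.credentials.get(cred_id)
        if key is None:
            return False
        expected = hmac.new(key, auth_data + hashlib.sha256(client_data).digest(),
                            hashlib.sha256).digest()
        return hmac.compare_digest(expected, sig)


def login(page_origin: str) -> str:
    """The victim's key is registered at the genuine site; the victim then visits
    page_origin, whose page (genuine or phishing) relays the genuine challenge."""
    rp = RelyingParty("https://appleid.example")       # assumed genuine origin
    auth = Authenticator()
    cred_id = rp.register(auth)
    challenge = rp.challenge()                           # a phishing proxy can relay this
    try:
        assertion = browser_get(auth, page_origin, cred_id, challenge)
    except LookupError:
        return "authenticator refused"
    return "accepted" if rp.verify(cred_id, *assertion) else "rejected"


def replay() -> bool:
    """A captured assertion cannot be submitted twice: the challenge is single-use."""
    rp = RelyingParty("https://appleid.example")
    auth = Authenticator()
    cred_id = rp.register(auth)
    assertion = browser_get(auth, rp.origin, cred_id, rp.challenge())
    return rp.verify(cred_id, *assertion) and not rp.verify(cred_id, *assertion)
```

Contrast this with a relayed one-time code: a proxy phishing site can forward a six-digit code to the real login page within its validity window and be accepted, because nothing in the code ties it to where the user typed it. Here the same relay fails twice over: the security key has no credential for `appleid-example.com` and refuses, and even an assertion minted for the right host but a different scheme carries that origin inside the signed client data, so the relying party rejects it.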

Advanced data protection

Advanced Data Protection is rolling out gradually: it was available immediately to members of the Apple Beta Software Program, reached general availability for users in the United States by the end of 2022, and is expected to begin its global rollout in early 2023. This opt-in feature expands the number of iCloud data categories protected with end-to-end encryption from 14 to 23, adding iCloud backups, photos, notes, and more. Under standard data protection, Apple users already had client/device-side storage of the encryption keys for keychain, health, and other sensitive categories; Advanced Data Protection extends device-side key storage to iCloud backups, photos, notes, and the other added categories, as described in Apple's iCloud Data Security Overview. It requires iOS 16.2, iPadOS 16.2, or macOS 13.1 or later on iPhone, iPad, and Mac.

Third-party solutions such as Cryptomator, Boxcryptor, and pCloud already offer client-side encryption with customer-held keys ("keep your own key"). This Apple feature gives customers control of the keys to their encrypted iCloud data, with at least two consequences: 1) Apple can offer only limited account recovery options (a recovery contact or a generated recovery key the user must print or store), and 2) Apple cannot decrypt and hand over the content of a user's iCloud data in response to a court order or subpoena, because it does not hold the keys (unsurprisingly, the FBI has already expressed concern about the feature). Forrester anticipates that some governments, concerned about losing access to customer data, may seek to limit Apple's ability to provide Advanced Data Protection in their countries.
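The two consequences above follow directly from where the keys live, which the following added example shows. It is a simplified model written for this post, not Apple's implementation: each item is encrypted under its own content key, and that content key is stored on the server wrapped twice, once under a key that never leaves the device and once under a key derived from the user's recovery key. The authenticated-encryption routine (`seal`/`open_`, an HMAC-SHA256 keystream with a separate MAC, standing in for AES-GCM), the PBKDF2 derivation from a 28-character recovery string, and the record layout are assumptions chosen so the example runs with only the standard library.

```python
import hashlib
import hmac
import secrets


def _subkey(key: bytes, label: bytes) -> bytes:
    return hashlib.sha256(label + key).digest()


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Toy authenticated encryption (stand-in for AES-GCM): nonce || ciphertext || tag."""
    enc, mac = _subkey(key, b"enc"), _subkey(key, b"mac")
    nonce = secrets.token_bytes(16)
    stream = b"".join(hmac.new(enc, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                      for i in range((len(plaintext) + 31) // 32))
    ct = bytes(p ^ s for p, s in zip(plaintext, stream))
    tag = hmac.new(mac, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def open_(key: bytes, blob: bytes) -> bytes:
    enc, mac = _subkey(key, b"enc"), _subkey(key, b"mac")
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(mac, nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("wrong key or tampered data")
    stream = b"".join(hmac.new(enc, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                      for i in range((len(ct) + 31) // 32))
    return bytes(c ^ s for c, s in zip(ct, stream))


def recovery_kek(recovery_key: str) -> bytes:
    """Key-encryption key derived from the human-readable recovery key (assumed KDF)."""
    return hashlib.pbkdf2_hmac("sha256", recovery_key.encode(), b"adp-recovery", 100_000)


class CloudServer:
    """What the provider holds in this model: ciphertext, plus content keys
    wrapped under keys it does not possess."""

    def __init__(self):
        self.records = {}

    def put(self, path: str, record: dict):
        self.records[path] = record

    def produce_for_legal_request(self, path: str) -> dict:
        return dict(self.records[path])   # everything it is able to hand over


class Device:
    def __init__(self, recovery_key: str):
        self.device_key = secrets.token_bytes(32)   # model assumption: never leaves the device
        self.recovery_kek = recovery_kek(recovery_key)

    def upload(self, server: CloudServer, path: str, plaintext: bytes):
        content_key = secrets.token_bytes(32)        # fresh per-item key
        server.put(path, {
            "ciphertext": seal(content_key, plaintext),
            "key_for_device": seal(self.device_key, content_key),
            "key_for_recovery": seal(self.recovery_kek, content_key),
        })

    def download(self, server: CloudServer, path: str) -> bytes:
        rec = server.records[path]
        return open_(open_(self.device_key, rec["key_for_device"]), rec["ciphertext"])


def recover(record: dict, recovery_key: str) -> bytes:
    """Account recovery on a new device: only the recovery key unwraps the content key."""
    content_key = open_(recovery_kek(recovery_key), record["key_for_recovery"])
    return open_(content_key, record["ciphertext"])


def demo() -> dict:
    recovery_key = secrets.token_hex(14)          # 28-character string shown to the user once
    server, phone = CloudServer(), Device(recovery_key)
    sample = b"passport no. 123456789 (constructed sample note)"
    phone.upload(server, "Notes/passport.txt", sample)
    produced = server.produce_for_legal_request("Notes/passport.txt")

    def attempt(fn):
        try:
            return fn()
        except ValueError:
            return None                            # authentication failed: no plaintext

    return {
        "device_reads": phone.download(server, "Notes/passport.txt"),
        "recovery_reads": recover(produced, recovery_key),
        "guessed_key": attempt(lambda: open_(secrets.token_bytes(32), produced["ciphertext"])),
        "wrong_recovery_key": attempt(lambda: recover(produced, secrets.token_hex(14))),
        "plaintext_on_server": any(b"passport" in v for v in produced.values()),
    }
```

The record the server can produce contains no plaintext and no usable key, so a legal request yields only ciphertext; the enrolled device and the recovery key are the only two paths back to the data, which is exactly why the recovery options are limited and why losing both means the provider cannot help.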

Bottom Line: This Announcement Refocuses the Big Tech vs. Big Brother Debate

Apple has established itself as an advocate for user privacy in a world where users are increasingly concerned about who can access and misuse their personal data. By providing these features, Apple continues to raise the bar on consumer privacy and security, and takes another important step toward giving users more control over their personal data.

This post was written by Principal Analyst Geoff Cairns and originally posted here.

