Using built-in cloud services

Secure use of built-in cloud services on smartphones, tablets, laptops and desktop PCs.


Most modern devices and browsers are able to sync user data and settings across devices, using built-in cloud services. Microsoft, Apple, and Google all offer the ability to sync data in this way.

This guidance will help anyone who uses a mobile device to evaluate the benefits of these services and features, as well as the security risks they can pose.

For organizations, we discuss the additional security controls required to prevent data leaking to the outside world through these services.


Why secure built-in cloud services?

Built-in cloud services typically allow for the syncing of user data and settings across devices, with access also provided through an online interface. They also provide some remote device management features, including remote locking or remote wipe if a device is lost or stolen.

For individuals, built-in cloud services can provide security benefits. For example, browsers such as Edge, Chrome, and Safari include built-in password managers which are usable ‘out of the box.’ In combination with cloud services, these allow syncing of passwords across devices to help individuals cope with the challenge of account password management. Additionally, if a device is lost or stolen, the ability for the device owner to remotely lock it or wipe it can provide protection against unauthorized access to the device and its data.

Organizations will likely want to restrict or control the use of these services, to prevent corporate data being synced to personal accounts. For organizations that own and issue mobile devices, applying technical controls using Mobile Device Management can restrict or prevent the use of built-in cloud services.

If using a Bring Your Own Device (BYOD) strategy for mobile devices, restricting access to these services is more complex. In these scenarios, it is highly likely that access to both work and personal accounts and data will be available on the same device. This presents a greater challenge for organizations to maintain separation between work and personal profiles, accounts, apps and data.


Preparation for secure use of built-in cloud services

When using built-in cloud services on mobile devices, many of the considerations listed below will be equally relevant to individuals and organizations. However, your choices may well differ.

For organizations, there are important additional considerations. Your choices here will depend on business need, isolation and separation of data, and the ownership model of the device.

We have listed questions below that will help you assess whether or not to allow the use of built-in cloud services.

For individuals

  • What cloud services are built into the device?

  • How do I set up and configure cloud-based services and accounts?

  • What data synchronization and backup services are available?

  • What device settings are available to configure built-in cloud services?

  • Where and how can the data be accessed?

  • How can I protect against unauthorized access to back-ups of my data, stored in the cloud?

  • How can I protect access to data stored on my device if it is lost or stolen?

For organizations:

  • Do users need access to built-in cloud services on mobile devices?

  • What cloud services are built into devices used within your organization?

  • What additional features on devices might become enabled as a result of signing into a built-in cloud service (e.g. find my device)? What risks arise as a result?

  • What device settings are available to configure built-in cloud services?

  • What device settings are available for isolating work and personal data to prevent data leaking outside of the organization?

  • What device settings for built-in cloud services and data isolation policies can be controlled and enforced using mobile device management?

  • If deploying devices using a BYOD strategy, it is likely that both personal data and enterprise data will be stored on the same device, with users requiring access to built-in cloud services for personal use. This presents a particularly complex challenge. Further guidance can be found on our Bring Your Own Device page.


How to use built-in cloud services securely

For individuals:

  • Choose which services to enable or disable on the device for cloud backup and syncing.

  • Set up and enable multi-factor authentication for the account you use to log in to built-in cloud services and enroll new devices. More information on multi-factor authentication can be found in the BCSF multi-factor authentication guidance.

  • Built-in password managers will usually support syncing of passwords across trusted devices, making it easier for you to use passwords securely. For more information on password managers, see this BCSF blog post on why we see them as a good thing.

  • Enable remote management features which allow you to remotely lock and wipe your devices if they are lost or stolen.

For organizations:

  • Determine organizational policy for use of built-in cloud services on mobile devices.

  • If deploying enterprise-owned and managed devices, where possible, use Mobile Device Management to disable built-in cloud services that use personal accounts. This will reduce the risk of data leaking out of the enterprise.

  • Some manufacturers allow enterprises to create accounts that can be managed by the owning organization. For example, Apple Managed ID and Google Managed Accounts can be used to help manage the risk more effectively.

  • If employees are required to have access to both personal and work data on the same device, where possible apply technical controls to provide separation of work and personal profiles, preferably using mobile device management to control, monitor and enforce this separation.
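One way an organization can check that its MDM restrictions actually disable the built-in cloud services and enforce work/personal separation, as an added example that is not part of the original guidance: it audits an Apple configuration profile (the com.apple.applicationaccess restrictions payload) against an assumed baseline of "all cloud sync off, no managed-to-unmanaged open-in". The sample profile and its payload identifier are constructed for the example; the restriction keys are Apple's, and a key that is absent counts as a gap because the platform default permits the service.

```python
import plistlib

# Apple restrictions-payload keys that govern built-in cloud sync and
# work/personal separation. Assumed baseline for an enterprise-owned, fully
# managed device on which these services are not required: all disabled.
REQUIRED_RESTRICTIONS = {
    "allowCloudBackup": False,             # iCloud device backup
    "allowCloudDocumentSync": False,       # iCloud Drive document sync
    "allowCloudKeychainSync": False,       # iCloud Keychain (passwords)
    "allowCloudPhotoLibrary": False,       # iCloud Photos
    "allowManagedAppsCloudSync": False,    # managed apps syncing via iCloud
    "allowOpenFromManagedToUnmanaged": False,  # work data into personal apps
}

# Constructed sample profile: one key still permissive, one key missing.
SAMPLE_PROFILE = {
    "PayloadType": "Configuration",
    "PayloadIdentifier": "example.restrictions.placeholder",  # placeholder
    "PayloadContent": [
        {
            "PayloadType": "com.apple.applicationaccess",
            "allowCloudBackup": False,
            "allowCloudDocumentSync": True,   # still allowed: a gap
            "allowCloudKeychainSync": False,
            "allowCloudPhotoLibrary": False,
            "allowOpenFromManagedToUnmanaged": False,
            # allowManagedAppsCloudSync absent: default is "allowed"
        }
    ],
}


def audit_profile(profile: dict) -> dict:
    """Return {key: reason} for every baseline restriction not enforced."""
    restrictions = {}
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") == "com.apple.applicationaccess":
            restrictions.update(payload)
    gaps = {}
    for key, wanted in REQUIRED_RESTRICTIONS.items():
        if key not in restrictions:
            gaps[key] = "not set (platform default allows it)"
        elif restrictions[key] != wanted:
            gaps[key] = f"set to {restrictions[key]}, expected {wanted}"
    return gaps


def audit_plist_bytes(data: bytes) -> dict:
    """Audit a .mobileconfig exported from the MDM (XML or binary plist)."""
    return audit_profile(plistlib.loads(data))


if __name__ == "__main__":
    for key, reason in audit_profile(SAMPLE_PROFILE).items():
        print(f"GAP {key}: {reason}")
```

Run it against the profile your MDM exports; an empty result means every baseline restriction is present and set to the expected value.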


More information

For individuals

We have provided links below to details on built-in services for the most popular mobile devices used today, including Windows 10, iOS, macOS, Android, and Chromebook.

For organizations

The BCSF Advanced Security Guidance provides detailed guidance for organizations on assessing the security of cloud services. This may help with assessing whether you permit use of built-in cloud services.

In scenarios where devices are enterprise owned and fully managed, the BCSF detailed platform guidance provides recommended settings for disabling access to built-in cloud services, if they are not required.

In scenarios where devices require access to work and personal data, it is likely that users, at least for personal accounts, will require access to built-in cloud services. Most device manufacturers provide mechanisms for isolating work and personal data which can be managed with MDM.

We have provided some links below for detail on the controls offered by Windows 10, iOS, and Android.

It’s important to note that, if malware is present on the device, these technical controls can be circumvented. More extensive information can be found in the bring your own device guidance.