How Secure are OneDrive and iCloud Storage?

Written by  Feb 21, 2020

Stored data goes into the ether somewhere and you rely on the likes of Microsoft and Apple to keep your data safe, but how safe is it?


How secure is iCloud?

Apple’s iCloud faced criticism in 2017 when cyber criminals stole photos of celebrities and published them online. It wasn't really an iCloud security issue; it had rather more to do with these individuals having their credentials compromised through successful phishing attacks. Apple actually has a pretty good reputation for maintaining security across its devices, but what does that mean for security in its cloud services?

Well, Apple says that data is encrypted both in transit (using SSL) and at rest on the server. Rather than using 256-bit AES encryption everywhere, however, it uses "a minimum of 128-bit AES" which is considerably less secure. The only place I can see 256-bit being employed is the iCloud keychain (used to store and transmit passwords and credit card data), so I have to assume all other data is protected by weaker encryption, which is not particularly encouraging.

The iCloud keychain encryption keys, however, are created on your own devices and Apple can't access them. Apple says it cannot access any of the core material that could be used to decrypt that key data and only trusted devices that you have approved can access your iCloud keychain.

Secure tokens are used for authentication when accessing iCloud from other Apple apps, for example Mail and Calendar, and there is optional two-step verification (which can be turned on at https://appleid.apple.com/account/home) via text message or device-generated code for making changes to account information or signing into iCloud from a new device.

How secure is OneDrive?

Although Microsoft Windows is the number one targeted platform for hackers and cybercriminals, OneDrive has so far remained fairly free of any serious breach. Does this mean it's more secure than iCloud? Not really, as neither of them has actually suffered a direct data breach (rather than user-compromised access) that has come to our attention. Much of the public concern surrounding OneDrive security is actually that user-error stuff once more: mainly the wrong file sharing permissions and password insecurity.

Actually, files aren't shared with other people unless you save them in the Public folder or choose to share them. Microsoft does reserve the right to scan your files for 'objectionable content' (as does Apple iCloud) which could lead to deletion of the data and your account. That is seen by many as a reason to look elsewhere as file security cannot be guaranteed if the content provider deems it objectionable.

As for data security outside the snooping realm, while data is encrypted in transit using SSL, it remains unencrypted at rest unless you are a user of OneDrive for Business. At the end of last year Microsoft introduced per-file encryption there, which encrypts files individually, each with a unique key; so if a key was compromised it would only give access to one individual file rather than the whole store. All OneDrive users do get access to two-step verification though, which further protects the login via a one-time code app or text message.

Although the cloud remains for many something of an unknown quantity as far as security is concerned, the truth is that data security is never black and white but rather fifty shades of grey. Attaining a 100% secure data storage solution is never guaranteed; you can get very close but will never actually do it. So you have to determine what is 'close enough' as far as cloud services are concerned. This determination may be decided for you if you are a business which is regulated and has to meet compliance requirements, and that may mean that not all your data can be stored in the cloud.
For consumers and most SMEs though, the cloud is actually pretty secure these days. Data encryption is key here. Just about every cloud store will encrypt data in transit, that is as it's transferred into and out of the cloud, and some (usually if you buy the business version of the service) will encrypt it at rest, or while it is being stored, as well.

When data is not encrypted at rest, or is encrypted but with the cloud provider managing the keys, it can be indexed, de-duplicated, compressed and easily restored in a worst-case scenario, but it also means that your data isn't as secure as it might otherwise be.

If you really want to ensure that your data cannot be compromised, then encrypt it yourself before you send it to your cloud storage provider. If you have control of the keys, no one can look at your data without you knowing about it. Taking control of your own data security by using an on-the-fly encryption service, such as BoxCryptor for example, is a good step towards mitigating risk in the cloud.
Another is to be aware that the weakest security link is not the cloud provider, but rather you yourself. Follow security best practice in terms of password construction and use (don't re-use passwords across services) and employ two-factor authentication where available, and your level of risk mitigation improves dramatically.
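
The advice to encrypt data yourself before upload, combined with the per-file key idea described for OneDrive for Business, can be sketched as below. This is an added example, not code from the article, BoxCryptor, Microsoft or Apple; it uses Node.js's built-in `crypto` module, and the function names, passphrase and file name are constructed for illustration.

```javascript
// Added example: client-side envelope encryption before upload (Node.js built-in crypto).
const crypto = require('node:crypto');

// Derive the master key from a passphrase on your own device; scrypt slows guessing.
function deriveMasterKey(passphrase, salt) {
  return crypto.scryptSync(passphrase, salt, 32);
}

// AES-256-GCM encrypt: returns the random nonce, the ciphertext and the auth tag.
function seal(key, plaintext, aad) {
  const iv = crypto.randomBytes(12);
  const c = crypto.createCipheriv('aes-256-gcm', key, iv);
  c.setAAD(aad);
  const ct = Buffer.concat([c.update(plaintext), c.final()]);
  return { iv, ct, tag: c.getAuthTag() };
}

// AES-256-GCM decrypt: final() throws on a wrong key or any modification.
function open(key, box, aad) {
  const d = crypto.createDecipheriv('aes-256-gcm', key, box.iv);
  d.setAAD(aad);
  d.setAuthTag(box.tag);
  return Buffer.concat([d.update(box.ct), d.final()]);
}

// Encrypt one file under a fresh random key, then wrap that key with the master key.
// Only the returned object is uploaded; the master key never leaves the device.
function encryptFile(masterKey, name, data) {
  const fileKey = crypto.randomBytes(32);
  const aad = Buffer.from(name, 'utf8'); // binds the blob to its file name
  return { name, body: seal(fileKey, data, aad), wrappedKey: seal(masterKey, fileKey, aad) };
}

function decryptFile(masterKey, blob) {
  const aad = Buffer.from(blob.name, 'utf8');
  const fileKey = open(masterKey, blob.wrappedKey, aad);
  return open(fileKey, blob.body, aad);
}

// Constructed sample data, not taken from the article.
const salt = crypto.randomBytes(16); // not secret; store it alongside the blobs
const master = deriveMasterKey('correct horse battery staple', salt);
const blob = encryptFile(master, 'tax-2019.pdf', Buffer.from('constructed sample contents'));
console.log(decryptFile(master, blob).toString());
```

Because every file gets its own random key, a leaked file key exposes one file only, while the provider stores nothing but ciphertext and wrapped keys.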
