Apple Confirms It Uses Google's Cloud For iCloud Services

An anonymous reader quotes a report from CNBC: A file that Apple updated on its website last month provides the first acknowledgment that it's relying on Google's public cloud for data storage for its iCloud services. The disclosure is fresh evidence that Google's cloud has been picking up usage as it looks to catch up with Amazon and Microsoft in the cloud infrastructure business. Some media outlets reported on Google's iCloud win in 2016, but Apple never provided confirmation. Apple periodically publishes new versions of a PDF called the iOS Security Guide. For years the document contained language indicating that iCloud services were relying on remote data storage systems from Amazon Web Services, as well as Microsoft's Azure. But in the latest version, the Microsoft Azure reference is gone, and in its place is Google Cloud Platform. Before the January update, Apple most recently updated the iOS Security Guide in March. The latest update doesn't indicate whether Apple is using any Google cloud services other than core storage of "objects" like photos and videos. The document also doesn't make it clear when Apple started storing data in Google's cloud.

Apple stores data on Google, metadata locally

[SuperKendall]

The article doesn't seem to break it out, but I recall what Apple has been doing with storage is that they store encrypted data on third party clouds (like AWS / Google / Azure), but all of the metadata aspects are held on Apple servers so they maintain control.

So?

[jellomizer]

Should I be Shocked that Rivals in the Phone Market are being partners in an other area?

Actually compared to Google and Amazon, Apple tends to play nice in areas they are not competing in, and fiercely in areas which they are.
We See this with Apple and Google, Apple and Samsung...

While Apple being one of the worlds largest companies, it could go on its own, and play games with its rivals and mess up other areas. But they tend to play relatively nice.

Re:So?

[jellomizer]

Which company if disappeared would have change the world? The future isn't set. However if Apple never existed then we would be in a different world. Maybe somethings better, and something worse.

So why the massive datacenters?

[mbourgon]

Since they've been building datacenters for over 5 years, what are they using them for? Even the 500k square foot one in North Carolina was already overkill, more so if they're just holding metadata.

Fun task: on Windows, rip a new CD with iTunes, preferably something rare. Start Resource Monitor, go to Network, TCP Connections, Search for iTunes. Was trying to find a different network hog this weekend and saw iTunes uploading to AWS, which made no sense.

Re:So why the massive datacenters?

[AHuxley]

PRISM.

Re:So why the massive datacenters?

[known_coward_69]

probably accessing gracenote to match song names to files

apple was also looking at building out its own CDN for itunes data distribution. movies and music and app store

Re: So why the massive datacenters?

[saloomy]

You probably have iTunes Match turned on, which uploads your music in your library for your own consumption from your other devices. When the song is common to Apple's library, it's just linked and replaced with their "official" version. When it's "rare", they upload the entire track.

The benefits include cover art and metadata when available, plus a high quality version they have already stored.

Re:So why the massive datacenters?

[Anubis+IV]

Was trying to find a different network hog this weekend and saw iTunes uploading to AWS, which made no sense.

It makes sense to me. There are a number of reasons that could be happening. Just off the top of my head:
* If you have the "Genius" feature enabled (it's on by default), it's sending metadata back to Apple regarding the new songs you've added to your library so that it can improve and personalize the recommendations it makes for you. Given that many of iCloud's services are (and have been) hosted via AWS, it makes sense that you'd see a connection to them.

* It could be asking Gracenote for the CD so that it can populate the track name and other fields. I don't believe you can disable this lookup, but it isn't necessary for ripping CDs, so if you simply disable iTunes' network access things should still work just fine. You'll possibly have to provide your own track names and other data, but otherwise it shouldn't be a problem.

* It could be pulling down album artwork from the iTunes Store's servers (which, again, are oftentimes hosted on AWS). I believe you can disable this in the Store settings, but like Gracenote, it too isn't necessary, so disabling iTunes' network access won't inhibit your ability to rip CDs. It'll simply force you to have to provide your own artwork.

Mind you, none of this is intended as a defense of the abomination that is iTunes. I'm simply pointing out that there are explanations for the network activity you were seeing.

Re: So why the massive datacenters?

[mbourgon]

This (iTunes Match) is correct. My statement "which makes no sense" was them backing up to AWS, as opposed to their own datacenters.

Re:So much for Apple security

Exactly. Foolish apple worshipper.

Re:So much for Apple security

[known_coward_69]

original icloud ran on AWS and Azure

apple doesn't know cloud

Re:So much for Apple security

[jellomizer]

Normally when businesses use a cloud service (especially large ones) they normally have their legal teams evaluate the license and contract, and if they don't like it they will go back to the company and negotiate an other one.

For consumer use, we normally just want the service for free or near free, and are not willing to take months of time negotiating a new license for yourself.

Also, for particular tasks cloud computing is cheaper, and Apple for such services, my not be able to run it as affordable off of their own data centers. While their data centers probable do other tasks cheaper then via google cloud.

SPECTRE flaw impact?

[140Mandak262Jamuna]

At its core SPECTRE flaw allows any process in a machine to access and read memory of any other process. Technically two processes served by the same physical server in the cloud can read each other's memory. Users will find it very difficult to control the server they will be hosted in, they may not be able to target any particular "enemy".

But, Cloud server has total control over ALL the processes. Amazon, Azure and Google would be able to read the memory of ALL the processes they host. Usually there is no adversarial relationship between Google, Apple and the proverbial tool and die manufacturer in Kansas.

But... for Amazon, being able to read the processes used by someone in the supply chain of Walmart or CVS would be very valuable. One could argue it would be foolish for Amazon to violate the trust of its Cloud service users, it could even be very difficult and impossible to pull it off and even impossible to hide... But still this is enough to demand Walmart or CVS or Giant or Home Depot to demand none of their vendors host anything on Amazon cloud. This might provide a way for these companies to collude against Amazon without drawing the attention of FTC.

Re:SPECTRE flaw impact?

[PhunkySchtuff]

I can't see something like Spectre being an issue for the data hosted on 3rd party services. It's all stored as blobs of encrypted data. The keys to decrypt the data are stored on Apple-owned infrastructure, as are all the bits of metadata that determines what the data is for. Nowhere on AWS, Azure or Google Cloud are the keys to the encrypted data stored, just chunks of what would look like pure random noise to anyone else but Apple.
Apple may use these third-party services but it doesn't mean that they have to trust them with the security of their customer's data.

Re:SPECTRE flaw impact?

[140Mandak262Jamuna]

Apple storing data there is not the issue.

People don't just store data in the cloud. They process them there. The process has unencrypted plain data in memory.

For example Diebold runs a full supply chain inventory managemen forecast run every night. Based on orders of various models with various options in hand, promised delivery schedules, expected upgrades etc etc. When it was running it in house, using Baan, using test data it took 3 hours. When they rolled it into production, using actual data, it did not scale linearly, to 12 hours predicted run time. It went way over 48 hours, O(N^2) not O(N).

I think they eventually retired Baan, almost everyone did, Boeing was the last hold out I think, and moved to SAP. If they move to cloud, the data in the disk might be encrypted, the communications might be encrypted, but the process running has the entire order book in plain text in memory.

Re:SPECTRE flaw impact?

[PhunkySchtuff]

Yes, the difference being is that in Apple's case the computers with the keys and the metadata - the only systems that can make sense of the encrypted blobs stored with Google et al. are all 100% under Apple's control. They're not on shared hosting, they're not VPSs in someone else's datacenter. They hold the keys to the kingdom and they're owned and operated by Apple.
The only things that are stored on Google (and AWS and Azure) are encrypted blobs of data. These blobs are likely wrapped in a TLS session when travelling between the cloud storage and Apple's servers as well, but even if anyone were to pwn the Google instance, or intercept the data in flight, all they'd have is a lot of bytes that look like random data.

Re:they don't have any server hardware and if they

[Junta]

They do, however, buy third party servers for their infrastructure, including parts of iCloud hosting.

I would have also expected Apple to have more in-house cloud hosting, as *generally* when you get to very large scale, it becomes cheaper to own it rather than to rent it in absolute terms. From a capital expense versus operational expense, there is still a set of companies that are very averse to having capital, but Apple doesn't strike me as being in a position where they should have to fret about having too much capital.

No one is Jack of All Trades

[foxalopex]

At the end of the day no one company is a jack of all trades. If Google has a solid / reliable data storage infrastructure that can be had for a good price then why not? IBM at one point for example nearly self-destructed because they were a monolithic company who insisted that you had to only use their own products (Token Ring, Lotus Notes) even thou they had their massive downsides. Eventually the company broke up into micro-companies under the same name and were allowed to buy the most cost effective products instead of IBM only. I'm sure some folks at Google for example use Windows products despite it being from a competitor (Microsoft).

Re:No one is Jack of All Trades

[swillden]

I'm sure some folks at Google for example use Windows products despite it being from a competitor (Microsoft).

Very, very few. OTOH, MacBooks are everywhere.

Re: So much for Apple security

[saloomy]

It doesn't matter. The data is encrypted such that Goodle (and in some cases Apple itself) doesn't have the keys. The end user holds the keys.

Unlimited photo storage!

[martinX]

So unlimited photo storage and complete cloud backups for everything from my iPhone can't be too far away.

Re:they don't have any server hardware and if they

[tlhIngan]

They do, however, buy third party servers for their infrastructure, including parts of iCloud hosting.

I would have also expected Apple to have more in-house cloud hosting, as *generally* when you get to very large scale, it becomes cheaper to own it rather than to rent it in absolute terms. From a capital expense versus operational expense, there is still a set of companies that are very averse to having capital, but Apple doesn't strike me as being in a position where they should have to fret about having too much capital.

Perhaps Apple is offshoring the data because Google, Amazon and Microsoft have distributed data centers. The phone and other metadata is small and can hit Apple directly, but backup data is large and if it all came from Apple's few data centers, people in Asia and other places might have a long wait, whereas by using Google/Amazon/Microsoft, they have a mini-CDN set up so your large amount of data can come from a nearby server.

It would not surprise me if Apple used the same thing to cache iOS and macOS updates worldwide - iOS update day has been known to generate so much traffic it beats Netflix, so Apple is using them as a simple CDN. (And I believe since the files are signed anyways, Apple uses HTTP so intermediary cache servers will cache the file as well)

Re:So much for Apple security

[Anubis+IV]

You seem to subscribe to the misguided notion that this is a new or concerning development. It's not. The fact that Apple uses other cloud vendors as commodity services on which they build their own has been well documented for years and is even explicitly stated on a number of Apple's user-facing pages. For instance, Apple's Approach to Privacy page mentions in the section on iCloud:

If we use third-party vendors to store your information, we encrypt it and never give them the keys. Apple retains the encryption keys in our own data centers, so you can back up, sync, and share your iCloud data.

Apple hasn't exactly been shy about mentioning (in lectures, white papers, and other communications) that parts of iCloud have been built on top of S3 and Azure for the last several years. The only thing that changed recently is that they swapped Azure out for Google Cloud in some of their documentation, suggesting that Google likely outbid Microsoft the last time the contract came up for renewal. Given that Apple's cloud contracts are reported to be worth billions of dollars apiece, it's not exactly surprising that competition would be rather fierce and that Google would have been gunning for it.

As for your concerns over what the providers might do with Apple's data, as noted above, Apple is already encrypting the data at rest on those servers, but as a Slashdot reader you may want to dig your teeth into some more details. For people who are technically-minded, such as yourself, Apple has helpfully published an iOS Security Guide that does a decent job of explaining what all goes into their devices' security, including iCloud services that are used on their devices. It should be a relatively easy read for you, given that they've done a good job of taking deeply technical details and making them accessible in intermediate-level language. You'll quickly find that besides encrypting the data when it's at rest on third-party servers, they're also employing other techniques for securing their users' data, such as using end-to-end communication (with keys that they have no access to because they're always kept on-device) for a number of their services.

Aside from the technological means they've employed to secure their users' data that resides on others' servers, there's almost certainly also legal means that they're employing. With these contracts being worth as much as they are, Apple isn't simply clicking an "I Agree" button for a take-it-or-leave it Terms of Service that the rest of us have to agree to when we sign up with these providers. Rather, they're using teams of lawyers to negotiate one-off contracts with their cloud service providers...contracts which will no doubt make the lives of those providers hell should they ever try to misuse Apple's data. After all, that's how contracts between competitors tend to work.

All of which is to say, while I don't have any expectation that anyone here will rise above the standard of petty tribalism and glib comments, this site is at its best when it manages to do so. There are plenty of valid complaints to make against Apple, but flippant aspersions based on a lack of understanding about widely employed business practices that have been in use by them for years without issue is not the way to do it.

Re:they don't have any server hardware and if they

[Junta]

My point is that Apple is of sufficient scale that they already have international distributed data centers. Given they already feel the need to have such a footprint, the incremental cost to do it in-house versus outsourcing for most companies in that position would be lesser than renting the capacity.

I do know of a couple of companies that look at the cost and kick themselves, seeing that their up front decision to cloud host ended up being more costly than in-house, but so would be the cost of migrating, so they are stuck paying higher amounts on an ongoing basis.

Apple has a quarterly profit that exceeds most companies annual revenue at this point, so they have the cash flow to overcome such hurdles, unless their internal IT is just hopeless, they should be able to do a lot to seek the lowest overall cost. By the same token, Apple is on such unbelievably solid ground that they don't need to go by the 'assets are a bigger liability than expense, even if having to spend more money' philosophy that other companies are often stuck with.