Slashdot Mirror
iPod: Your Portable Corporate Hellraiser
MrAndrews writes "In an article on ZDNet UK, a Gartner says that "Companies should consider banning portable storage devices such as Apple's
iPod from corporate networks as they can be used to introduce malware or
steal corporate data" I recently came into contact with a similar policy at a consulting firm that was concerned that top-secret information might escape through my USB watch, and made me leave it at the front desk every day. In that case, I know it was absurd overkill ... but is this concern a legitimate concern? No more music on the way into the office?"
Not to skirt the question, but is this really "absurd overkill?" I'm sure that USB pens/watches/etc have been a boon to corporate espionage. With a USB storage device, you don't have to worry about burning CDs or emailing your stolen information off-site.
Having said that, I do think that some companies need to quit treating their employees like potential criminals. But if you work for a company like mine, where the data is the company's life-blood I can completely understand why they'd want to keep your USB and other storage devices (like iPods) out of their space. (thin clients would have gone a long way towards solving this problem, but that's another discussion)
In that case, I know it was absurd overkill ... but is this concern a legitimate concern? No more music on the way into the office?"
No, its just a matter of scale. There are no real legitimate concerns, but every company will balance employee happiness vs the 1 in 10000 chance something will go horribly wrong with a USB watch, and just ban everything outright.
I work for a casino, and we don't allow our employees to bring in such devices either. I'm sure it still happens, but such policies are important when your customer database is vital to your income.
DeviantArt Page
NSFWI recently came into contact with a similar policy at a consulting firm that was concerned that top-secret information might escape through my USB watch, and made me leave it at the front desk every day. In that case, I know it was absurd overkill ...
How is that overkill? Sounds like a common-sense move for a firm that wants to take steps so that sensitive information doesn't just walk out the door. It's not that much different than walking in with a USB CD burner under your arm.
Stop by my site where I write about ERP systems & more
Dude,
if you don't understand or agree with this policy, you probably don't belong in the job you are doing, and don't 'get it'.
scary...
-ac
I recently came into contact with a similar policy at a consulting firm that was concerned that top-secret information might escape through my USB watch, and made me leave it at the front desk every day.
That's actually pretty generous if you're actually serious about the information the consultant handled being Top Secret. Even if it isn't, that's a much better alternative (for you) than being "let go" because you continued to wear a prohibited device after being told not to.
!#@%*)anks for hanging up the phone, dear.
What about other portable drives?
:)
What about USB keychain storage thingies?
What about FLOPPIES?!?
Of course, the whole "malware" argument is only a concern if you're running in an insecure Windows environment... am I being redundant?
Come to the University of Mars! Classes starting soon!
Cute.
Makes me thankful for my original iPod with it's Firewire connectivity only, there's no firewire ports in this office.
Yes, like you're going to win that arguement at the security door/HR rep/etc. "But my ipod only has a firewire interface, unable to connect to the computers here!"
To them, that sounds like technical nonsense that makes you even more suspecious. "He mentioned fire!"
Well, that's a pretty legitimate complaint, especially if you work in a secure building. You can't just be coming in and out with a portable hard drive and copying mechanism every day if you have secret clearance and work on DOD stuff, so it makes sense that other companies would follow suit. Besides, it's not like CD players, tape players, mp3 cd players, radios, live365.com, etc. don't exist! Just like checking your guns before entering a saloon makes sense, so does this. Sure, you might not use it, but if you did, people would sue.
stuff |
Banning personal portable storage devices (iPods, USB, powerful calculators w/ a computer connection, etc) is pretty much standard (and smart!) pratice when either government or industry classified/proprietary information is available. The risks are simply too great... the chance of soldiers dying due to a security violation or a company going under due to industrial espionage greatly trumps your desire to have a silly USB watch on your wrist all the time. If you don't like that reality, then don't take jobs that put you in contact with that sort of information in the first place.
_sig_ is away
Those in charge of company security should remember that these same employees bringing in iPods are the ones who were issued key cards to get into the building. Companies have no choice but to give their workers the benefit of the doubt.
Si la vida me da palo, yo la voy a soportar Si la vida me da palo, yo la voy a espabilar
But for a regular corporate setting the above action seems more appropriate and pro-active as someone can always sneak a usb device in.
I think it's unreasonable that someone like you is allowed near a facility containing "top secret" information.
Please explain how to secure a network so that hte users dont have access to data but can still do their job.
"Have you ever thought about just turning off the TV, sitting down with your kids, and hitting them?"
Companies should consider hiring trusted professionals. If you hire quality, professional employees and explain the policy against putting corporate data on personal devices, this should not be a problem.
Believe it or not, most professionals want to do a good job and take pride in their work. If you set reasonable policies and explain them clearly, most will want to follow them.
Do you want to grant someone enough access to your data that they could copy it onto an iPod if you don't trust them to abide by your policies? If they have that kind of access to the data, copying it to an iPod is far from the only or best way to get it out, and you're just adding an inconvenience to your employees' lives without meaningfully increasing your own security. If you believe that banning these devices would help, your problems run much deeper and you should rethink the way you're doing business.
.sig: file not found
Nokia cellphones [and I'm sure those from other manufacturers] have flash media slots in them that can accept memory at least up to 1GB in size. And with bluetooth connectivity, you could easily transfer data from your machine to cellphone, without even having to have the device in plain view.
For a start one should have half decent virus checkers etc OR (a far better solution) is to make sure your users are well informed about these things. I run a firewall and no anti-virus software and have had 1 virus in 10 years. Prevention is better than cure.
Secondly - My USB Key is a god send. It may 'only' be 128Meg but I can take work home and work on it directly on the key. I always have the most up to date docs/code with me. If I couldn't take stuff home it'd take me much longer to do. When one is working in R&D you never quite know when inspiration and a solution will hit you.
Yes - there are hazards but (for me) the benefits massively outweigh them.
Time flies like an arrow. Fruit flies like a banana.
The result? Now everyone walks around with a USB drive to move files around, or they email them to and from gmail, etc. (OR they use their iPods/Dell Pods, SonyPods)
So the system, overall, is a LOT less secure because all the company's assets are kicking around in email and USB thumb drives. But the folks in IT can cluck their tounges and think they did something useful.
Best Buy can have you arrested
The employees at companies using this policy likey have access to confidential information. Copying that to the usb storage device and walking out the door is very possible, and the only way to secure the network against this is to actually ban the devices from entry. It's absurd to just declare that a company enforcing this policy does not "run a secure network", because banning people from read access to information necessary for their job is not going to work.
can't telnet from the school due to policies? just bring Putty on a memory stick ... I'm confused, wouldn't this be better addressed with a packet filter instead of removing the telnet binary? What happens if a kid brings a laptop in?
--
lds
For better or worse, personal storage is going to increase. Cellphones, watches, ipods, all these things are becomming increasingly necessary to remain competativly productive in the modern world. Companies that dont figure out how to allow employees to use PDAs or cellphones or USB thumbdrives are going to find themselves at a disadvantage relative to companies that allow their employees to discover new ways to increase their productivity.
Not everybody is a criminal or has criminal intentions. If you don't trust an employee with an iPod, please explain why you would trust them to have access to the data in order to do their job?
A policy against iPods and other USB or other portable devices applied blindly is illusionary security at best. There are countless ways for a dishonest employee to steal data - the only mitigating factor is going to be how secure the network is - that should be the primary focus of any system administrator.
Yes and no.
Assume, for a moment, the information were truly worth classifying. And, for a moment, we'll assume that USB connectivity would be a requirement for other functions.
If I ban all USB keyfobs, pens, watches, and plush dolls, then having a USB keyfob, pen, watch, etc. would not be "normal." If I see a coworker pulling one out of his butt (literally, in your example), a red flag would be raised, and, as a good employee, I would contact the appropriate security officer. Its mere presence would be the concern, not just its use--there would be no legitimate reason for it to be on site. If there were, the security officer would have a documented exemption.
True, I could have a policy by which the iPod would be allowed but not connecting it to the machine. In this scenario, its presence would not raise any flags. I'd have to observe that it is connected to a company system to raise a flag, which might not be as obvious. The iPod would just be part of the landscape, and wouldn't get a second thought.
What of laptops? I admit that it is a bit odd to have that open while the USB drives would not be allowed. My assumption would be that, for the most secure information, wired desktops would be the norm.
Further, if the concern is the introduction of viruses, etc, it is not the same thing. Lord knows where the USB keyfob has been, but a corporate-issued laptop ostensibly should have security standards, up-to-date anti-virus software, patches, and other precautions (similar precautions for data protection, but that's another story). If the company doesn't have such policies, well, they have only themselves to blame. If they do, and the precautions are circumvented, and a virus is released, disciplinary actions can be taken against the employee (just as though they propped the back door open). This would also be why unauthorized systems would not be on the network.
are you *seriously* saying guns should be permitted on aircraft? even charlton heston would balk at that, surely?
Storage devices are security threats that should be taken seriously. The best way is not to refuse employees listening to music but rather
* hide computers away or lock them up so they can't be physically accessed. This should be combined with tight firewalls for outgoing traffic.
or
* make limitations in the software so USB storage devices or firefire disks simply won't work. Of course users can't have administrative rights.
or
* disallow sensitive information from reaching employees computers. Store things on secure servers.
I'm right now sitting at work on one of the largest corporations in the telecom business and we sure as hell don't have enough security.
Ciryon
Geez...if you let people install hardware or software on your computer then the computer really isn't yours.
Most corporate policies prohibit non-admins from installing hardware and software for STABILITY reasons. That alone should dictate policy on iPods and other such devices.
-ted
A cheaper, and more secure, alternative would be to use a floppy disk as an ID device. They put it in, their network map shows up, they copy the data. They remove the device, their network map disappears, and they go home.
It has several advantages...first, they don't have to remember to "disconnect" the flash drive. Less chance of losing data. Second, you still have that mental association between the data and the floppy. Third, the data is on a central server, where backups are made regularly. Fourth...the floppy could be formatted to only, say, 512 bytes of data. (I'm sure you can tweak superformat's settings to do that...) Nowhere near enough space to remove sensitive data from the premisis, let alone a normal filesystem.)
And if the user loses his floppy, issue him a new "key" and his old data. If you want, add some sort of CRC to the numerical key on the floppy, so that data corruption is less of a risk. Or put a backup of your only sector on the other side of the disk.
tasks(723) drafts(105) languages(484) examples(29106)
When 1GB thumb drives can be purchased, and hidden this is a policy that basically says "Hey stupid thieves, don't steal our stuff".
Which is great for stupid people, but lets face it, this is a CYA for upper management. It does nothing to address the problem, but it gives these guys a legal figleaf when data does get stolen.
Its a symptom of what's wrong with businesses; everybody's worried about the liability, and not the actual problem.
Corporate espionage is something that is feared; however, all this really does in inconvenience those who are using these devices legitimately. I would trust that in an organization who has a real security concern, that they would have appropriate ACLs in place so that data theft would be limited to what the user that already has security clearance.
Now if you have already cleared someone to be viewing and working with such data, you have much bigger problems than fearing them stealing it with a USB device. It's like trusting your employees with your business in their day to day operations but keeping office supplies under lock and key. It just doesn't make sense. If someone is intent on ripping you off, they would't go for the small stuff. Similiarly, if your business depends on these people who have access to such "crown jewel" data you'd better hope that you have a good hiring process and that you are keeping your employees happy.
A side rant: so you're all concerned about people with USB devices; yet, you're fine with shipping your data off to some foreign land for outsourcing. Hmmm... If only the world were based on logic!
Typical heavy handed IT lunacy. You're making it harder to use a possibly essential device on a machine you didn't know might need it, creating more work for yourself while gaining little to no security, as potential theives would just go to a machine that didn't have USB disabled.
I've been subverting this type of network policy since second grade, and it's easy because it lulls you into a false sense of security. "I don't have to worry about X machine, I've locked it down!" Meanwhile, us grade school kids are running video games through the shell in WordPerfect.
Want a secure network? Stop with the locks and start with the spies. Befriend your users and make them your eyes and ears. Remind them not to trust anybody and help them identify suspicious activities. Most of all, make them care. That's tough to do. But unlike being an asshole, it actually works.
Hey freaks: now you're ju
If he entrusted with the data, he can get it out, no matter how much a security monkey tries to stop him.
When corporate policy is stupid, you ignore it. Otherwise you can't do your job. The people who follow company rules no matter what are usually drones who care more about their retirement than actually doing something.
Where do you fit, I wonder?
Does not prevent someone from booting up with a Knoppix CD and accessing the network and a USB key.
Alert! A new device, known as a "Briefcase" has been increasing in popularity in the workplace. While useful for ordinary business it brings with it some sinister baggage. This nefarious device serves to conceal a large amount of objects, such as sensitive data and staplers, in a small space, enabling employee theft and espionage. While it's true that file folders have been commonplace in corporate environments for years, this new product threatens to bring unforeseen and catastrophic results. Ban it before your company falls apart and you have to spend the rest of your life living in the street trying to support your starving family.
I do think it makes sense for companies that already employ policies like searching employee belongings and metal detectors to add USB storage devices (and any data storage medium for that matter) to the list of things they check for. If you really needed to bring one in, you could have some sort of approval/checking process. As far as most companies go, I think it makes sense to judge based on whether they seem to be causing problems in the workplace, and if so, banning them or finding some other way to fix the problems. I think it would be a good idea to do virus-checking on insertion of any removeable media.
I thought this was a particularly interesting quote:
"Another potential danger is that the devices -- that typically make use of USB and FireWire -- could be used to steal large amounts of company data as they are faster to download to than CDs."
I think they've been watching too many movies. I highly doubt that most downloading of corporate data happens in a down-to-the-second race against corporate security. I think it's much more likely that most data is stolen by those with official access and all the time in the world. And I may be naive, but I think a corporate spy would be able to think of a better way to export data than an iPod.
If my personal laptop and my personal PDA are in my personal bag, not connected to anything, not even turned on, where do they get off playing with my crap? I don't drive to work, and it's exceedingly inconvenient to go to a LAN party uptown by way of northern NJ, as that means going from NYC to home to NYC again - inefficient.
There is no reason for the IT staff to be searching bags - in fact, going into my bag is a violation of corporate privacy rules. There's no rule against you having the laptop with you, as long as it's not turned on in the office.
Where I am now in Lower Manhattan, I can take it outside and connect to a public hotspot with the wifi card, and no one says anything about it.
And just as a note? The machines were running Windows NT4. You know, the OS that DOESN'T support USB in any configuration? But they gave out floppies if you asked.
The sheer magnificent idiocy of this staggered me.
Brazil has decided you're cute.
The barn door has always been open. Same old problem just a different set of devices. What has changed is the ease, speed and volume of information that can be copied. Think of the fear that was generated in paranoid organizations after the wholesale adoption of photocopiers.
A organization can best deal with the issue by treating their workers with a sense of respect. It will not prevent the employees with criminal intent from stealing information but innoculate honest workers from feeling a sense of entitlement.
A possible technological fix is to ensure that copying data to/from a removable device is logged. This does not prevent the employee from taking work home but does allow for a system administrator to track where the data is going. However this means nothing unless the logs are reviewed. It is essentially a file-nanny.
It does require that a security policy that is appropiate for the organizational goals and for departmental specifica goals.
Research is what I doing when I don't know what I am doing - Werner von Braun
Until the company outlaws laptops that people take home, calling an iPod or other portable data device a security risk is absurd.
...as Israel has trouble with suicide bombers in public, in areas that the military is guarding. We have the same problem in Iraq right now.
The person committed to a mission, for whatever reason, will have figured out what they're willing to risk to complete that mission. Frequently people will actually risk more that initially reasoned, if they see the goal. So while there are cameras, and while there are people monitoring devices brought in and out on an "official" basis, it's not hard to get stuff in and out of otherwise "secure" areas unless they are willing to literally strip search and body cavity search someone. As for espionage, If another company is paying someone enough, I doubt that the person being paid would balk at a "sign this form" or a "routine inspection" when they could hide the device in a shoe, or behind a belt, or in underwear, or any other number of places.
That being said, if a company has a policy to allow any of these memory devices then people are used to seeing them in cubicles and accept them as legitimate. If a company doesn't accept them, then if someone is seen with one at all they're subject to search. Period. End of discussion. This would help to catch a perpetrator, as there is no real deterrent.
Do not look into laser with remaining eye.
As people learn to augment their abilities using computational devices of increasingly greater power and smaller size, corporations will have the choice of either having full powered employees or having their abilities and knowledge toned down to attempt to satisfy company paranoia. What no one seems to get yet is that we are fast approaching a time when it must be assumed that everyone has the equivalent of an eidetic memory in full fidelity for everything they are ever present to. I think we need to work with this instead of attempting to fight it.
I said "applied blindly". Do you think any data is more secure if a company banned iPods? An iPod could allow somebody to transport data more easily than without, but it does nothing to secure the data itself.
Oh, and FYI, not all companies ban listening to personal music for all job types. Having happy employees can often lead to enhanced productivity. Not treating employees like potential criminals would be a good place to start in my book.
As an earlier poster said, there are jobs/situations that require high degress of security - that do have secure networks and do want to make wholesale copying of data less convenient. For those situations, and people working in them, a ban on mass USB/Firewire devices is probably already in place.
Setting rules and security on the network is only part of the task. The social aspects of data theft or mis-use has to be handled with as much attention. Now...enforcing the security becomes moot if they allow devices that can carry data outside, inside the building...
(paper can carry data too, and is a known sorce of data theft, just as the dumpster divers...)
karma, hah...
Boot machine using USB device/CD ROM/floppy or even network using Linux.
Using Samaba authenticate yourself in the Windows network, mount your loacal and network drives, copy to your USB device that has now bee recognized.
When you are finished reboot in your "secure" machine.
The only sane way to avoid foreing devices is to put a physical barrier on the computer ports (thinking about all-in-one critters) or remove the ports when possible. Anything else is just pretending you are doing something.
IANAL but write like a drunk one.
.. the problem is the people who have it.
In the old days technology like USB watches/keys/etc was the province of the geek. The technology may have been nerdy, but overall the people who used it were people who had a good chance of knowing the consequences if it was abused.
These days USB storage devices are falling into the same category as iPod's - the people who carry them are not geeks, but there not necessarily technically savvy or competent to see through the technology and respect the larger issues of security and intellectual property. Now few organisations have the balls to actually dicipline employees who screw up in ignorance (especially when those who screw up are the pointy haired bosses who want to look tech savvy).
So, the result is broad policies where the technology is banned to everyone, and the geeks run a higher risk of being busted and sacked.
USB drives are a REAL security problem. Real CIO's disable their use on the network. They even install "GOOD" virus that disable the USB storage capability on any computer attached to the corporate network. Anything less just can not be considered security. The programs I am familar with even sound an alarm when someone tries to attach a USB storage device of any kind. The more agressive ones disable network access at the router for the offending MAC device. These precoations are not perfect but they prevent >99% of the casual removal of data that is not transported by e-mail. There is even a standards group that is trying to get all USB devices to provide the owners information each time they are "Connected" so that records can be maintained of what data was moved to and from the device.