IBM Bans Staff From Using Removable Storage Devices (theregister.co.uk)
An anonymous reader shares a report: In an advisory to employees, IBM global chief information security officer Shamla Naidoo said the company "is expanding the practise of prohibiting data transfer to all removable portable storage devices (eg: USB, SD card, flash drive)." The advisory stated some pockets of IBM have had this policy for a while, but "over the next few weeks we are implementing this policy worldwide." Big Blue's doing this because "the possible financial and reputational damage from misplaced, lost or misused removable portable storage devices must be minimised." IBMers are advised to use Big Blue's preferred sync 'n' share service to move data around.
If you were actually in IT, then you would know that these rules apply to sysadmins in the same way that saying "stay off the couch" affects your cat's behavior.
IBM is way too cheap for that... they would make him apply for a one-off security exception to use a thumb drive explicitly with his old ass spectrum analyzer.
He would still get to sit on his ass for two weeks while it got the necessary management approvals, though, and another week while IT figured out a way to circumvent their new security lockdown software without triggering nasty warning e-mails to his manager.
But don't worry, those changes will magically disappear during the next software update, and he'll have to explain this to his NEW manager a few months down the road. Assuming that they don't just outsource the job to China first.
It's super trivial to export data for someone already on the inside.
I was at a company that locked down USB ports as described in this article and also proxied all web traffic, blocked all cloud file sharing services and fiddled with session cookies to web sites.
And yet they offered PuTTY in their user-allowed, self-service app portal....
SSH tunnel to my home network (along with whatever TCP redirects I wanted)....
Not saying I exported data, although I did test it to see if it would work (for science!)... I just used it to do personal web browsing from my own computer.
My eyes reflect the stars and a smile lights up my face.
But how much productivity is lost because I need to use my personal laptop to transfer screenshots from a spectrum analyzer (USB port only!) via emailing to myself? My company does basically the same thing, and as an electronics engineer that spends a bunch of time at a test bench, this SUCKS!
We have had a similar policy to IBM's for a few years. A person who needs to use USB storage devices for things like you're talking about has to apply for security exceptions. Even if your employer grants a few thousand legitimate exceptions for stuff like this, they have still minimized risk by eliminating USB use by the other 200,000 employees. It does involve some overhead and time wasted when you first apply for your exception. In my opinion the benefit outweighs the drawback.
It's a lot like changing a default security policy to DENY and only ALLOWing things you really want. Minor inconvenience in exchange for greatly improved security.