Slashdot Mirror


IBM Bans Staff From Using Removable Storage Devices (theregister.co.uk)

An anonymous reader shares a report: In an advisory to employees, IBM global chief information security officer Shamla Naidoo said the company "is expanding the practise of prohibiting data transfer to all removable portable storage devices (eg: USB, SD card, flash drive)." The advisory stated some pockets of IBM have had this policy for a while, but "over the next few weeks we are implementing this policy worldwide." Big Blue's doing this because "the possible financial and reputational damage from misplaced, lost or misused removable portable storage devices must be minimised." IBMers are advised to use Big Blue's preferred sync 'n' share service to move data around.

8 of 167 comments

  1. Lost Productivity by zmaragdus · · Score: 4, Interesting

    But how much productivity is lost because I need to use my personal laptop to transfer screenshots from a spectrum analyzer (USB port only!) via emailing to myself? My company does basically the same thing, and as an electronics engineer that spends a bunch of time at a test bench, this SUCKS!

    --
    (((dB)))
    1. Re:Lost Productivity by PA23 · · Score: 4, Interesting

      My company does similar. When we insert a USB thumb drive the system will prompt you to encrypt the drive; the encryption locks it to your machine only. If you say "Don't encrypt" then you are limited to read-only on the device; this is so we can download data from a client.

      At least our company has a procedure for obtaining an exception to the encrypted USB drive rule if you can justify it.

    2. Re:Lost Productivity by supremebob · · Score: 4, Insightful

      IBM is way too cheap for that... they would make him apply for a one-off security exception to use a thumb drive explicitly with his old ass spectrum analyzer.

      He would still get to sit on his ass for two weeks while it got the necessary management approvals, though, and another week while IT figured out a way to circumvent their new security lockdown software without triggering nasty warning e-mails to his manager.

      But don't worry, those changes will magically disappear during the next software update, and he'll have to explain this to his NEW manager a few months down the road. Assuming that they don't just outsource the job to China first.

    3. Re:Lost Productivity by kelemvor4 · · Score: 4, Insightful

      But how much productivity is lost because I need to use my personal laptop to transfer screenshots from a spectrum analyzer (USB port only!) via emailing to myself? My company does basically the same thing, and as an electronics engineer that spends a bunch of time at a test bench, this SUCKS!

      We have had a similar policy to IBM's for a few years. A person who needs to use USB storage devices for things like you're talking about has to apply for security exceptions. Even if your employer grants a few thousand legitimate exceptions for stuff like this, they have still minimized risk by eliminating USB use by the other 200,000 employees. It does involve some overhead and time wasted when you first apply for your exception. In my opinion the benefit outweighs the drawback.

      It's a lot like changing a default security policy to DENY and only ALLOWing things you really want. Minor inconvenience in exchange for greatly improved security.

    4. Re:Lost Productivity by Baton+Rogue · · Score: 4, Informative

      Each USB device is identified independently of each other. If you plug in a USB keyboard that also has a USB port with a flash drive plugged in, the computer will see two different devices and only lock out the flash drive.

      If you are suggesting that someone can create a flash drive that the computer thinks is a keyboard, then the computer will not mount the drive to be written to since it knows that it cannot write data to a keyboard.

  2. Re:Do this and I can't do my job... by Anonymous Coward · · Score: 4, Insightful

    If you were actually in IT, then you would know that these rules apply to sysadmins in the same way that saying "stay off the couch" affects your cat's behavior.

  3. Re:Not to worry by hey! · · Score: 4, Funny

    You're supposed to use IBM Cloud Services to leak data.

    --
    Post may contain irony: discontinue use if experiencing mood swings, nausea or elevated blood pressure.
  4. Re:I guess nobody told them by The-Ixian · · Score: 5, Insightful

    It's super trivial to export data for someone already on the inside.

    I was at a company that locked down USB ports as described in this article and also proxied all web traffic, blocked all cloud file sharing services and fiddled with session cookies to web sites.

    And yet they offered PuTTY in their user-allowed, self-service app portal....

    SSH tunnel to my home network (along with whatever TCP redirects I wanted)....

    Not saying I exported data, although I did test it to see if it would work (for science!)... I just used it to do personal web browsing from my own computer.

    --
    My eyes reflect the stars and a smile lights up my face.