Tuesday, July 06, 2004

the next bright idea in the name of security - ban iPods in offices

p2pnet.net - Ban iPods at work

This is just brilliant. The article quotes a ZDNet UK article saying people shouldn't be allowed to connect private storage devices such as keychain USB drives or iPods to their work computers. There are two primary reasons for this: the devices may contain viruses which can damage the network, and the devices can acquire sensitive data from the work computers.

The first of these reasons is ridiculous. You need to have company-wide anti-virus software kept up to date constantly by a central server. For all but the smallest companies, any other setup is inexcusable. And if you have that, it's as much as you can realistically do anyway. Your employees are still going to check their email and browse the web at work (unless you ban that too; I realize some people would like to do that). But if you really want to be secure, install a firewall on every computer and train your employees to use them - they keep any unauthorized program from reaching across the internet, and don't require virus updates. There are good ways to be secure, but making it a pain in the ass for people to take work home or listen to music at work is not one of them.

The second reason is ridiculous. First, if an employee wants to steal data and screw the company, a regulation against taking an iPod to work won't stop them. Even if you strip search them to somehow guarantee that they are complying with the regulation and aren't carrying any unauthorized devices, they can still most likely transmit information across the internet. And some information can be written down on paper or even committed to memory. You have to trust your employees to some extent.

Now, you can combine the two reasons and actually create a scenario in which using an iPod could make your computer less secure. Consider a brand-new virus, too new to be caught by virus definitions, which infects a home computer, spreads to the user's iPod when synching, and then spreads to the work computer when synching there. The virus does not attempt to access the internet, so the firewall is not triggered (and remember, it's too new to be caught by virus scanners); instead, it somehow locates sensitive data and pulls it from the computer, storing it on the iPod. Now, when the iPod is returned to the home computer (which is less likely to have a firewall), it uploads the sensitive data to some other place where it can be used.

This is of course completely ridiculous, which is exactly my point. And, of course, if you provide free firewalls for your employees to use at home, and they're already trained to use them, a firewall at home would prevent the data from being sent anywhere (and it would still be a secure setup).
