by - July 9th, 2004
Oh no! They say he's got to go
Don't go iPodzilla!
(With apologies to Blue Oyster Cult)
Bill is an IT manager for a large company that makes self-sustaining, counter-rotating mucus ratchets.
Several of Bill's coworkers enjoy using their iPods while designing mucus ratchets, or e-mailing customers. Some want to use their iPods as temporary storage so that they can ferry files home, allowing them to work on improving the self-sustaining aspect of the mucus ratchets while munching on dinner, and so allow the company to stay ahead of its competition. Other workers use other portable storage devices as well for the same purpose; cheap USB RAM drives, USB and FireWire based hard drives, and other small and very portable devices can be easily had, and their benefits are obvious.
According to some recent articles on the Net, the iPod and other devices pose a threat and a dilemma for Bill: By allowing the users of the network he manages to use their iPods and other devices as data carriers, Bill opens his network to viral threats, nasty worms, and possible data theft. Yet Bill cannot deny that the users of his network gain benefit from using iPods and other similar devices as mobile storage. Bill's question, then, is simple, but the answer may be a tough one: Do the benefits of using portable storage devices outweigh the dangers?
The articles I mentioned point to a report, titled, How to Tackle the Threat From Portable Storage Devices, published by Gartner, an IT analysis group that takes a look at the happenings in the IT world and offers advice. After reading the Gartner report I have to say that I am more than a little miffed at how some of the media has misconstrued the report.
First, the Gartner report mentions the iPod only once, and only in the context of an example, yet the media jumped on that single mention of the iPod and highlighted it in article titles as if the iPod were the next Microsoft virus ready to wreak havoc on unsuspecting corporate PCs around the world. Of course, if you read further into the articles it is often, but not always, mentioned that the iPod is merely an example of the threats posed by all portable digital media devices.
The whole business about the iPod being highlighted, and singled out as a threat to companies, is more overblown hooey than fact. The iPod is only marginally more dangerous to a network than your garden variety blank CD. These sensationalist articles may be taken as gospel by the gullible, and some folks may get the impression that the iPod is the IT version of the Anti-Christ, and must be stopped from touching their networks at all cost. The reality is that the problem that the Gartner report highlights, and the media has hyped, is merely an extrapolation of an existing problem, one that most IT managers have most likely already, um, managed.
The Gartner report, in a nutshell, says that digital media devices like hard drive and RAM based music players (example: the iPod), USB memory devices, and small portable USB and FireWire hard drives pose a threat because they could introduce malware, such as viruses, to your network, and that the amount of storage these devices contain could lead to vast amounts of data being pilfered by shady employees and unscrupulous malcontents bent on relieving your company of its lead in innovative mucus ratchet designs.
I'm torqued that the Gartner report homes in on new technology; the simple fact is that the same problem exists anytime a laptop user plugs his computer into your network, or when someone burns a CD to archive or move data to and from home. The problem existed back when diskettes were the primary means of transferring data. People put data on fistfuls of diskettes, CDs, DVD ROMs, and now USB and FireWire memory devices so that they can have the important data on mucus viscosity during the self-sustaining phase of the new hyper rotating mucus ratchet model; data they need while away from the office.
So, what's the real deal here?
The threat posed in the Gartner report is real, but, as I mentioned, it has always existed. The difference now is that the capacities of portable media have increased dramatically, which means that the scope of the threat has increased. Yet it is still no easier for IT users to do harm to your network by inadvertently infecting it than it was before; viruses, worms and the like are always small packets of code hiding in files, and can just as easily be brought into your network by a 1.5 MB diskette as a 40 GB hard drive. Virus scanners should already be turned on to check out any data source, not just e-mail and the primary drive, as any IT manager will tell you. Only now, the virus scanners have a bit more work to do.
As for the ability to grab copious amounts of data and spirit it away on a tiny hard drive, access controls should already be in place to curb such activities. If a person is not supposed to have access to sensitive files then he should not be able to copy them. Period. It should make no difference what type of media a person has at his disposal. If he is supposed to have access to rotating ratchet speeds, for instance, then he is bound by whatever non-disclosure agreement your company has in place.
The reality is that, if a person does have rightful access to data, there is little, beyond stating company policies regarding the control of that data, that an IT manager can do. Whether that person uses his own devices, or those provided by his company, makes little difference if he or she ignores policy for whatever reason. Companies mitigate this obvious weakness in their IT security chain by educating their users, but the fact remains that the end user will always be a network's soft underside.
The Gartner report also suggests encrypting or password protecting data that is to be carried around on portable devices. That's something I wholeheartedly agree with, and not just to protect mucus ratchet data. I firmly believe that the names and addresses of my friends and relatives are data every bit as important as any company's sensitive information. It's bad enough to lose an iPod; exposing the people you care about to the chance that their vital information could wind up in the hands of some nut case is not a nice thought, and I hereby ask Apple and other digital media makers to come up with a way to keep private data private. Some manufacturers of USB RAM drives have already thought about security, and now offer password protection of data stored on their devices. Apple should lead the charge to ensure that any data stored on hard drive-based devices gets the same sort of protection.
Still, locking down USB ports and other such nonsense is a waste of time for any but the most secure networks. What sense does it make to lock down USB ports, but allow the CD and DVD burners, or diskette drives, to operate? CDs will hold up to 720 MB of data and take only a few minutes to create. DVDs can hold several GBs of data; that's a lot of ratchet data to be sure, and few people bother to encrypt data stored on these devices.
Even the latest models of PDAs carry enough free memory to be equal to a good size stack of diskettes. IT security must encompass all aspects of your environment, not just new technologies. If there is a concern about someone ripping off ratchet data, all means of copying should be addressed, and done so in such a way as to inhibit initial access when possible, and maybe prohibit any but controlled copying of your data if it is deemed to be that important. Also, many companies already prohibit the use of ANY personal computer equipment or software on the company network. I would venture that a vast majority of IT managers already have controls in place to inhibit or prevent nefarious activities, making this potential mountain into a relatively tiny mole hill.
So, back to Bill and his dilemma: Does Bill really need to worry about the users of his network using iPods and the like to infect his network or transport data? In most situations, no, but Bill should think about making sure that the virus scanners he has in place check for all threats, including portable drives.
And Bill should be mindful of who has access to what data in accordance with the security policies of his program or company. Also, encryption and password protection of any sensitive data is always a good idea. If Bill is a good IT manager then most, if not all, of his bases are covered, and his self-sustaining, counter-rotating mucus ratchet data is most likely safe. The only iPod question on Bill's mind should be which model he should purchase for himself.