• United States



by Jon Surmacz

Small Problem

Jul 26, 20042 mins
CSO and CISOData and Information Security

You can take your iPod with you to the mall, the gym, maybe even the library. Just dont take it to work (or into the barracks if youre a soldier in the U.K.).

iPods, the ridiculously popular digital music players from Apple (a company once known for its computers, remember?), have been getting some bad press lately in security circles anyway. Three weeks ago Gartner released a report, How to Tackle the Threat of Portable Storage Devices, which warned companies about the risks posed by iPods, keychain drives and other small gadgets with large storage capacity that connect to computers via USB or FireWire ports. A week later, Britains Ministry of Defense announced that many of those same devices would henceforth be banned from most military areas. What gives?

The technological problem here is not new. Portable media, going back to the original floppy disks, have always presented a security problem because they allow a user to easily record and distribute potentially sensitive information. If theres a difference now, its that these devices are small enough to be concealed in someones pocket and large enough to hold hundreds of megabytes or even gigabytes of data. If youre employees are trustworthy, this may not be a problem worth investigating. If your employees are not trustworthy, then maybe these devices arent your biggest security concern.

But compromising data is not the only risk posed by these so-called unauthorized devices. Gartner also warns that these devices could introduce viruses to the corporate network (again, nothing that couldnt be done already with a floppy or CD).

Gartner advises companies to develop a policy for portable storage devices (which includes awareness training for employees) and manage access of USB and FireWire ports.

Once again security executives are presented with a tradeoff: the convenience of portable media such as keychain drives versus the risks of network exposure. Does your company regulate portable storage devices? Should you start regulating them now? Tell us what you think.