News

iPods and like devices pose enterprise security threat, says Gartner

• By John K. Waters
• July 12, 2004

Anyone who needed another example of just how radically network security issues have shifted over the past few years must look no further than last week's recommendation from IT industry analysts at Gartner that corporations consider banning Apple Computer's wildly popular portable music player, the iPod, from the workplace.

The Stamford, Conn.-based research company listed the iPod and other pocket-sized portable FireWire (IEEE 1394) hard-drive devices, such as those from LaCie Group and Toshiba, as well as thumb-sized USB or "keychain" drives, such as the DiskOnKey from M-Systems Flash Disk Pioneers -- and even digital cameras with smart media cards, memory sticks and compact flash storage -- as posing potentially serious risks to enterprise security.

In a Gartner research note, "How to Tackle the Threat From Portable Storage Devices," analyst Ruggero Contu pointed to such "unauthorized portable storage devices" as potential carriers of malicious code and vehicles for data theft. "High data capacity and transfer rates, and broad platform support mean that [these devices have] the capacity to quickly download much valuable corporate information, which can be easily leaked to the outside world," Contu wrote.

According to Contu, this "underlying vulnerability" has existed since the release of Microsoft Windows 2000, the first widely deployed operating system able to mount a USB storage device automatically.

"Companies are at risk of losing intellectual property and other critical corporate data," Contu wrote. "Portable storage devices are ideal for anyone intending to steal sensitive and valuable data ... Employees may also be responsible for losing data if they inadvertently mislay these devices."

Gartner recommends that companies ban employees and external contractors from linking privately owned devices to the corporate network, and consider disabling universal plug-and-play functions in enterprise computers, essentially instituting a "desktop lockdown policy" to physically restrict their use to authorized devices.

But Gartner also acknowledged the inherent usefulness of pocket-sized, plug-and-play storage devices. The idea is to establish policies for their use, to implement personal firewalls to limit what can be done on USB ports, to employ products for selectively controlling ports and encrypting data, and to utilize digital rights management technologies.

The bottom line: Businesses that fail to monitor and manage the portable storage devices their employees bring to work are putting themselves at risk. "Managers should advise on the main procedures to be followed for the eventual use of such devices," Contu wrote, "for instance to confirm the need for password and security protection [encryption] of stored corporate data. This will also help mitigate risks from loss or theft."