Tuesday, April 10, 2007

iPods and Security

Cara Garretson at Network World published a great article today, titled Can an iPod bring down your company?. If you haven't read it already, I recommend it.

Of course, where data theft is concerned, iPods are only a specific risk due to their ubiquity. There are many other ways to steal data aside from using an iPod. The fact that seemingly every employee or visitor to a company has an iPod possibly makes it more convenient for a someone to steal data out of opportunity, but it is doubtful that iPods themselves truly present a threat. Banning iPods (or controlling whether people can download data to them) may help to keep the honest (and perhaps technically illiterate) people honest, but would do very little to protect against dishonest people.

Having said that, I do disagree with what Tom Scocca says on page 2 of the article: "Controls targeted at these devices should be based not on the type of device, but on the risk that companies are willing to accept by allowing any type of external storage device into the environment." I disagree with his assessment because the type of device certainly does matter! For example, iPods are charged by plugging them into a computer. (Yes, I realize there are alternative methods of charging iPods, but almost everyone charges them this way). Therefore, not only would it not be unusual for an employee to have an iPod plugged into his or her work computer (and therefore would not raise a red flag with a supervisor or co-worker), but merely having a large-capacity personal storage device plugged in may be enough to tempt that otherwise honest person into stealing information that they otherwise wouldn't have.

A dishonest person or one who really wants a specific piece of data is probably going to get it even without an iPod. Email, FTP, data keys, memorization, camera phones, print-outs, or whatever all put data at risk. If someone can see your data, it is at risk. If someone can't see your data but can access it (for example, an encrypted file can be located but not opened or viewed), it is at risk. David Jordan sums it up nicely at the end of page 2: "We have to rely on our trusted employees." Very true, even if his assumption, that because users agrees to an AUP when they logon they are therefore trustworthy, is assinine.

When speaking of "data" or "information" theft in these scenarios, a couple of seemingly obvious things are typically overlooked by the analysts. They never seem to mention the risk of a person stealing actual software itself. They never seem to mention the productivity loss caused by an employee doing personal work on the company's machine. They never seem to mention the risk of an employee simply downloading files from the Internet all day and copying them to his or her device when they leave for the day. They never seem to mention one of the most obvious risks of all -- that of an employee copying data from the device to the computer and therefore putting the company at risk of security vulnerabilities, lost productivity, liability due to unlicensed software being installed, and much more.

And its not just the analysts who miss the point -- Cara's story is based on or inspired by a press release put out on April 6 by a company that just so happens to sell end-point security software designed to protect against the iPod threat. It was a brilliant piece of PR that garnered a lot of attention. But the press release does miss the point: of course end-point security is a good thing, particularly these days when not a week goes by without a news story of yet another company suffering a major data breach, but it is foolhardy to think that data breaches will be completely stopped by implementing such a solution. According to the company's press release, "the company now believes that the use of iPods for "Pod Slurping" could be one of the biggest "Pocket Fraud" assets for rogue employees to store a variety of confidential data and should be banned until proper policy enforcement capabilities are in place. Well, yeah, of course they believe that! But note the "rogue employees" comment; you're not going to stop a rogue employee this way, but perhaps you will succeed in stopping the otherwise honest employee from making a mistake. You are very likely to succeed in turning off your own employees if you jump to irrational conclusions and don't think it through.

The decision to ban iPods or implement a security solution is one that many organizations should consider, but it is a decision that must be made carefully after weighing the social and monetary costs and benefits; it should not be made irrationally based on an interested party's press release!

2 comments:

Unknown said...

Brent:

You bring up some very interesting and valid points. When one looks back at the progress of technology and its use in controlling the production and dissemination of information, there have been several moments in time where the industry players predicted a "revolution" or "doomsday moment", when in fact nothing of the sort occurred. When photocopy machines were first introduced into libraries, publishers were in an uproar claiming that people would just photocopy books without paying for them, causing the book industry to collapse. Not only did this not occur, but the book industry is larger now than it ever was.

When Video Cassette Recorders (VCR's) were invented, video media producers and broadcasters viewed them as technology that would be used to contribute towards copyright infringement. This belief led to the lawsuit between Sony Corporation vs. Universal Studios Inc. In 1984, the Supreme Court of the United States found that VCR manufacturers (in this case, Sony) were not liable for a user's copyright infringement.

Both these examples support your “Honda Civic” analogy, in that they illustrate that the plaintiff focused on the technological medium that was being used, rather than the larger social dynamic at play. The book industry was not overthrown by photocopy machines because book publishers provide a more cost-effective solution; photocopying a book is a time-consuming activity that results in a poor reproduction. Book readers demand quality items, hence the price difference between hardcover and softcover texts, and the increasing demand in the quantity and variety of book titles.

I agree with you when you say that iPod's are not the only medium that can be used to compromise the security of corporate data. In fact, I would argue that there are more efficient and effective methods of data espionage. With the data storage capabilities of USB drives increasing, and their form factor reducing, USB drives are much easier to transport and conceal. I am of the belief that the author of the article decided to focus on iPods because it was more likely to gain industry and search engine attention; anything with “iPod” in the title tends to be placed into the spotlight.

I also believe that technology does not drive social directions, but that it is instead the other way around. Just because there is a technological innovation that may, for all intents and purposes, be an advancement over a previous method, its success is not guaranteed. If its role and function does not align with the values and expectations of society, it will fail. Case in point is the hype that surrounded the ebook industry, which was supposed to again spell the end of the printed book. Yes, ebooks are cheaper to produce, ship, and purchase, however, most people who read still prefer a printed book. Ebooks failed because publishers expected that technology would drive the social directions and needs of their readers.

In the same way, while technology may enable employees of a corporation to use their iPods for data theft, the fact of the matter is that technology, and its uses, is a product of social direction. Missile technology has been used to create weapons of mass destruction, and has also enabled man to reach the moon. Technology itself has no intrinsic moral or ethical value; it is the way in which we employ the technology that influences its social value. Therefore, iPods themselves hold no threat to corporate data, since the true influencer of the safety of corporate data lies within the moral and ethical base of an organization's employees.

Brent Smithurst said...

Thanks for the comments Dheeraj. Very astute, as usual. A free copy of Device Filter Mac is on its way to you...