Readers weigh in: Is the iPod a threat or a scapegoat?

By Cara Garretson, Network World, 04/18/07

The recent articles regarding iPod as a corporate security threat and where responsibility for securing the device lies have stimulated much debate on Network World’s Web pages.

Community

Schwab security story not comforting

Re: Is security an afterthought in virtual environments?

The insanity of Cisco software relicensing

All security forums

Many readers felt we were unfairly singling out the iPod as a security threat, noting that any MP3 player – not to mention USB drives and any other type of removable media – can be used to copy sensitive corporate data without authorization. Yet the fact that Apple has sold more than 100 million iPods separate this product from other MP3 players because of its popularity. What separates iPods from other removable media such as thumb drives is their intent; iPods were designed primarily to play music and videos, while other devices were clearly designed for file transfer. Pointing out their potential for unsuspected misuse, we believe, is doing a service for IT managers.

Here are some samplings from posts that say singling out the iPod as a security threat is unjustified:

The iPod is the threat? How many companies let their employees walk out the door with a laptop? How many let employees visit SSL secured Web sites. These are equally possible avenues of data theft.

---

This is clearly the case of a solution looking for a problem. The spectre of all those iPods out there is supposed to strike fear into the hearts of IT managers and loosen corporate purse strings. The most typical "IT Ignoramus" employee is someone like a clerk, order entry person, low-level bureaucrat, etc. without direct electronic access to sensitive information anyway. I can't imagine a non-defense related company giving middle/upper managers, sales people, engineers, etc. that have access to sensitive data "locked down" PCs, so they can't share information while on the road, or even e-mail pictures of their last vacation to a co-worker.

---

IPods have been around since 2001. USB flash drives have been around even longer. Removable media devices don't steal data, people do. An endpoint security solution is only one part of the component. If you have untrustworthy employees then no software, hardware, "network nazi," or other mechanism will keep them from stealing data, anymore than I can keep people from stealing my stapler.

Other readers felt the stories made a moot point in that every organization should already be monitoring which devices employees attach to their corporate PCs and notebooks, and blocking data transfer accordingly:

People with laptop's are usually entrusted with those devices...they sign IT policies or their systems are locked down to prevent them from extracting data. This does not mean that you let your entire network also be another unsecure security hole! Whether it's an iPod or a damn USB flash disk or even a digital camera... you lock them down altogether.

---

Our laptops and PCs are locked down tight and if the end user requires "admin" access we remotely take care of the problem if they're on the road. Should they require data to share, we take care of it before they leave. Also, low-level employees will come across sensitive material all the time through internal e-mail or other means, most especially "clerks". Your level of security all depends on your organization and the cooperation of the upper management.

---

I work at a company which is either the biggest or nearly biggest company on Earth (depends on your measure). We disabled the USB ports a few years ago, and IT only re-enable them with lots of justification. Why would any company not do this? It's not hard, enforces company IT security policies and should be part of any security strategy. Corporate documents can walk out the door either through printed copies, e-mails, USB mass storage devices, burned CDs or even hard drives being literally lifted out of a machine. Any company not locking down all of these options shouldn't try to shift the blame, and journalists shouldn't confuse the issue either.

---

At truly secure work sites, such as the Y12 or Los Alamos weapon labs, no employee or visitor is allowed to bring onto site any device that can be used to copy classified documents: no cell phones, no iPods, no PDAs, etc. Of course, these actions are only as effective as the discipline of the facility. But companies can, and should, take responsibility for securing their data. I cannot think of any way that Apple could lock-down the iPod without them depriving all users of functionality, whether legitimate or illegitimate.

There were also comments regarding whether corporations should ban iPods from the workplace:

Sheesh...What ever happened to trust between an employee and the employer? If my company told me that I could no longer have my iPod in with me at work, I'd leave it in my car. If they began to tell me that I couldn't even have one on the grounds, I'd think it was time to look for other employment. It's coming around again to be an employee's market. Be careful about how you treat those who do the actual work for your company.

---

Almost all MP3 players have the capability to act as a repository for copying and removing data, not just iPods from Apple. The question really is how do we as managers of corporate technology address the possession of devices of this sort and more importantly end point security? And then at what level of the organization? For us, all plant supervisory and lower staff are not allowed to have any device of this type, that's policy. Also we monitor for the connection of a removable media device to terminals or PCs. But with cell phones, media players and flash drives, how do you stop it without using some sort of end point control? You can't.

---

I'd also suggest a ban on briefcases and other bags of a certain size in the work place. They can not only be used to smuggle sensitive documents from the workplace, but they could smuggle in weapons and explosives.

---

We also asked readers to take two polls on the topic. To the first question, “Does your organization have any security rules regarding iPod use at work?,” 8% of the 48 respondents said yes, 90% said no, and 2% didn’t know. To the second question, “Should Apple bear some responsibility to add security to iPods?,” 88 % of the 60 respondents said no, while the remainder said yes.

The entire collection of postings and poll results can be found here. Feel free to add your two cents.