IBM bans USB, SD cards, flash drives and all other portable devices from every office, worldwide

End-to-end encryption is becoming more popular in companies that have something to lose. Still hackable by an adversary with sufficient resources, but tremendously better than allowing random USB access.

2 Likes

Pronounced, “The-evil-i”.

2 Likes

Arguably yes, if the company operates its own cloud and encrypts everything there.

On the other hand, if by “the cloud” they mean Amazon servers, Google services or Microsoft Azure/Office 365, forget it.

I mean, encrypts on the disk storage. TLS doesn’t matter if somebody with a password can access the data (two-factor authentication is an improvement, client-side keys on a cryptocard (USB or SD, whoops!) even better).

3 Likes

If you are consulting with IBM I would hope you wouldn’t ban their corporate cloud. This isn’t them putting their stuff on Dropbox or Google Drive. They have their own server with their own client that they can monitor.

the cloud access replacing it needs to be rock solid

Yet again the ivory tower occupants assume the entire world is flooded with always available internet access (and with sufficient speeds).

3 Likes

Since it is a private business making a decision about security measures, it’s not really a question of assuming always available internet access as it is a question of making sure they have always available internet access where they expect their employees to work. If employees can’t access their cloud servers to get the files they need to work on, that’s IBM’s problem.

Given how many (or even how few) work ‘on the road’ in countries around the world, there are bound to be employees whose momentary circumstances inconvenience IBM by preventing said employees from accessing a cloud. But yeah - that’s IBM’s problem.

You would think that, wouldn’t you? But 18 years of working with large corporate and government clients around the world has completely disabused me of that logical thought process.

That would require that program manager A who has hired the outside consultants talks to infrastructure manager B in order to allow access to cloud storage provider X. But infrastructure manager B has to get approval from Security Manager C who is on leave for 2 weeks. Her replacement isn’t comfortable making that decision, so nothing happens till manager C gets back and then you need to follow up a week later, to find that your request got lost in the backlog.

Security Manager C approves the access and responds to Infrastructure Manager B, who then forgets to follow up with Program Manager A until the consultants are on site and can’t get access to their software / documents / whatever.

PM A gets back to IM B, who then requests that outsourced infrastructure provider D make the change. They need to schedule this for the next change management meeting, and they only meet on Thursdays. But the deadline to get on the agenda is Monday midday. So now the change request is scheduled for 10 days out. At that meeting the external infrastructure vendor asks if Security Manager C approved the change, but she was double booked that day, so didn’t attend and her deputy doesn’t know. So the decision is pushed to the next week. It’s approved the next week and scheduled for the following weekend firewall rule updates.

But when that happens the firewall rule is applied to the wrong protocol / port / location etc. because of a mixup with infrastructure vendor D procuring network services from network provider E. The request is updated with the correct information, goes through the change control process and is done correctly the next weekend.

Finally contractor (me) comes to test access to the Oracle / IBM / MS secure cloud file repoistory, only to find that there’s a group policy / intrusion detection / malware application on the client laptop that prevents using the web UI. So then we start the process of getting exceptions to that.

You may think I’m exaggerating or joking - but anyone who has worked in complex corporate or government environments knows I am oversimplifying if anything.

And, yeah, to the perimeter protection folks, it makes no difference at all if the ECFSSS (Enterprise Cloud File Sharing and Synchronization Service) is Oracle, IBM, Box, Google, or whatever.

6 Likes

Are you kidding? Of course they don’t

When I worked as a systems programmer (mainframe term for ‘system administrator’ because we often also wrote code to augment the OS features), you had to bring a removable drive to IBM’s DSxxxx storage box as part of configuration. The box did not begin with any network connections although you later enabled one for ‘phone home’ support (the box could report errors to IBM via net connection, often the hardware repair guy would show up before you knew it, then install a non-disruptive fix, and go on his way). I am thinking they have to allow that kind of media use unless they’re going to say “hook this unknown disk box up to your internal network so you can ship the config to it”.

2 Likes

I think it boils down to an unfortunate problem: the vast majority of people neither know nor want to know how computers work, or basic principles of online security for that matter. Whether it’s someone scattering thumb drives around a parking lot or sending links to people to watch a cool video of dancing pigs, too many people will do the wrong thing.

Thus, you wind up with corporate policies that range from merely dickish to downright insane. Side effect: now you have a lot of people doing their damnedest to work around the restrictions that have been heaped upon them, leading to even more security headaches.

3 Likes

I think you are right - and I would put it down to education and training. Schools don’t teach good practice (at least not the ones my nieces and nephews attend) and generally demonstrate the worst practice.

And companies just assume everyone knows how to use a computer and don’t provide training or guidance (beyond a 12 page IT policy document that you sign on your first day and never see again).

Most organizations just rely on the “all staff” email once a quarter reminding people not to do X or Y and maybe passing out coffee mugs or coasters or mouse mats with security “advice”.

It’s a problem that is only going to get worse before it gets better

1 Like

I think a RPi 3 or newer will netboot off of it’s ethernet if it has no SD card, but none netboot off of the WiFi (I’m guessing they are to complex to drive out of the ROM they had available). Once you do that all the “disk access” is going to end up remote also, which will suck a lot.

You can also configure them to boot off of a USB SSD or USB Hard Drive though. Maybe they escape the ban if the USB device is larger then most people’s pockets?

Alternately I could imagine any storage “sealed inside a case” might be allowed, even if it is a SD card (and yeah, most RPi cases allow access to the SD card, but you can definitely 3D print, and I assume buy ones that don’t)

1 Like

Edward Snowden would agree I am sure.

I used a USB bridge when I worked in a secure, airgapped environment. The business required it and we knew what we were doing. Head office mandates these things and they have solutions available which might take six months to set up and cost a few million a year. At the same time you have to get stuff done right now or you don’t have a business.

So we hack stuff and removable storage is a good way to do that.

1 Like

I remember being at the product announcement when IBM first announced this sort of malarkey and told clients that they would not need on-site CEs (Customer Engineers - IBM’s mainframe hardware wranglers) permanently hanging around in their data centres any more drinking their coffee. A few decades later I still await the consumer freezer that will tell the maker when the thermostat gets a bit dodgy / washing machine that will detect when the pump is about to fail / etc, and replace the part before it fails, and all I get instead is the internet of shit things talking to people I do not trust about all my domestic arrangements. Sigh.

1 Like

That’s not gonna stop the higher ups from throwing the peons under the bus when it doesn’t work.

1 Like

ok that’s a little condescending. Then again, I’ve never worked anywhere that blocked Pandora so maybe you’re used to a more paternalistic style of interpersonal interaction…

Depends on where you work. In aerospace or defense, everything is blocked by default. If they can’t scan the content it doesn’t get on to their LAN.

1 Like

FYI the source of this story is not PC Mag, it is The Register. You’ve reported the secondary source.

1 Like