back to article IBM bans Dropbox, Siri and rival cloud tech at work

IBM has banned employees from using Dropbox and Apple's iCloud at work as it claws back permission to use third-party cloud services. The rethink has also resulted in a edict against the iPhone 4S's Siri voice recognition technology at Big Blue. Jeanette Horan, IBM’s chief information officer, told MIT's Technology Review that …

COMMENTS

This topic is closed for new posts.
  1. Kevin Johnston

    Bugger me, I never expected that

    Ah the joys of 'ooh new shiny' ideas from on high.

    You have to wonder how many times this happens in a company before they get ot the clue stick to beat senior management with. Has anyone ever allowed BYOD and made a saving (a real one obviously and not the bean-counter version where the cost of kit is now on someone elses budget)?

    Said it before and will say it again and again, BYOD requires compete overhaul of security BEFORE you allow it in and even then you can get blindsided by some of these apps. This cannot happen for free and in some cases will cost orders more than just handing a corporate smartphone to everyone from CEO to cleaners.

    1. Anonymous Coward
      Anonymous Coward

      Re: Bugger me, I never expected that

      Dropbox and iCloud, what a perfect way to a disgruntled employee to steal confidential information.

  2. JeffinLondon

    Exactly correct. Everyone 'wants BYOD' until there's a breech or a cost issue.

    Management is generally weak and just gives in to the noise.

    1. perlcat
      Black Helicopters

      Noise? Noise?!

      They aren't giving in to the noise. Management generally doesn't give a damn when it comes to what their subordinates want/need/use.

      Management wanted BYOD so they could Bring In Their Own Device.

    2. Blank Reg

      That's the problem right there

      A single breach can cost much more than any potential savings.

      And I disagree about him saying there is no going back. Who's in charge here? If the company decides that personal devices will not have access to company resources they can do it. Sure people will grumble but too bad, grow up and get over it.

      1. The Jase

        Re: That's the problem right there

        "Sure people will grumble but too bad, grow up and get over it."

        Considering its your own device that you pay the line rental for, you have every right to complain if they want to stop you using features on it.

        IBM can just shell out for its employees to have mobile phones then.

  3. Anonymous Coward
    Anonymous Coward

    As an IBMer

    I wish I could say that I've received some sort of communication about this ban. I haven't though.

    My manager's going to be quite upset at the Siri ban...

    1. Anonymous Coward
      Anonymous Coward

      Re: As an IBMer

      Well... its in the documentation about setting up **gasp** Notes on the iDevice. The installed policy/cert just makes it awkward to use - it cant actually block it. The more annoying thing is the password lock, complexity and change rules it puts on it. Now if they could just get SSO working (ha!).

    2. Ilgaz

      Re: As an IBMer

      Why? Does he do searches like "please tell where do we meet with Samsung execs to talk about our Apple policy?" (completely made up) like searches? :)

      If it was general motors or even a large bank, I would understand. I just don't get how can one find a job as manager at big blue and fools around with dropbox, siri, gmail etc.

      1. perlcat
        Black Helicopters

        Re: As an IBMer

        ...and why wouldn't they? They *should* be playing with outside tech, as otherwise, they will be left in the dust interface/application/function-wise. I'd consider them to be more astute than your average member of the Unwashed in learning what else is out there..

        1. Anonymous Coward
          Anonymous Coward

          Re: As an IBMer

          You're making an assumption that all IBMers are the same. Those that you say *should* be playing around with the latest outside tech would be more technical oriented and probably located in the labs. I think (while it doesn't say explicitly) the IBMers in the article that have been using dropbox, siri, webmail etc for potentially confidential information are probably the 'powerpoint slinger' types that want to use their own devices and have no idea about the security of the services that they are using.

  4. John Brookes
    WTF?

    So they make you pay for the device....

    ...tell you how you may, or may not, use said device, then whinge about the cost and the security implications?

    Who actually wins out of BYOD? The employee gets to buy their employer a deliberately-crippled device, the employer doesn't save any money, but does add to its count of disgruntled BOFHs, RIM circles ever closer to the drain, Apple/Samsung/HTC etc don't get any additional revenue (unless the used-for-work device becomes so crippled that the employees have to carry two phones anyway). What's it all for?

    1. Anonymous Coward
      Anonymous Coward

      Re: So they make you pay for the device....

      It's all about driving up the stock price and maximising the exec's bonuses. Hardware replacement cycles for employee laptops and other technology seem to get extended by 6 months or more each year, leaving some poor sods with 4 and 5 year old kit with bits falling off it, that overheats and hasn't the horespower to run the latest corporate standard applications. Eventually user frustration reaches such levels that they will embrace the idea of spending their own money on something that doesn't make them look like poor relations to customer and competitor staff, and they even accept IBM's demands to cripple the new kit with paranoid level security restrictions.

      Glad I'm off that treadmill.

    2. Anonymous Coward
      Anonymous Coward

      Re: So they make you pay for the device....

      Everyone (well, everyone competent, that is) knows that BYOD doesn't save anything and is a security nightmare. But there is a whole new potential for endpoint virtualization, security software and consulting services. BYOD is a new faff used to create whole new market for consulting and security companies.

    3. Anonymous Coward
      Anonymous Coward

      Re: So they make you pay for the device....

      Actually, a substantial number of employees appear to win from this. My employer won't spring for an iDevice, but a fairly large number of my colleagues are (astonishingly enough) very happy to buy their own for use as a work tool.

      Don't quite get that mentality, but whatever floats their boat...

  5. Anonymous Coward
    FAIL

    awesome quote from Horan.

    "An internal survey of IBM workers discovered they were "blissfully unaware" about the security risks from popular apps, according to Horan."

    If I were a competitor of IBM, I'd find the original, in audio if possible, and show it/play it to every purchasing manager where I was bidding against IBM Global Services (or whatever they're called this year.) But I'm not, so I'll just have another laugh.

    1. JEDIDIAH
      Linux

      Re: awesome quote from Horan.

      Chances are that any direct competitor to IBM has precisely the same failings.

      1. Anonymous Electronic Warfare
        Go

        Re: awesome quote from Horan.

        The Average Corporate Drone has the full range of Virus APIs readily installed:

        * XP running as Administrator (the drone this s/he is protected by the virus scannor)

        * Flash

        * Java Web Start

        * Acrobat Reader

        * MS Office

        * comprehensive, up-to-date LinkedIn profile

        * SSL connections allowed to basically anywhere. No SSL-MITM in the browser. Blind Firewall.

        So all you need to do is to build a Java/Flash/Office exploit, write a nice spearphishing email and then lob the spear. Extract gigabytes of data via Google mail/SSL. Index all connected drives and incrementally discover all the juciy stuff. Conceal your traffic by observing the drones traffic and blending in. Put your malware on shared drives to infect even more drone computers.

        1. Anonymous Electronic Warfare

          Correction

          "(the drone THINKS s/he is protected by the virus scannor"

    2. Anonymous Coward
      Anonymous Coward

      Re: awesome quote from Horan.

      Are you serious? It would not be a great plan to criticize IBM for not taking security seriously. IBM has one of the most sophisticated security frameworks in the world, even as compared to governments (which IBM probably also designed). If EMC RSA, HP (the leak kings), Symantec, etc want to compare security architectures with IBM to impress a customer, they will have made a big mistake when IBM pulls out "Minority Report" level security gear.

      1. Anonymous Coward
        Anonymous Coward

        Re: awesome quote from Horan.

        I still think it was an awesome quote (i'm not replying only to you).

        If IBM is trying to sell me a security solution and their competition comes in with a quote from IBM's CIO that says, in effect "Our employees don't understand security implication of ...," what am I supposed to think? That the CIO is an idiot? Possibly. Or that /some/ of their employees are idiots about something? Guaranteed.

        Actually, I don't take downvotes personally, but I don't collect them, either.

  6. Mr. Great Sage
    Alert

    Dropbox and security

    I actually just finished an analysis of Dropbox for the office I'm in. There are some obvious security concerns with this particular app. I seem to recall them doing an 'update' not to long ago, that had the unintended consequence of leaving their accounts wide open for anyone to access.

    Right now I have the good folks in charge trialing out SpiderOak. They heavily encrypt all the data 'before' transferring it to their servers.

    1. Ilgaz

      Re: Dropbox and security

      I don't get how do they make money or able to afford the bandwidth/ storage.

      That is enough reason for me, as a basic end user to stay away from their services especially when I can setup my 1TB+ webdav or ftp(s) server even on Windows client.

      I have no clue how people leak our private mails to companies like that for 2gb additional space. Did people, even including IBM guys lose last bits of their common sense?

    2. P. Lee
      FAIL

      Re: Dropbox and security

      What's the business need for dropbox?

      If your IT dept can't manage to do this internally, you need to think about a new IT dept.

      1. Anonymous Coward
        Anonymous Coward

        Re: Dropbox and security

        "If your IT dept can't manage to do this internally, you need to think about a new IT dept."

        Where I work, and doubtless in many others, IT can't even transfer anything [not email, not calendar entries, not files] securely between two sites in the same company, and unauthorised workarounds are the order of the day for actually getting things done, because the IT department "solutions" do not meet genuine business needs.

        If IT departments provided authorised "solutions" that were easier to use (and, behind the scenes, "better") than today's corporate IT junk, solutions that were easier to use than the unauthorised alternatives, people would work WITH the IT department rather than working AROUND the IT department. But many of them don't.

        One day, sensible people will return to thinking that IT should serve the business, and IT departments are a cost just like any other overhead. Today, the emperor's tail is wagging the dog. Style of thing.

        1. Anonymous Coward
          Anonymous Coward

          Re: Dropbox and security

          All these consumer tools are for is allowing road warrior types to do stuff they have no business doing in the first place.

          Our lot are meant to work on Citrix via 2 factor login gateway when working from home. So they can access company files, finance and CRM systems etc etc seamlessly - everything is avaialble, on work network backed up and secure. Except they can't be bothered to log in, and our web filtering policy blocks facebook and porn sites so they all want to work locally on 'their' machine. Plus they like their little private speadsheet data silos on their local My documents, hidden from the world and useless to everyone else. Then they get pissy when their 5 year old daughter deletes all their work docs from the company's machine and 'we' havn't backed them up.

  7. Ilgaz

    Anyone surprised?

    You can't even enter a hosting provider with a camera phone, can't take photo with professional equipment at a stinky shopping mall and working for a enterprise giant who wonders around with thousands of patents a year, you will store corporate documents in dropbox!

    Don't they have secure webdav?

    Lotus guys also offer mail client even to Nokia symbian which nobody (including Nokia) care about. So, forwarding your corporate mail to google since your toy has issue with Lotus?

    Man you should be glad they didn't hunt every genius and put them first in "workforce cut" list, to people who are first to go.

    1. Anonymous Coward
      Anonymous Coward

      Re: Anyone surprised?

      Speaking from experience, the Lotus Traveler apps are really awesome (surprisingly great). They are tightly integrated with Droid and iOS. Google and Apple have worked closely with IBM Lotus because, frankly, they want Lotus to be the standard on their phones for enterprise use and not the e-mail and collab from a certain mobile competitor in Redmond.

  8. Anonymous Electronic Warfare
    Flame

    BYOSER

    Bring Your Own Security Risk. That's the proper term.

    But from my experience, it does not matter much. China and the Russian Mafia already hosed all the secretos of the corpos, which isn't particularly difficult when the Drone Computer has all the Adobe and M$ crap installed, ready for exploitation.

    See RSA "Security" and their Paying Victims at Lockheed Porkworks, Marietta, GA.

  9. Don Jefe
    Meh

    Lay Off

    The awful guys managing one of the worlds most valuable brands has proven that bringing your own device to work does not increase performance and might actually hinder it. Geeks love numbers, why do they hate them when those numbers are against them?

    Unless you're in sales and covering several time zones or own the company you shouldn't need access all the time. You should be working smarter when you're on the clock then leave it when you go home. If you can't do that then you are under performing and should get axed like the tossers at HP.

    1. Anonymous Coward
      Anonymous Coward

      Re: Lay Off

      You could also look at that another way and say that IBM management are "allowing" their employees to pay for devices which remove their excuse for not being able to work when they're not in the office - this includes out of hours. My ex employer was very keen on giving us all mobile devices and this was precisely why - so they could call me on a Sunday and ask me to do work.

      I used to break them, deliberately.

  10. Anonymous Coward
    Anonymous Coward

    Love the spin put on this article

    I confess I work for IBM in the UK. Hence the anon.

    This article and the CIO's comments in particular give the impression that IBM is bowing to employee pressure. That is not necessarily the case in the UK. We were told that the crapberries (BB Pearls no one else wanted) given to employees 3 yrs ago are the last. If we want to upgrade/replace said devices IBM will contribute £100 to phones bought from the incumbent supplier vodafone. If Employees don't buy their own then IBM will supply a basic nokia phone at no charge. So this is instigated by IBM not the employees, probably in a vain attempt to reduce costs. They tried a similar con on Laptops a couple of years ago. If you want a laptop that has higher spec you pay for it on a lease and you own it at the end.

    Meanwhile they are all (phones and laptops) subject to IBM restrictions and configurations so they get well and truly nobbled.

    1. Ilgaz

      Sorry I don't get it

      So you can buy a cheap Android, logon to IBM Intranet and play ad supported games on a device which also happens to have msdos format (thanks to that idiot at google) sd card?

      Did I become a dinosaur or these guys really lost it?

  11. sueme2
    Big Brother

    if

    If IBM have done this, I suspect they have been stung. Possibly they have not, but it sounds like they found a leak, or know of a leak. It is sort of like using a search engine which retains all data about where you shop, what you buy, and how you pay, and where you bank, and that you need a cab, and ....

  12. Merefield
    Stop

    BYOD does NOT mean use insecure services

    Wait a second here - proper corporate use of BYOD is via secure client apps which never store corporate data on unauthorised external entities and allow the user to connect to internal data storage and services such as corporate email using secure communications.

    It is common sense to discourage or prohibit employees to store company data on personal cloud space, send business emails to personal webmail account, or pass company information through external services.

    This is not new - staff of large companies have been told not to use Google translate for business purposes for years!

    This has nothing to do with BYOD, its about having a proper security culture and the right tools in place for staff to be able to work full within the boundaries of the companies systems.

    BYOD is a healthy revolution, but you have to do it professionally and right!

    1. Anonymous Electronic Warfare
      Flame

      muhahaha

      Let me educate you, boy. An "employee device" is by definition under the control of the employee and 99,5% of corporate workers (let's simply call them Drones) have absolutely no clue about security risks. They will download Skype from Softonic, which is a peddler of malware - not from the official Skype site, because softonic might be quite high in the Google hitlist. They will use dubious Android appstores and equally download malware via this route. They will install "cracked" versions of payware (because M$ office is "cooler" than Abiword/Gnumeric). This stolen software will certainly contain some high-quality russkie virus.

      And now you are saying that these virus-infected devices should "connect to internal data storage ". You fancy that the corpo is safe because the data won't be saved locally by the legitimate (!) client software. What makes you think the virus will give a rat's ass about that ? The virus will happily make screenshots of the confidential data, will store it locally if it so choses and certainly will siphon off the data via SSL to a set if Google Mail accounts under the control of the virus creator. It will also nicely index all the mounted confidential data sources, so that the attacker doesn't have to download all the crap he is not interested in.

      And then, China Competitor Corporation will have the Corporate Secrets on a Gold Plate. Yeah - Bring Your Own Shit !

    2. Anonymous Coward
      Anonymous Coward

      @Merefield

      Sorry Merefield, but your naivety is astonishing!

      "Anonymous Electronic Warfare" has it right. And to underline the point, would you let an employee bring in their own laptop and give it access to the company domain without so much as a cursory inspection of it's AV software, updates status and general cleanliness? Thought not. Why not treat their smartphone with the same suspicion?

      Furthermore, don't go imagining that a set of rules and procedures will save the day. Within any group of employees there is bound to be at least one person stupid enough to ignore them.

  13. Gil Grissum

    The whole BYOD issue is a mute point for me. I'm hourly. If it's not 9am to 5pm Monday thru Friday, I'm not at my desk on my desktop PC and therefore, am not trying to access any company e-mail or intranet. If the company I work for required me to access the Intranet or check mobile e-mail they can give me a mobile device to do it with. I'm not cluttering up my personal device with company junk, nor allowing anyone from my company to access or configure my personal device. What are they going to do? Come to you and make you give them your device to configure? Unless they see you using Siri in the office, how are they going to prevent you from doing it. If I worked for IBM, I wouldn't trying to access anything company owned, from my personal device.

  14. Christian Berger

    What kind of real work could you even get done on such a device?

    I mean come on, you cannot even properly do e-mail on those devices, let alone any real work.

    I mean on a real work day I might layout part of a PCB or capture a schematic. This might work quite well on a pen-based device, but there is no software supporting it. And our software from 1998 will never support it.

    Then I might do data analysis. While there a portable device might really be useful, I need gnuplot and awk and the like to do any actual work. At best the device could be a terminal.

    And even if that would work, an overnight batch-job would probably drain the battery into emptiness.

    So at best you get the use of a dumb terminal out of those in real-life situations. Of course there are people whose job it is to pose with the newest device.

    1. Anonymous Coward
      Anonymous Coward

      Re: What kind of real work could you even get done on such a device?

      @Christian Berger

      You might be surprised how much useful work you can do on a modern phone.

      Over the weekend I had a friend around and he got alerted to some server problem or other at work. He used his iPhone to log into the appropriate server using a secure link, identify the problem, fix it and resumbit a batch job. It was quite impressive to watch.

      Oh yes, he had a small electronic gizmo which acts as a one time pad for establising a VPN connection.

      Mind you, neither his iPhone nor gizmo were BYOD. Both were supplied by his employer.

  15. jaycee331

    Respect

    Massive Kudos to IBM for being one of the first in this hyperbole rich industry for seeing through this nonsense and appreciating that cloudy services, and consumerism I.T. are not things that a company with the first clue about information security should be buying into.

    BYOD isn’t about saving money, or being employee friendly. Never has been, never will be. The whole thing obviously started when the VIP’s, who bought their shiny iPad’s on expenses, then went bitching to their IT dept’s like spoilt children as they realised they can’t do anything useful with it in terms of corporate productivity. Could have told them that before they bought it one to be honest. Idiots.

  16. dlc.usa
    Boffin

    Security Must Be Designed In

    But it cannot be if you're in a rush to mashup other people's code that hasn't even been prototyped yet (but don't worry, it WILL be secure--trust us on that).

    As a sidebar, I offer http://www.networkworld.com/news/2012/052512-cloud-security-gartner-259627.html as more proof that Gartner isn't always wrong.

  17. Anonymous Coward
    Anonymous Coward

    For crying out loud. The only reason companies like IBM sign up to such schemes is because those who are doing so gain financially from it. There's no other reason.

    I work for the company (for now) and refuse to fork out for a phone that will be restricted by them. At least with my laptop I can wipe it the moment I get it and remove the corporate crapware and trojans. As for IBM being security conscious, well, even posting as anonymous isn't worth the risk of revealing anything.

  18. Anonymous Coward
    Anonymous Coward

    Just playing catch-up

    My business card carries a certain blue "tla" logo. I work with (a) corporate laptop (IBM -er- Lenovo Thinkpad), (b) a BB 8900 Torch slider with IBM loaded security, (c) a personal MacBook Pro, and (d) iPod Torch Gen 3. The Thinkpad carries a corporate-managed image as is the case for most of us working for companies that care about all this, but it is not as locked down as I have seen elsewhere. (I also expect that to change shortly.) The Lenovo and BB are the "corporate" devices, and the Apple gear the "personal" ones - with minimal overlap. I found it humerous to see the " company-purchased" smartphone context in the article; I had to buy my own thank you very much, although the monthly contract is covered by the company. I believe this hybrid model is the a key focus of the BYOD discussion for CIO's everywhere - how to download some of the IT costs to the employees (especially capital costs for thousands of devices); laptops may be next. "You choose what you want, and connect it to the corporate network; just add our security and live by our rules while at work." Sounds peachy!

    Sometime this Fall I will be able to replace both the BB (by then 24 months old) and iPod Touch (by then 36 months old) with the new iPhone (iPhone 5). The concern I have relates to how this BYOD device works, both inside and outside of of the company. With two devices today, I have limited apps on the BB but 50+ on the iPod Touch; I synch the iPod with my Macbook. If I switch to a BYOD iPhone with IBM downloaded security, what rights do I have to use it outside of work? Can I still sync with a personal laptop for iTunes? As Well Siri won't work inside the office on WiFi, but what about on 3G/4G/LTE? What happens if I leave the company - will the company management software be removed prior to departure? If so, how can they guarantee that the phone has been properly rebuilt? Finally, if I get "infected" by an APP I have downloaded for personal use, what's the implication of this getting out onto the corporate net?

    In short, I suspect these policies will be more difficult to implement and monitor unless I am required to give up more personal device freedom than I would want. I therefore won't be at all surprised if I still have two devices by the end of the year (although one may be an iPad / iPad mini instead of the iPod). I think for most companies BYOD is going to be harder to support than currently believed.

  19. Anonymous Coward
    Anonymous Coward

    As another IBMer

    I did get a memo about this, and also about encrypting data on my IBM provided laptop.

    It's common sense to lock down certain aspects of devices.

    After reading your comments it seems that a lot of people don't understand the need to protect data, or how a modern IT support structure works.

    Don't blame the support guy for protecting your ass(ets)

This topic is closed for new posts.

Other stories you might like