IBM bans all removable storage, for all staff, everywhere

IBM has banned its staff from using removable storage devices. In an advisory to employees, IBM global chief information security officer Shamla Naidoo said the company “is expanding the practice of prohibiting data transfer to all removable portable storage devices (eg: USB, SD card, flash drive).” The advisory stated some …

Anonymous Coward

Timing makes this a little ironic

IBM Privileged Users, which some people have referred to, have to use an IBM created Linux platform called OpenClient. These are users who have a need to hold privileged information on their workstations, be it client confidential, personal data or commercially sensitive.

For stock deployments of OpenClient, RedHat Enterprise has been used as the base Linux (although it can sit on SuSE, Ubuntu or Debian), and for a long time the RedHat version has been RHEL 6.

RHEL 6 goes out of support in June, so many IBMers in positions that need secure systems have just been told to upgrade to an OpenClient release based on RHEL 7.

The re-installation process, as defined by IBM, involves a 16GB USB memory stick.

So, privileged users, on systems that are not allowed to have USB memory sticks plugged in, have been told to use a USB stick to perform the update, and now company policy prohibits using removable storage at a different level as well! Brilliant.

Maybe IBM should go back to using 3278 green-screen terminals, NOSS/PROFS and SNA. I hear some of the (few) remaining old buildings may still have IBM Structured Cabling for 3270 coax and Token Ring.

6
0
Anonymous Coward

Re: Timing makes this a little ironic

RHEL 6 goes out of support in June, so many IBMers in positions that need secure systems have just been told to upgrade to an OpenClient release based on RHEL 7.

The re-installation process, as defined by IBM, involves a 16GB USB memory stick.

I remember hearing a rumor (when I was still there) that IBM was considering moving Privileged Users to MSWin10. May have been unfounded, but it certainly sounded sufficiently boneheaded for IBM to be doing it.

2
0

Laptops

I wonder if there will be an outright ban on laptops as well... the potential data loss on them is much higher; they aren't lost / robbed as often as USB pens, but there are a number of unclaimed laptops dotted across the planet.

1
0
Bronze badge

Re: Laptops

It's all about full disk encryption now, so our laptops are safe for now. If we lose that, they'll lock us all in vaults with cameras hovering over us to manage our every little move.

0
0
Anonymous Coward

Re: Laptops

I wonder if there will be an outright ban on laptops as well... the potential data loss on them is much higher; they aren't lost / robbed as often as USB pens, but there are a number of unclaimed laptops dotted across the planet.

"We're taking away your laptops now. Here's a quill pen and ONE sheet of parchment paper. Use it sparingly. What, you wanted ink for that pen? Sorry, not budgeted for that."

Hey, it's not like they're a high-tech computer company... oh, wait...

0
1

Practically every big organisation I've worked in has had a restriction on non-authorised or un-encrypted removable media.

Frankly I'm a little bit disappointed they haven't been doing this up till now, lol.

As much as we'd like to think it's not the case, IT workers are not immune to accidents and big business is not immune to corporate espionage.

There are certainly ways to manage this and yes it takes more time and wading through more tape, but ultimately it protects both the user and company.

2
1
Anonymous Coward

Practically every big organisation I've worked in has had a restriction on non-authorised or un-encrypted removable media.

...

There are certainly ways to manage this and yes it takes more time and wading through more tape, but ultimately it protects both the user and company.

And for many other companies it would look like sensible and intelligent security management. But this is IBM, where every day looks like an IT version of The Benny Hill Show. So it ends up being just a bunch of clueless managers drilling a few more holes in the bottom of the ship.

2
0

Neuromancer

The Prophet William Gibson spake thus.

3
0
Anonymous Coward

Great idea - until you are working at a client that also prohibits online file transfers (as I was earlier in the year). At that point you spend the best part of two days trying to get around the various restrictions in order to deliver documents that are larger than the email attachment limit.

8
0
Silver badge

Unless you're the client rep*, if you can't do your job bounce it up the management chain and let them deal with it. That's what they're paid for.

* If you are the client rep, you're probably measured on actually GETTING the job done as opposed to just TRYING to get the job done. In which case - tell your sales manager, who will ALSO be measured on getting the job done. And so on up the tree, until Ginni says WTF - fix this.

1
0
Anonymous Coward

But that depends if the legal team isn't on the same level as Ginni and counters, "Data protection violation! Big fines if you try that!"

0
0

But even the Reg named Big Blue as iBM? Like it was an Apple Thing from the 90s.

1
0

'All'?

I wonder if they've considered that a hard drive is, technically, 'removable storage' - courtesy of the right toolkit, at least :-).

Those absolutes. They'll get you every time. Er, mostly, I mean... (blush) :-).

3
0
Anonymous Coward

fun

Can they use the cloud for storage? Or mail stuff?

0
0
Anonymous Coward

Re: fun

"Can they use the cloud for storage? Or mail stuff?"

Network connections to the outside world will be/almost certainly are monitored by loss prevention software.

All emails and attachments will be scanned, and either passed or dumped.

Encrypted browser sessions from work computers will be decrypted and monitored.

And none of that will prevent data exfiltration. If you can do it for air-gapped computers in another country, you can do it for locked down computers to which you have physical access.

0
0
Silver badge

Only surprised it took them so long.

Seems incredible when you think about it that these wide open gaping security holes are allowed in any company.

2
0
Silver badge

Oh this will be good

Can't wait to see the consequences.

*snerk*

0
1

Avoidances of strange rules

Ah, those 'It's Better Manually' people at it again.

Had a classic one with my current employer. No USB, bluetooth, Dropbox, Google Drive permitted. They provide a web-based mail client that you can access off-site. Of course they check all attachments to mails so you can't send yourself a big file, or an executable, or a zip file or anything useful. What they failed to notice was that you could attach one of those files to a draft email at work, save it as draft (of course no checking until you actually send it), go home, open web mail client, open draft and download the attachment.

*sigh*

9
0
Anonymous Coward

Should use Kaspersky

So, yeah really. I manage these things where I work. In KL we block all USB storage devices by default. We grant permission to individual devices by ID. We only use hardware encrypted USB drives. The drive is given permission to an AD group, and people are added to that group. It works great for us. We get both device and user control, either or both of which can be revoked at any time.

Trend has the closest to the same features (in my last review for replacement due to paranoid non IT management).

2
0
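The block-by-default, allow-by-device-ID-and-group scheme the commenter describes, written out as an added example (not the commenter's setup or any vendor's product). The device IDs, group names and log line format are constructed for the example; in practice the group lookup would query the directory.

```python
from dataclasses import dataclass

# Constructed allowlist: hardware-encrypted drives identified by
# (vendor_id, product_id, serial), each mapped to the directory group
# that may use it. All values are made up for this example.
ALLOWED_DEVICES = {
    ("1234", "5678", "ENC-STICK-0001"): "usb-finance",
    ("1234", "5678", "ENC-STICK-0002"): "usb-field-eng",
}

# Constructed group membership, standing in for an AD group lookup.
GROUP_MEMBERS = {
    "usb-finance": {"alice"},
    "usb-field-eng": {"bob", "carol"},
}


@dataclass(frozen=True)
class UsbEvent:
    user: str
    vendor_id: str
    product_id: str
    serial: str


def parse_event(line):
    # Constructed log format: "user=alice vid=1234 pid=5678 serial=ENC-STICK-0001"
    fields = dict(part.split("=", 1) for part in line.split())
    return UsbEvent(fields["user"], fields["vid"], fields["pid"], fields["serial"])


def decide(event, allowed=ALLOWED_DEVICES, groups=GROUP_MEMBERS):
    """Default deny: allow only a listed device used by a member of its group."""
    group = allowed.get((event.vendor_id, event.product_id, event.serial))
    if group is None:
        return "deny", "device not in allowlist"
    if event.user not in groups.get(group, set()):
        return "deny", f"user not in group {group}"
    return "allow", f"device permitted via group {group}"


def revoke_device(allowed, key):
    """Device-side revocation: dropping the entry denies it to every user."""
    return {k: v for k, v in allowed.items() if k != key}


def revoke_user(groups, user):
    """User-side revocation: removing the user from all groups denies every device."""
    return {g: members - {user} for g, members in groups.items()}


# Constructed sample of connect events as a device-control agent might log them.
SAMPLE_LOG = """\
user=alice vid=1234 pid=5678 serial=ENC-STICK-0001
user=bob vid=1234 pid=5678 serial=ENC-STICK-0001
user=carol vid=abcd pid=0001 serial=UNKNOWN-STICK
"""


def audit(log=SAMPLE_LOG):
    return [decide(parse_event(line)) for line in log.splitlines() if line.strip()]


if __name__ == "__main__":
    for line, (verdict, reason) in zip(SAMPLE_LOG.splitlines(), audit()):
        print(f"{verdict:5} {reason:36} <- {line}")
```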
Anonymous Coward

Re: Should use Kaspersky

F-Secure has a similar device management system, though I haven't used Kaspersky so can't say whether it's better or not.

1
0
Bronze badge

Oh Dear

IBM'll have to be VERY careful with the rectal exams, but on the upside it will attract that 'diverse' kind of personnel they're always after.

2
0

I am the CISO for a FTSE 100 company and we have had the same policy for more than two years.

If a technically competent person wants to steal data to which they are given any sort of access, they will likely succeed. However, implementing restrictions like this has two big benefits.

Firstly, it forces staff to use a more controllable and auditable approach to data transfer. When our staff share information on Google Drive, for example, they can retain a considerable degree of control over what is done with that data, including revoking access and preventing further sharing. My team and I also monitor transfers (including examining the content for personal information) and keep a forensic trail. This reduces the risk of mistakes and permits my team and me to examine the circumstances of mistakes.

Secondly, this limits the ability of less technically competent but malicious members of staff to harm our business.

Can I absolutely stop people stealing our data? Probably not. Can I reduce the risk that someone will do something stupid or malicious? I absolutely can and I have. The sky has not fallen in. In fact, no-one really cares.

5
1

Sorry, but that is totally ignorant. Any laptop or tablet has the exact same copy capability as any USB stick, and no cloud system like Google Drive is even remotely secure. Never use the cloud for anything you care about. You really should not at all be CISO. For example, tell me how you remove a rootkit virus without a USB stick?

0
0
Silver badge

Two use cases

My org hasn't allowed USB sticks for several years, and I get it - a flash drive can be the sucking chest wound of security.

My guess is that IBM will do what we do: if you have a business case for using USB, we can make an exception for you. There will be training and documentation involved. Drives will never be used to bridge between internal nets. The USB sticks themselves will be obtained from Central Supply which (theoretically) does due diligence on the supply chain. We have 1:1 accountability between specific sticks and personnel. You lose it, we talk.

Two use cases that work for me: I've got a stash of USB sticks with software, patches, tools that I might need to take to customer hardware. Single use... Once plugged into the customer machine we assume they've got cooties. Crush with hammer or snap in half to prevent reuse, bring carcass back for accountability, and then let the logistician destroy utterly.

Use case 2 is to have some sticks with Kali Linux. If weird stuff starts happening on the net, use a single use Kali instance to have a little look around. Again, destroy when done.

2
0

Re: Two use cases

That's fine, but you're likely to destroy a rather large quantity of USB disks. I might suggest using DVDs as much as possible. Not only would they be much cheaper to use even if you destroy them, but you would be rather certain that nobody has modified their contents, which you could encrypt rather easily. Of course, that doesn't help if you need more than 4.3 GB of space, but perhaps sometimes. I've considered using read-only USB devices under some of these circumstances, if only to prevent overuse of hammers.

3
1
Silver badge

Re: Two use cases

I see where you're going, but even physical write-protect switches could be tampered. About the only solution I could see there would require some kind of custom job where a dongle is inserted into the device to write-enable such devices. Given how "cheap as chips" an 8GB drive is these days, especially on a bulk order, the hammer is probably the cheaper option.

0
1
Silver badge

Symptom of why IBM is slowly dying?

Faced with the security issues inherent in flash drives, the IBM we grew up with would probably see this as a golden marketing opportunity. IBM would (over)engineer a fairly secure, usable, well documented hardware/software solution that would ensure file and data portability while maintaining information assurance. It would work well and cost a bloody fortune.

But today we get this risk averse culture that identifies only problems - not solutions.

7
0

dumb terminals

we're heading back to dumb terminals only

server storage and applications

better control, easier security

good for business

dis-empowering for the user

all lusers praise the mighty main-frame

3
0
Anonymous Coward

Re: dumb terminals

But suppose you're a field agent...at an air-gapped system?

0
0

"Indeed, IBM offers advice on how to install Linux on its own POWER 9 servers using a USB key. ®"

I am not sure that the ban covers that. You need a USB key or CD to install Windows too.

0
0

International Beancounter Mismanagement

One of the dumbest things I have ever heard, because obviously any laptop, tablet, portable drive, etc., can do all this as well, and the very least secure means of file sharing is the cloud, the way IBM WANTS it done.

Somebody really does not understand computers.

When you share on the cloud, everyone between you and the source can make a copy easily.

1
0
Silver badge

Re: International Beancounter Mismanagement

Unless it's THEIR cloud, and the laptop can't access any other cloud, have you considered?

And how can everyone between you and the source make a copy when it's encrypted in transit through things like VPN connections?

0
0
Mat

Shamla Naidoo

Surely that's a 'Star Wars' name....

0
0

Easy options

You're missing the easy answers:

1) If IBM engineers aren't allowed to use USB sticks, then they can just outsource the maintenance to a 3rd party who do use USB sticks - ie, me! :-)

2) They can always revert to CDs for installations and upgrades; most servers do still have CD drives.

3) They are going to ban laptops, cameras, wifi, email and internet access next, that will really help improve security :-)

Chat soon.

4
0

Poorly thought through

The webcam in pretty much every laptop I have worked on is USB attached, is a storage medium and therefore automatically contradicts this directive... As IBM will have to provide the work laptop (not many out there without webcams) or BYOD clear the private usage one (almost certainly likely to have one fitted), to then sack or discipline any user would be questionable and lead to claims under Constructive Dismissal (well, in the UK anyway).

0
0
Anonymous Coward

Re: Poorly thought through

"The webcam in pretty much every laptop I have worked on is USB attached, is a storage medium and therefore automatically contradicts this directive... As IBM will have to provide the work laptop (not many out there without webcams)"

The webcam is easily fixed with a pair of wire cutters and a screwdriver. If not, buy a different laptop.

0
0
Silver badge

Re: Poorly thought through

When IBM built their own laptops, and for a few years after the sale of the Thinkpad brand to Lenovo, IBMers working in secure environments within IBM, or on customer's own secure sites (generally those requiring some form of government security clearance) had to have Thinkpads without webcams.

Now they are buying from third parties, they do not have the control over the devices they can get (and they don't want to have laptops built to their specification) so the users are instructed to cover the camera lens.

In addition, phones with cameras used to be banned (if you had one, you had to leave it outside of the secure area). Now, as IBM no longer buy phones for their workers at all (the worker provides the phone, IBM provide a SIM) the prohibition is that you must not use a camera within one of these secure areas.

All in all, less control rather than more.

0
0

Removable storage

It's in more devices than is apparent, i.e. take hundreds of images for work projects, so now how do you get them accessible to add to your training document?

Phones and other camera-like devices: OK, so say you set up some form of authorization, what's to say the installed memory in the "device" is the same as that which was authorized, i.e. change out the removable memory?

Just going back to laptops, the hard drives are removable, as are the RAM chips. Yes, a tad more fiddly to do, but just the same risk apparently.....

It may not be as common these days on laptops, but a second drive could be installed in place of the removable CD drive for extra storage. Is this not removable?

Making security so unworkable for the end user just makes people more inventive to circumvent it i.e. as mentioned using bluetooth.

Using a mobile phone to provide a phone connection to a laptop: does this not count as adding an external media connection [in more ways than one]?

0
0
Anonymous Coward

Re: Removable storage

"Just going back to laptops the hard drives are removable as are the ram chips."

Which is why the system unit is locked and there is an audit mechanism to detect opening.

0
0
Anonymous Coward

Re: Removable storage

Wonder how long it'll take for someone to find a way to remove the drive without tripping the audit mechanism. AFAIK, no one's found a foolproof audit mechanism yet, and an internal IBM laptop could be considered a high-enough-value target to expend effort into exfiltration.

0
0

Who knew

Who knew IBM would worry about "possible financial and reputational damage".

2
0

Is IBM anything but a bellwether for business-crippling mistakes?

When you find your company making the same sad business decisions that IBM makes, it is time to pull the handle on the ejector seat and punch out of there. IBM is your stoner friend who lies on the sofa all day watching Netflix and eating brownies -- when you even accidentally find yourself making any choice that he would make, you need to immediately reconsider.

3
0

What are they going to do when their monitors also connect via USB? It's going the way that everything is. Soon you won't be able to just turn it off.

0
0
Anonymous Coward

"What are they going to do when their monitors also connect via USB? It's going the way that everything is. Soon you won't be able to just turn it off."

BIOS/UEFI lock to prevent anything other than encrypted video from going out to the monitor.

0
0
Anonymous Coward

Merely a symptom of dysfunctional management

Arbitrary mandates that micro-manage operations in arcane ways with blunt instruments are imposed because management does not or cannot trust its staff. It's culture, and it spells doom, albeit probably by a long slow decline.

2
0

"UPDATE: Since publishing this story we've heard whispers that IBM has taken note of staff objections to the removable storage ban, especially when doing software updates, and is considering making a few exemptions."

I can totally see IBM sysadmins lugging around a USB stick epoxied to a chain, which is attached to a brick in the future.

You know, like those gas station bathroom keys...

0
0
Anonymous Coward

"I can totally see IBM sysadmins lugging around a USB stick epoxied to a chain, which is attached to a brick in the future.

You know, like those gas station bathroom keys..."

Won't work, too heavy, people will put them down.

You have to use an exotic alloy chain, permanently attached around a wrist, no more than 2 m long, permanently bonded to the USB key. They cut it off when you leave the company, or if it needs to be replaced. Maximum of 4 USB sticks (one per ankle or wrist).

Amputation without authorization would be cause for dismissal.

0
0
Bronze badge

IBM

A suggestion. Look under all the prayer rugs that will suddenly appear.

0
0

Honestly, I thought that IBM was trying to solve a different problem: employees finding malicious drives and plugging them into company resources. This would be an excellent deterrent for exactly this type of attack, which is, sadly, still extremely effective.

0
0
Silver badge

Bah!

How do they deal with the mobile storage everyone keeps inside their skulls?

0
0

Biting the hand that feeds IT © 1998–2018