IBM recently announced a company-wide ban on removable storage devices, such as USB drives and SD cards, and encouraged employees to use its internal
IBM recently announced a company-wide ban on removable storage devices, such as USB drives and SD cards, and encouraged employees to use its internal file-sharing system. Can a removable storage ban like this improve enterprise security? How difficult will it be for companies like IBM to enforce such a ban?
Regardless of how enforceable or effective a policy may be, enterprises are allowed to create whatever rules and restrictions they want.
However, some enterprises use a governance, risk and compliance (GRC) program to determine which policies should be prioritized and implemented — and that effort is usually backed up with data to justify those policies. These same enterprises may also use previous incident data and industry reports to help understand the risk their enterprise faces.
An enterprise’s policies are a critical part of an effective information security program and are often required for compliance with various laws, regulations and contracts. One part of evaluating how enforceable or effective a policy will be is using a pilot in which data is collected about, for example, the impact and effort required for a method, which can then be used as part of the GRC process. Creating a policy is only part of risk reduction and should include carefully defining the scope of a policy and managing exceptions.
IBM earlier this year announced a ban on the use of removable storage devices and encouraged its staff members to use internal network tools to move corporate data, which is a policy that was previously implemented in limited environments. For some enterprises like IBM, certain devices, software and services are deemed too high risk to allow inside the enterprise and, thus, have been banned.
With the necessary technical controls implemented, a ban like this could improve overall enterprise security, as removable storage devices have often been implicated in different types of attacks. An effective exception process should be put in place to help minimize the impact of the change on an enterprise’s staff that typically uses these devices to install operating systems, recover data or fill some other legitimate need.
Enforcement of a policy such as the ban on removable storage devices can be difficult depending on the technical controls implemented on the systems and network. For example, IBM uses its own BigFix software, which offers Device Control functionality to disable removable storage; however, this requires management software to be installed on the endpoint, which may not be available on all platforms or all devices.
IBM could also use a network access control solution to see if the management software is on an endpoint before the device is allowed on the corporate network.
While all of this will require additional resources to manage, the increased cost should be weighed and evaluated to see if it’s appropriate compared to the level of risk and the resources available to manage the risk.
Ask the expert:
Have a question about enterprise threats? Send it via email today. (All questions are anonymous.)