Who's afraid of portable storage media?
AdvancedForce CEO Vladimir Chernavsky says the latest row about USB ports is part of a bigger debate about how best to manage access to external memory.
In any case, it unleashed a storm.
Many pointed out that open USB ports are not unlike open device drives--and few corporations, if any, ever banned the use of floppies, CDs or zip drives. A surprising number of the published rebuttals claimed that corporate security measures were becoming too meddling and were ultimately ineffective, and that really nothing could or should be done aside from educating and trusting PC users to do the right thing.
Regarding the first point, I'd agree.
Even Los Alamos National Laboratory didn't ban zip drives in the past. It took multiple incidents of removable drives purportedly loaded with classified information walking out the door before the Department of Energy put new policy in place. But what IT organization would like to be in the defensive position that the University of California is now in with its client, the Department of Energy, over this chain of events? This case also illustrates that the problem does not have to be one of information thieves; well-meaning employees going around with sensitive data on removable storage devices are the source of equal or greater risk.
There are more-evolved, easier-to-implement technology solutions that allow system administrators to centrally control the users and times of uploading and downloading through device ports. I wouldn't consider them any more "meddling or impractical" than personal firewalls. By the way, a personal firewall will not protect your network from a threat that walks up to your computer and attacks locally; it protects only against attacks that come across the Internet.
Finally, security policy is not meant as a signal to users that they are untrustworthy. It does bring into focus the sensitivity of information and the vulnerabilities of a business and therefore requires enforcement. Someone intent on violating security policy may succeed at thwarting the means of enforcement, but this doesn't mean enforcement is a useless exercise. As with a cone fence around a sidewalk under repair or a turnstile in the subway, what matters is not so much that the barrier is unbeatable as that it is there.
Simply by taking the step to manage access to external memory devices with technology, an IT department gives weight and substance to its policy. Regarding this threat, the sooner boundaries are set, the better.