[ISN] Mobile Data a Moving Liability

From: InfoSec News (alerts@private)
Date: Thu Dec 06 2007 - 02:03:36 PST


http://www.darkreading.com/document.asp?doc_id=140698

By Terry Sweeney 
Dark Reading
December 5, 2007

SAN FRANCISCO -- By his own account, Tory Skyers lives on the edge -- 
the storage edge.

He defines that place as the point in the enterprise network where any 
kind of mobile device contributes content to the SAN. This device menu 
runs the gamut from iPod, to Zune, PSP, Treo, Blackberry, Psion, laptop 
or desktop computer, USB flash drive, and external hard drive, to name a 
few.

He uses two incentives to get unthinking users to follow policy or stop 
doing dumb things. "Fear and money are great motivators," he told an 
audience here at the Storage Decisions conference this morning.

"What is that data worth to you on your laptop, on your iPhone -- in 
monetary terms? What if you didn't have your contacts list saved?" said 
Skyers, senior systems engineer for Prudential Fox & Roach Realtors. 
That typically gets users thinking.

He cited a recent example of an executive who wanted to store his iTunes 
directory on the company server. "I showed him that it would cost $670 
per user for every 14 days of storage for that iTunes volume," Skyers 
said. Factor in five other users at more than $1,300 a month and 
suddenly it gives users a more concrete incentive to set an example and 
enforce such acceptable use policies within their workgroups, he added.

IT should not be immune from enforcement, Skyers said. Consequently, 
when he wants to take a gander at jpegs of loved ones or work on a 
personal document, he plugs in the 8-Gbyte USB drive he keeps on his 
keychain and none of it gets backed up to company servers.

Skyers encouraged storage pros to do some social networking of their 
own.

Reach out to the marketing department to help come up with catchy ways 
to get people to be smarter about what they save and how they use the 
Internet.

If the legal department hasn't already thought it through, remind them 
that the Bank of America got fined millions of dollars daily for its 
inability to produce emails. Ask human resources to get involved to give 
the policy some teeth, whether it's a reprimand or something more 
draconian. "They enjoy that," Skyers said, to appreciative nods from the 
audience.

He also encouraged more intra-departmental discussion within IT. "How 
many times have you heard, 'I'm a security guy, I don't wanna look at 
your hard drive'?" he asked. Those are conversations that businesses of 
all sizes need to have to make sure artificial fiefdoms don't compromise 
the company.

IT can also step in and create sanctioned alternatives like memberships 
to P2P file-sharing services that operate legally. And they can get more 
proactive by deploying desktop management programs like Desktop 
Authority and Powerfuse, which limit users' ability to store outside 
permitted folders, and restrict executables like Google Search, Skyers 
said.

Other controls, like SurfControl Mobile Filter, limit access to certain 
Websites and protocols when the user is outside the network or VPN, and 
prevent downloading unauthorized data content.

