Cyber Eye: Consumer technologies present fresh headaches for net administrators
As the distinction between personal gadgets and enterprise tools continues to blur, more consumer products are being introduced into the workplace without any formal planning.
Instant messaging and increasingly powerful USB drives are cases in point. Originally conceived as conveniences or personal playthings, both now are valuable productivity enhancements. Unfortunately, each introduces risks as well as rewards because they're often used with little forethought.
This is not a new phenomenon. E-mail probably is the premier example. E-mail has been around for more than 30 years and has been a given in government and private-sector offices for a decade. But administrators are only now getting their arms around the problem of managing this resource. Wireless networking is a more recent example, rife with potential and peril.
Instant messaging probably is being adopted at an even faster rate and with no more planning, according to an annual study by the American Management Association and the ePolicy Institute.
The 2004 survey of 840 businesses showed that nearly a third of respondents use instant messaging in the office, the great majority of them, 94 percent, for work-related purposes. But only one in five organizations had a written policy governing instant messaging and only 6 percent retained and archived IM business records. Only about 10 percent of organizations monitor or manage IM traffic.
Without adequate management and monitoring, instant messaging provides an unguarded back door through which viruses, worms and spyware can enter, and through which sensitive and inappropriate information can leave.
There are no similar studies on the use of USB drives, but the portable storage devices are small enough and powerful enough that they are becoming ubiquitous on key chains and in pockets. They enable a next-generation sneakernet, a great way to back up and transfer large files.
That means they also are a great way to introduce malicious code and siphon data off at the desktop level, well inside multiple layers of network defense.
There are tools to manage the risks and rewards of these devices. Gateway and internal software is available to keep an eye on IM traffic, blocking it or monitoring it to ensure that it is not being used inappropriately. USB ports can be deactivated and files restricted to thwart the improper use of portable drives. But before you lay out any money to manage these tools, you should first sit down and come up with a policy for how they are to be used.
Who's minding the IM?
Nobody is eager to buy and manage another layer of security hardware and software for their enterprise. And policies can be a headache for administrators who often write them only to see them ignored, both by management above and users below. But there is no escaping the fact that if new technologies are not recognized and addressed, administrators risk losing control of their IT systems.
This is just one more phase of the running battle fought by systems administrators and security officers. And the most difficult part of the battle is recognizing the next challenge before someone walks in and plugs it into your system.