iPods pose security risk for enterprises, Gartner says

The iPod may be popular, but also poses such a major security risk for businesses, that enterprises should seriously consider banning the iPod and other portable storage devices, according to a study by research firm Gartner Inc.

The devices, using a Universal Serial Bus (USB) or FireWire (IEEE 1394), present risks to businesses on several fronts: from introducing malicious code into a corporate network, to being used to steal corporate data, the Stamford, Connecticut-based research company said in its report "How to Tackle the Threat From Portable Storage Devices," published Friday.

The report pointed to a variety of devices, including pocket-sized portable FireWire hard drives, like those from LaCie Group SA or Toshiba Corp., or USB hard drives or keychain drives, such as the DiskOnKey from M-Systems Flash Disk Pioneers Ltd. Gartner also named disk-based MP3 players, like Apple Computer Inc.'s iPod, as a security risk as well as digital cameras with smart media cards, memory sticks and compact flash.

Gartner advised companies to forbid employees and external contractors with direct access to corporate networks from using these privately owned devices with corporate PCs. Companies should also consider a "desktop lockdown policy," disabling universal plug and play functions after installing desired drivers, to permit the use of only authorized devices.

The report conceded that the devices themselves can be quite useful within corporations, making it "unpractical and counterproductive" to introduce an outright ban.

Companies should take a multipronged approach to portable storage devices, Gartner said, including using personal firewalls to limit what can be done on USB ports. The use of products for selectively controlling ports and encrypting data should also be considered, the company said. Additionally, digital rights management technology should also be used by enterprises that want to protect intellectual property, Gartner said.