Rob Israel likes Apple Computer Inc.'s popular iPod as much as the next guy. But he's not about to let employees plug them into their work machines to download new tunes and videos.
Israel, CIO of the Phoenix, Ariz.-based John C. Lincoln Health Network, an organization of 5,000-plus employees, has long feared that such mobile devices could bring malware into his network. As a result, employees need permission before plugging anything into their work machines. Those who try to do so without permission are blocked by security policy.
"Tons of things can happen with iPods if you don't have the proper security measures in place," he said. "People could take up valuable disk space with music and video uploads, there's a risk of copyright infringement, and you could also upload malware." There's also the risk that someone could load confidential network data onto an iPod, he said.
Israel felt further justified in his security measures this week after Apple acknowledged that some of its iPods had been infected with malware.
Apple said on its Web site that since Sept. 12, less than 1% of Video iPods left its contract manufacturer carrying the RavMonE.exe virus, which typically affects computers running Microsoft Windows.
"So far we have seen less than 25 reports concerning this problem," Apple said on its Web site. "The iPod nano, iPod shuffle and Mac OS X are not affected, and all video iPods now shipping are virus free."
But Israel and other IT administrators doubt this is the last time malware will surface in the iPod, and they recommend IT shops crack down on their use in the workplace. Bringing them to work and listening to music is fine, they say. But network plug-ins should be seriously restricted.
"I have concerns about all devices that employees bring to work and plug into their computer," Paul Asadoorian, lead IT security engineer for Brown University in Providence, R.I., said in an email interview. He agreed the devices could be used to steal sensitive data, and that organizations should use group policy to control auto-run features and USB device drivers, in addition to monitoring network behavior.
Despite his concerns, Asadoorian doesn't ban device plug-ins all the time.
"As long as they are legal downloads and this activity has been deemed appropriate with the employee's supervisor and doesn't violate the organization's policies, I see no problem here," he said.
Israel said employees must fill out a "device approval" form to plug iPods and other devices into their work machines. Getting permission for the iPods is unlikely, however.
"They really have to justify why the device is needed, whether it's an iPod, a USB key or thumb drive," he said. Downloading music and videos is not something that will be approved, he added.
While his organization has strict security policies in place to prevent such behavior, he said an array of security tools is needed to stop those who would break the rules.
"As we looked at our policy, we concluded we couldn't enforce it 100% with 2,000 machines across 15 locations," he said. "So we put devices in place to block the activity."
He said one of the main devices in place is an appliance from Luxembourg-based SecureWave that blocks port access and keeps people from downloading or uploading not only music but also images from digital cameras.
Susan Bradley, network administrator for Tamiyasu, Smith, Horn and Braun Accountancy Corp., in Fresno, Calif., said, "One would hope that one's desktop antivirus would catch this, but normally we do have an acceptable use policy that tries to remind folks to not do this."