The military needs to do more than just "ban" discs, and so should you!

The military is now trying to save face following the Wikileaks cable exposure by bolting the stable door after the horses have vanished. It is now implementing a ban on the use of CDs, DVDs and removable drives.

Banning something, even when it comes with the threat of a court martial, only goes so far. Sure, it'll help protect military and government secrets from an honest person, or from someone who fears the consequences, but it's hardly going to deter someone who's properly motivated from using removable drives to leak data.

Note: Motivation is a factor to bear in mind here. PFC Bradley Manning's motivation for leaking military information from SIPRNET to Wikileaks seems to be down to little more than disillusionment with American foreign policy. On the motivation scale, Manning's motivation doesn't seem that urgent compared to say, someone being blackmailed or being motivated by having a gun held to a family member's head, or tempted by a hot tub full of jewelry and hookers. That's real motivation. I'm not going to speculate on how much information has leaked from SIPRNET by people being "properly" motivated.

The only way to control data is to have properly enforced policies in place. To do that effectively you need to have endpoint security installed on all systems. Yes, that's right, banning something isn't enough, you actually have to PREVENT PEOPLE BEING ABLE TO LEAK DATA IN THE FIRST PLACE. Why? Because while sometimes data leakage is deliberate, most of the time it's accidental. It's as a result of a rot in corporate policy, or because it's quicker/easier/cheaper/less hassle to do something in an insecure way, or because you know you shouldn't do something "the wrong way" but promise yourself "it's just this once," or ...

See, the threat of court martial only goes so far (and in a corporate or business setting, you don't even have that stick to wave at careless or disloyal employees). Sure, it might put some people off doing things that might result in data leakage, but it won't stop someone exposed to the right kind of motivation, and it won't stop accidental data leakage. Endpoint security will.

Even without endpoint security, you can take steps to plug some of the holes. For example, in Windows you can make use of Group Policy to disable USB, floppy and optical drives. It still leaves a whopping big hole (the internet), but it's better than nothing.
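A ban only counts if you can verify that it is actually applied on each machine. The PowerShell script below is an added example, not part of the original post: it is a read-only audit of the registry values that the Group Policy "Removable Storage Access" settings write, and it reports which drive classes are still writable. The registry path and device-class GUIDs are the ones those policy settings use; the function names are made up for this example.

```powershell
# Added example: read-only audit of the Removable Storage Access policy
# on the local machine. It changes nothing; it only reports gaps.
$base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'

# Device classes named in the post, keyed by their device-class GUIDs.
$classes = [ordered]@{
    'Removable disks (USB)' = '{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}'
    'CD and DVD'            = '{53f56308-b6bf-11d0-94f2-00a0c91efb8b}'
    'Floppy drives'         = '{53f56311-b6bf-11d0-94f2-00a0c91efb8b}'
}

# Returns $true only when the named policy value exists and is set to 1.
# A missing key or value means the policy is not configured.
function Get-PolicyFlag {
    param([string]$Path, [string]$Name)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    return ($null -ne $item -and $item.$Name -eq 1)
}

# Builds one row per device class. "Deny_All" (All Removable Storage
# classes: Deny all access) overrides the per-class settings.
function Get-RemovableStoragePolicy {
    $denyAll = Get-PolicyFlag -Path $base -Name 'Deny_All'
    foreach ($label in $classes.Keys) {
        $key = Join-Path $base $classes[$label]
        [pscustomobject]@{
            DeviceClass = $label
            ReadDenied  = $denyAll -or (Get-PolicyFlag -Path $key -Name 'Deny_Read')
            WriteDenied = $denyAll -or (Get-PolicyFlag -Path $key -Name 'Deny_Write')
        }
    }
}

$report = Get-RemovableStoragePolicy
$report | Format-Table -AutoSize

# Write access is the data-leak path, so flag any class that still allows it.
$gaps = @($report | Where-Object { -not $_.WriteDenied })
if ($gaps.Count -gt 0) {
    Write-Warning ("Write access not blocked for: " + ($gaps.DeviceClass -join ', '))
    exit 1
}
Write-Output 'All audited removable storage classes deny write access.'
```

The non-zero exit code lets a monitoring or compliance job flag machines where the policy never arrived or was rolled back.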

Protect your data!