We opted to disable USB mass storage since cavity searches seemed a little much.
This is missing the point. Someone could plug a SATA drive directly into the motherboard, or otherwise compromise their work computer to disable the restrictions, or take pictures of documents with a camera, or bring their own computer on-site, or bring a line-of-sight wireless network device on-site, or send the data over the internet as an encrypted file or via ssh or using steganography, and so on.
The point is that preventing data exfiltration is not a trivial task, and if you're at all serious about it then the network containing the secrets is not connected to the internet. And if it's less serious than that then it can't justify a high-risk TLS MITM device.
Yes, if one is determined enough, they will find a way to steal data.
> It isn't worth the security cost.
That's up for the company to decide... and apparently they have decided that it is worth the cost, regardless of what zrm, random person on the Internet, thinks.