During the Gartner 2007 Symposium/ITxpo in San Francisco, attendees were asked to vote on three important issues facing IT professionals today. The results of those votes might have far-reaching implications for security professionals (Tom Austin et al., Gartner Clients Substantially Reject Tight Control Over Users, Gartner ID Number G00148513, 15 May 2007).

The votes

The first vote was on the question, "Should employees be allowed uncontrolled use of consumer devices, applications, and services?" The results should raise some concern, with 70 percent of the approximately 300 attendees voting siding with open usage. Only 29 percent believed that organizations should control the use of consumer products in the workplace. The apparent reason for this attitude is the rate at which vendors make these products available to the workforce. The difficulty of controlling this onslaught of personal technology is apparently not worth the effort. Further, there seems to be a consensus that user productivity suffers when controls on consumer products are enforced.
The remaining two votes supported this position of openness. In the first, 67 percent of the attendees rejected the premise that IT should endorse every piece of software installed. In the second and last vote, the majority of those voting favored distributing many of the decisions about technology implementation outside the IS department. Fifty-three percent agreed with this position, with 47 percent favoring continued control.

My opinion

While I'm a proponent of implementing the technology needed by the business, I absolutely disagree with uncontrolled use of technology in the name of productivity. With the increasing functionality of PDAs, smartphones, USB storage, and MP3 players, the risk to an organization that allows their uncontrolled use is rapidly growing. I'm not necessarily advocating shutting down all use of personal productivity devices. Rather, I believe companies must make informed decisions about value versus risk. So instead of prohibiting the use of personal devices, maybe content monitoring provides the right level of risk management. At least you'll know when sensitive data is moved to questionable locations.
As far as controlling what software employees install, I believe an organization should take a blacklisting approach. In other words, only applications known to present a high level of risk should be prohibited. Having said this, I also believe all endpoint devices in an environment with no or weak application installation controls must be protected. Protection should include aggressive patch management and anti-malware update processes. Another consideration is the use of host-based solutions to block the installation or execution of applications known to be questionable. A product that falls into this category is SurfControl's Enterprise Threat Shield. In summary, if we allow users to install whatever they want, we have an obligation to protect them from themselves.
Finally, I have a hard time with distributing IT solution decision-making to non-IT professionals. While I'm sure there are those organizations in which business users are marginalized during the decision-making process, the vast majority fully engages both technical and nontechnical expertise to ensure the right solutions are implemented. Leaving these decisions to business users alone swings the pendulum too far in the other direction. The balance that is critical to making the right overall decision is lost. Any security professional who has completed a security assessment that essentially blocks the implementation of a favored solution knows that, without any control, users will almost always implement function over safety.
The results of these votes were not completely surprising to me. The security team I lead is part of the IS department. Pressure is mounting every day to allow more user autonomy, often resulting in lively debates. However, I maintain that we as security professionals must work to insert some measure of reasonableness into this movement toward opening the personal productivity floodgates. Otherwise, the only true winners will be the cybercriminals who are waiting patiently for just this kind of opportunity.
Tom is a security researcher for the InfoSec Institute and an IT professional with over 30 years of experience. He has written three books, Just Enough Security, Microsoft Virtualization, and Enterprise Security: A Practitioner's Guide (to be published in Q1/2013). Before joining the private sector, he served 10 years in the United States Army Military Police with four years as a military police investigator. He has an MBA and CISSP certification. He is also an online instructor for the University of Phoenix.