Look again -- the barbarians might be inside the gates


During the Gartner 2007 Symposium/ITxpo in San Francisco, attendees were asked to vote on three important issues facing IT professionals today. The results of those votes might have far-reaching implications for security professionals (Tom Austin, et al, Gartner Clients Substantially Reject Tight Control Over Users, Gartner ID Number G00148513, 15 May 2007).

The votes

The first vote was on the question, "Should employees be allowed uncontrolled use of consumer devices, applications, and services?" The results should raise some concern: 70 percent of the approximately 300 attendees who voted sided with open usage. Only 29 percent believed that organizations should control the use of consumer products in the workplace. The apparent reason for this attitude is the rate at which vendors make these products available to the workforce; controlling this onslaught of personal technology is seen as not worth the effort. Further, there seems to be a consensus that user productivity suffers when controls on consumer products are enforced.

The remaining two votes supported this position of openness. In the first, 67 percent of the attendees rejected the premise that IT should endorse every piece of software installed. In the second and last vote, the majority of those voting favored distributing many technology-implementation decisions outside the IS department: 53 percent agreed with this position, with 47 percent favoring continued IS control.

My opinion

While I'm a proponent of implementing the technology the business needs, I absolutely disagree with uncontrolled use of technology in the name of productivity. With the increasing functionality of PDAs, smartphones, USB storage, and MP3 players, the risk to an organization that allows their uncontrolled use is growing rapidly. I'm not necessarily advocating shutting down all use of personal productivity devices. Rather, I believe companies must make informed decisions that weigh value against risk. So instead of prohibiting the use of personal devices, content monitoring may provide the right level of risk management. At least you'll know when sensitive data is moved to questionable locations.

As far as controlling what software employees install, I believe an organization should take a blacklisting approach. In other words, only applications known to present a high level of risk should be prohibited. Having said this, I also believe all endpoint devices in an environment with no or weak application installation controls must be protected. Protection should include aggressive patch management and anti-malware update processes. Another consideration is the use of host-based solutions to block the installation or execution of applications known to be questionable. A product that falls into this category is SurfControl's Enterprise Threat Shield. In summary, if we allow users to install whatever they want, we have an obligation to protect them from themselves.

Finally, I have a hard time with distributing IT solution decision-making to non-IT professionals. While I'm sure there are organizations in which business users are marginalized during the decision-making process, the vast majority fully engage both technical and nontechnical expertise to ensure the right solutions are implemented. Leaving these decisions to business users alone swings the pendulum too far in the other direction, and the balance that is critical to making the right overall decision is lost. Any security professional who has completed a security assessment that essentially blocks the implementation of a favored solution knows that, without any control, users will almost always choose function over safety.

The results of these votes were not completely surprising to me. The security team I lead is part of the IS department. Pressure is mounting every day to allow more user autonomy, often resulting in lively debates. However, I maintain that we as security professionals must work to insert some measure of reasonableness into this movement toward opening the personal productivity flood gates. Otherwise, the only true winners will be the cybercriminals who are waiting patiently for just this kind of opportunity.

About

Tom is a security researcher for the InfoSec Institute and an IT professional with over 30 years of experience. He has written three books, Just Enough Security, Microsoft Virtualization, and Enterprise Security: A Practitioner's Guide (to be publish...

3 comments
Bjorn.Tore

Well-known discussion, but really, it comes down to experience. My question after reading the Gartner report, and having had the same discussion at work, is what kind of experience do these "IT Professionals" referenced in the report have? The 70% voting for open usage and fewer restrictions can't have had any experience with large virus outbreaks, or large organizations where it's "free for all". After spending the last 4 years in the company, going from a minimal-control, "users are local admins" environment to a semi-controlled, users-have-only-"user rights" environment, the benefits have been both visible and easy to calculate cost reductions on. Yes, the challenge is user information and open discussion on why they can't install what they want and connect what they want, but senior IT and business management support and buy-in have been the key. We have almost removed viruses, spyware, adware, malware, pirated software, music and movies. Almost, because, consisting of 100+ companies, there are of course those that have management approval for having local admin rights. And usually these are the "IT Professionals" that believe restrictions should not apply to them. So my conclusion after reading the Gartner report was that the opinions of the 70% carry very little relevance for my company, and probably most large organizations.

Absolutely

[i]As far as controlling what software employees install, I believe an organization should take a blacklisting approach. In other words, [b]only applications known to present a high level of risk should be prohibited.[/b][/i]

Rubbed my eyes. Pinched my arm. Wow! I [b]really[/b] read that! With all that's known about malicious programs on the Internet, he said that IT departments should [b]allow everything [u]except[/u][/b] "applications known to present a high level of risk". In practice, that means that every line of code is treated as "innocent until proven guilty"! Network traffic is filtered by default-deny, not default-allow rules, in environments where security matters. Why a different set of rules for software?

[i]Having said this, I also believe all endpoint devices in an environment with no or weak application installation controls must be protected. Protection should include aggressive patch management and anti-malware update processes. Another consideration is the use of host-based solutions to block the installation or execution of applications known to be questionable. A product that falls into this category is SurfControl's Enterprise Threat Shield. In summary, if we allow users to install whatever they want, we have an obligation to protect them from themselves.[/i]

That's funny. What professional tool, other than a computer, do employees expect to have the [u]right[/u] to modify? In construction and other fields in which it's common to buy one's own tools even while working as an employee, not an entrepreneur, one may purchase any brand according to personal preference, but I can think of no other tool, provided [b]by the employer[/b], which employees expect to be permitted to modify. I'm happy for the entrepreneurs at SurfControl who are able to find a profit in this culture of entitlement, but it's still a load of hogwash.

Tom Olzak

I think you'll find that the trend is toward allowing employees to use new products and services without severe restrictions. This trend is being pushed by IT and business executives. This was made clear in the voting that took place at the conference. Security is about providing a balance between operational efficiency and control. Security managers who attempt to block every user-provided solution will quickly find themselves dismissed as "security radicals". Instead, it's our job as security professionals to keep in step with the realities of the workplace and to select the controls that will mitigate risk to an acceptable level. As far as whitelisting vs. blacklisting, whitelisting software is a huge undertaking in a large organization. The costs involved, both in managing the process and in potential productivity losses, exceed those incurred by implementing blacklisting with appropriate controls. Finally, I never wrote that all users should have the right to modify their systems on their own. I've written several times about the importance of restricting local admin access to IT personnel only. However, there are instances in which local admin rights must be granted due to the nature of the applications executed.