Collaboration

Work with end users -- not against them -- to improve security


In his recent blog post, "The six consumer technologies that are destroying traditional IT," Jason Hiner comments on consumer technologies that are sneaking into the workplace and causing problems for some IT departments' attempts to maintain network and information security. He also makes the point that this isn't just a problem with end users who don't want to follow the rules -- often, the end users are just trying to do their jobs to the best of their abilities, using the tools they feel would best suit their needs.

The problem is, to a significant degree, with the IT department. In other words, if there's a "civil war" between the IT department and the end users, it's because the IT department is trying to fight the end users, rather than solving the problems of their business needs.

The solution to the problem at hand is really a simple one: Don't ignore the end users' needs. When you do that -- when you refuse to offer solutions to the problems of the modern workplace -- the end users start looking for their own solutions. When those "solutions" end up circumventing your network security policies, you need to start looking to yourself for someone to blame, because you could have helped your end users solve their problems without compromising network security, but you didn't.

Let's take a look at one of Jason's examples of consumer technology that's destroying traditional IT -- instant messaging.

Instant messaging technology is an incredibly useful resource for exchanging information in "real time." IT professionals in particular are increasingly finding it useful for their jobs, conferring with one another about the knowledge needed to solve their daily work tasks. Where once a network administrator may have had to hunt through half a dozen books on his or her shelf to find a specific reference to subnetting with IPv6 that he or she saw a few months back while looking for something else, now he or she might be able to just ask a question of his or her IPv6-enthusiast friend working for another company and get an immediate answer.

I know I've done this sort of thing hundreds of times while working on Web development projects, configuring firewall/router systems, and otherwise plying my trade. Sure, I'll probably go back to the book and read up more on it later, but for right now it's nice to be able to get a quick answer from someone who knows the material better than I do, without having to put my work on hold while I search through books and Web sites or wait for a response to an e-mail that may get hung up in spam filtering at the other end (just wait until I address my pet peeves with spam filtering in a later post).

Many IT shops just treat IM as another bit of prohibited software, an attack vector they don't want to have to deal with. In many cases, the IT department workers prohibit IM use for the rest of the company but use it themselves to solve their own business problems -- and they don't realize that it's not just the unique problems of the IT department that can be solved by talking to other people online in "real time."

Whereas a blanket prohibition policy may lend itself to security breaches as people circumvent IT policy so they can improve their ability to get the job done quickly and easily, a policy with exceptions for the IT department can be even worse, as IT would then probably tend to assume that its own workers know what they're doing and ignore the matter of securing IM sufficiently. We really need the additional concern of figuring out how to make IM secure for the rest of the company, or we may not be motivated to think about how to make it secure for ourselves.

Typical security concerns involve plain-text transmission of company secrets, IM-borne viruses, and an unmonitored point of access to the network.

  1. Point of access: As long as you have a policy in place that allows for use of IM but only with the IT department's knowledge and blessing, you've created a policy that will encourage workers to coordinate with IT rather than try to "get away with something." When they're trying to go behind your back, end users will be trying to hide their online activities from you, which means you're going to run the substantial risk of missing important, potentially threatening network traffic for long periods of time. Working with end users, rather than against them, will ensure that you know what's going on, and those end users will be inclined to follow the rules rather than break them if they can achieve their ends within the bounds of IT policy. It's a win-win situation, if you handle it responsibly, so start handling it responsibly right now. Just remember that the more contentious you make the relationship between IT and end users, the more they'll want to fight your policies.
  2. Malware: By instituting a clear corporate IT policy for IM, you get to set the rules for what people will use and how its use will be managed. This means, among other things, that you can institute policies that will minimize the potential malware contagion vectors of IM software. For instance, mandating specific client software choices and IM protocol limitations can help provide you with an easier time monitoring the security status of the IM software being used, allowing for better ability to respond to vulnerability discoveries via workarounds, coordinated patch rollouts, and even temporary IM use lockdowns when there's a problem so big and intractable that IM traffic needs to cease until there's a fix. If everyone in the company knows that they're normally allowed to use IM, after all, they'll be more likely to do what they're told when you want them to stop using IM for a day or two for purposes of avoiding a major security problem that could very well be their fault if they ignore IT policy.
  3. Plain text: For the most part, IM protocols transmit all communications in "plain text," also known as "clear text." Many IM clients these days provide options for encryption, however, which can be used to secure communications somewhat. This can be especially important when two employees of the same company are communicating with each other, discussing matters that should not be made available to the outside world. Many people aren't even aware that encryption is an option, and they don't realize that their communications might be subject to eavesdropping by an outsider; not everyone's areas of expertise are related to information technologies. If you simply disallow IM use company-wide, people who are inclined to use IM in violation of company policy will not be likely to get the guidance they need to do it safely -- but if you provide clear policies allowing IM use within certain restrictions for security purposes, everyone will be able to benefit from your expertise.

On the subject of IM security, examine all your options for the best fit for your company. For instance, considering the above three concerns that might prompt you to allow (coordinated, managed, secured) IM use within the company, you might develop a policy with the following characteristics:

  1. Only the Pidgin client is allowed. This provides greater ability to centrally manage software updates, monitor network activity related to IM use for signs of unauthorized traffic, and support IM software on the end-users' workstations. As a feature-rich, multiprotocol client, it should keep your users happy and serve your needs regardless of what general policy choices you make.
  2. Only the AIM protocol is allowed. Again, this increases your ability to monitor network activity related to IM use, but it also makes it easier to firewall against related, but undesired, traffic. Being aware of all IM protocols in use on the network also keeps attention focused on a narrower range of potential security issues than if you try to pretend that nobody is using IM on your network at all.
  3. No communication without encryption is allowed. This may appear to be a bit on the paranoid side, but it will surely be necessary for some companies. If you are careful to enforce it, perhaps with monitoring of communications via IM-specific ports for signs of policy violation, end users will probably find that it's better to comply -- especially since using encryption with IM is not as difficult as it might sound. For instance, Gaim comes with a built-in encryption capability -- and anyone an employee wants to talk to should be able to employ encryption as well with a minimum of fuss. There may be some incompatibility issues between specific companies with differing policies, in some cases, but you have to determine the security needs of your own company and develop policies that meet those needs. If that requires use of only approved encryption technologies, end users will simply have to learn to live with that -- and with a specific policy in place, it will be much easier to detect policy violations quickly enough to head off any potential security breaches.
  4. When choosing your security technologies, examine the alternatives before settling on the first thing that jumps out at you. Ask yourself questions about how secure a given encryption technology is and similar questions. For example, the built-in encryption capability of Pidgin is good, but it may not be good enough for your purposes. Perhaps you should be using the OTR plugin with Pidgin, which provides what its maintainers call "perfect forward security." OTR provides not only encryption and identification of users on the other end for greater integrity of trusted communications than with most encryption capabilities, but it also ensures that even if a given conversation's encryption key is intercepted, that won't help the unauthorized eavesdropper compromise any further conversations later on.
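As an added example (not code from the article, from Pidgin, or from the OTR project), here is a small Python audit that checks constructed IM-gateway log lines against the first three policy characteristics above: approved client only, AIM only, and no unencrypted sessions. It assumes the well-known default ports for each IM protocol (AIM/OSCAR on TCP 5190, XMPP 5222, MSN 1863, Yahoo 5050, IRC 6667), the fact that every OTR message on the wire begins with the literal "?OTR" marker, and a hypothetical key=value log format in which the `client` field comes from a software inventory; the log lines themselves are constructed, not real traffic.

```python
import re
from collections import defaultdict

# Default ports for common IM protocols. These are protocol defaults assumed
# for the example; the article itself names only AIM.
IM_PORTS = {5190: "AIM", 5222: "XMPP", 1863: "MSN", 5050: "Yahoo", 6667: "IRC"}

# The three enforceable characteristics of the article's sample policy.
POLICY = {
    "allowed_protocols": {"AIM"},   # characteristic 2: AIM only
    "allowed_clients": {"Pidgin"},  # characteristic 1: Pidgin only
    "require_encryption": True,     # characteristic 3: no plaintext sessions
}

# Every OTR message (query, data, or error) begins with this marker, so a
# monitor on the IM port can distinguish an OTR session from a plaintext one
# without decrypting anything.
OTR_MARKER = "?OTR"

# Hypothetical gateway log format: space-separated key=value pairs, with
# values containing spaces wrapped in double quotes.
LINE_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_record(line):
    """Parse one constructed log line into a dict of fields."""
    fields = {k: v.strip('"') for k, v in LINE_RE.findall(line)}
    fields["dst_port"] = int(fields["dst_port"])
    return fields


def check_record(rec, policy=POLICY):
    """Return the list of policy violations for one record (empty if compliant)."""
    proto = IM_PORTS.get(rec["dst_port"])
    if proto is None:
        return []  # not an IM port; outside the scope of this check
    violations = []
    if proto not in policy["allowed_protocols"]:
        violations.append(f"protocol {proto} on port {rec['dst_port']} not allowed")
    if rec.get("client") not in policy["allowed_clients"]:
        violations.append(f"client {rec.get('client', '?')} not approved")
    first_msg = rec.get("first_msg", "")
    if policy["require_encryption"] and not first_msg.startswith(OTR_MARKER):
        violations.append("session carries plaintext messages (no OTR marker)")
    return violations


def audit(lines, policy=POLICY):
    """Map each user to the violations found across their IM sessions."""
    report = defaultdict(list)
    for line in lines:
        if not line.strip():
            continue
        rec = parse_record(line)
        for violation in check_record(rec, policy):
            report[rec["user"]].append(violation)
    return dict(report)


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    'user=alice client=Pidgin dst_port=5190 first_msg="?OTRv2?"',
    'user=bob client=Pidgin dst_port=5190 first_msg="hi, got a sec?"',
    'user=carol client=Trillian dst_port=1863 first_msg="?OTR:AAEDAAAAAQAAAAEAAADA"',
    'user=dave client=Pidgin dst_port=443 first_msg="GET / HTTP/1.1"',
]

if __name__ == "__main__":
    for user, problems in audit(SAMPLE_LOG).items():
        print(user)
        for problem in problems:
            print("  -", problem)
```

In the sample, alice is fully compliant, bob is on the approved client and protocol but talking in the clear, carol is on an unapproved client and protocol (though at least encrypted), and dave's connection is not IM traffic at all and is ignored. The point of the design is that all three checks work from metadata and a message prefix, so the monitor never needs to read the content of a compliant conversation.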

The same sort of approach to software policy that works for IM can be extended, in terms of the principles involved, to apply to the other classes of consumer technologies in the workplace mentioned in Jason's article. Remember that security is more a matter of how you think and how you apply policy than of following a checklist to get from point A to point S, where S stands for "secure."

One of the principles of security that you must learn to apply in your professional life is that of getting your end users to work with you rather than against you -- by making the effort to work with them to solve their problems and meet their business needs.

About

Chad Perrin is an IT consultant, developer, and freelance professional writer. He holds both Microsoft and CompTIA certifications and is a graduate of two IT industry trade schools.

9 comments
Marquisem

Here's a more common problem I find in my company: IT is actually proactive in finding a secure, easy-to-use solution that has a low cost. Because it has any cost whatsoever, the folks who allocate budget dollars say "no". CSO supports the idea and provides a risk analysis. Big L Leadership insists that "nothing bad has happened so far, so there's no need to spend any money--no matter how little--to ensure that nothing bad does." The Big L Leaders in question have lived through a security breach. Before it happened, they thought nothing would. Now they prefer the "lightning never strikes twice" theory of life.

UncleRob

- The IM example you pointed out is great for IT staff who most likely already have admin privileges on their own machines/domain machines to install the required software.... but why do regular users need to install software? What other software other than what's bundled in the corporate desktop or laptop image is necessary? Prove to me why it's necessary? If an IM client is needed, implement an IM solution so that local users can contact each other but don't allow public access - in most cases I'm sure that it would just lead to misuse (ie. talking with friends, etc.) and how does that improve the bottom line. Email is still available & a viable option so that is an avenue for contacting outside sources for assistance if necessary. Skype is another good example except that it typically doesn't apply to the everyday employee. Using a Skype client on a machine would typically come into play if you're a remote user and we have allowed this only for specific users, for example a sales manager that travels regularly (in a pre-defined geographical sales territory and occasionally other locations as well). But the corporate office user doesn't require this ability as I'm sure phonesets are available in the office and the business has some sort of decent long distance savings plan so again this isn't a practical reason for opening up the machine for users to install software. IT staff don't fight end users, their existence is typically to support them but I think you paint a different picture with your article. End users have more software available to them now to perform their jobs than at any other point in history and if additional software is really necessary on an end user's machine, he should follow the chain of command and speak to his supervisor or local HR and make the request for necessary software so that at least it is documented.
The security landscape in today's world requires that machines be locked down and that users can only work with the software installed on their machines, they shouldn't be allowed to make those choices as to what additional software they need & feel that they can install themselves. Allowing the users the ability to install any software they feel they need leads to them making choices on installing software they definitely don't need (read spyware, malware, viruses, rootkits, etc. etc.). End users always outnumber IT staff by a large amount so how smart is it to create an environment where everyone can be free to install whatever software they need and expect the IT staff to run from desktop to desktop whenever problems occur and they do. Most IT staff spend their days solving end user PC problems as it is, why would you want to add to that problem by creating more work? How many IT professionals do you know that only work 9-5 jobs - where I work there is always extra work to be performed, projects to be completed, deadlines to meet, etc. "One of the principles of security that you must learn to apply in your professional life is that of getting your end users to work with you rather than against you -- by making the effort to work with them to solve their problems and meet their business needs." IT staff exist to implement & manage the required IT infrastructure that allows for end users to perform their tasks. Part of that involves enforcing security policies, one security policy we employ locally is lock down all user machines, all users operate as restricted user accounts and no outside software is installed on company machines without approval by management. Opening this policy up and allowing users to make those choices just doesn't make sense in my opinion - it's very hard to manage & support chaos.

rjkirk_50

Maybe the bottom line is to be reasonable and treat users the way you would like to be treated.

rw

Definitely work with the users and give them a fuller non-technical education. Applications are not sneaking into the corporate arena, they are being hailed in from all corners by people using IT at home and finding these products useful. Skype is a great example. Exec travels and gets complaints about their mobile phone bills being high. They use Skype to call home and friends for free or dirt cheap. Bingo... use Skype for business. It is not just a policy headache - how do you handle business conversations over a sniffable global network? Or a comms headache, the client will become a leapfrog point for other calls (unknown nodes passing through your network)? It is a build and relationship headache. What does it affect on the machine? How long is taken to get a stable build for the corporate image and then a rogue bit of software breaks an obscure section that seems to have no relation? What is the time and cost of hunting down and fixing those problems? I think it is time to find a new way of working where once the education is in place the use of consumer driven products don't impact the corporate infrastructure. It becomes just a matter of policy and technology just side steps the issue altogether.

apotheon

Unfortunately, I know all too well how difficult it can be to get funding allocated for the most important projects first in a bureaucratic organization. I've even done my time in the military, so I've seen bureaucracy almost as bad as it can possibly get. Maybe I'll find some material in that subject area that can make for a future post here at the IT Security weblog, at some point.

rw

I fully understand and empathise where you are coming from. My point is users are finding new ways of doing their job from consumer type applications they are using at home, like IM. You can't blame someone for finding something useful and trying to use it to make their life easier in some way. I recently worked with a lawyer who regularly holds 3 or 4 simultaneous IM conversations with clients that he bills for that confirmable time by copy and pasting the transcript. IM does not have to be installed to work with history. Sites like Meebo (www.meebo.com) remove the need for several IM clients and admin rights. IM is being seen by the software industry as a new way of working. Look at Microsoft's UC product suite. There needs to be an education for users to be responsible for the PCs they have access to. But even the most responsible user requires time and effort and ownership by IT to get them and keep them working. BP the UK petro-chemical company have trialed a project where users buy their own laptops and therefore have ownership of their work machine... including repair and maintenance which seems to have crystalised the idea of responsible computing in their minds. Users tend to want to do what is best for their job. If they find a way of calling for free or billing four customers for the same amount of (provable) time, they will give it a go. I think most people would consider that using your initiative. Best would seem to work your systems so that the applications only talk and the network does not see or need to care about the client machine. Zero client machine TCO. If the machine underperforms because of non-work related and requires therefore time to fix, then find some way to bill the user. The message will soon get across.

apotheon

You seem to think the article was written to advocate giving everyone administrative access to their systems. That couldn't be further from the truth.

mhbowman

Our multiple-user devices auto-login. They are locked down through the GPO to have a limited view, not allow a right click, or allow data to be saved to the hard drive. Single user PCs allow basic configuration changes but the users are not given admin rights. We have MS Office Communicator set up for instant messaging within the office. Our firewall blocks any and all exe, zip, etc. files that are deemed harmful. If you need to send or receive an attachment through email it has to be released through the help desk. Gone are the days of "My computer's running really slow and acting funny" only to find Bonzai Buddy, Gator, Webshots, streaming radio, Napster, LimeWire, AIM, and even additional programs that do the SAME thing installed and all of them running in the bottom right hand corner of the desktop. "Why does my computer take so long to boot? This computer's a piece of junk." You mean besides the fact that you have over a dozen programs running in startup that have nothing to do with your job? Just because you sit in front of it for 8 hours a day doesn't make it YOUR PC. It still belongs to the company you work for. The solution that was finally handed down was that your machine was clean when you got it. If you place a service call of this type your dept. will be charged $50/hour for it to be removed. People who have no fear of breaking security policies tend to have a very real fear of their boss asking why they cost their department extra money each month.

apotheon

Yeah, that's the (very) short version.