As far as controlling what software employees install, I believe an organization should take a blacklisting approach. In other words, only applications known to present a high level of risk should be prohibited.
Rubbed my eyes. Pinched my arm. Wow! I really read that! With all that's known about malicious programs on the Internet, he said that IT departments should allow everything except "applications known to present a high level of risk". In practice, that means that every line of code is treated as "innocent until proven guilty"! Network traffic is filtered by default deny, not default allow rules, in environments where security matters. Why a different set of rules for software?
Having said this, I also believe all endpoint devices in an environment with no or weak application installation controls must be protected. Protection should include aggressive patch management and anti-malware update processes. Another consideration is the use of host-based solutions to block the installation or execution of applications known to be questionable. A product that falls into this category is SurfControl's Enterprise Threat Shield. In summary, if we allow users to install whatever they want, we have an obligation to protect them from themselves.
That's funny. What professional tool, other than a computer, do employees expect to have the right to modify? In construction and other fields in which it's common to buy one's own tools even while working as an employee not an entrepreneur, one may purchase any brand according to personal preference, but I can think of no other tool, provided by the employer, which employees expect to be permitted to modify. I'm happy for the entrepreneurs at SurfControl who are able to find a profit in this culture of entitlement, but it's still a load of hogwash.
I think you'll find that the trend is toward allowing employees to use new products and services without severe restrictions. This trend is being pushed by IT and business executives. This was made clear in the voting that took place at the conference.
Security is about providing a balance between operational efficiency and control. Security managers who attempt to block every user-provided solution will quickly find themselves dismissed as "security radicals". Instead, it's our job as security professionals to keep in step with the realities of the workplace and to select the controls that will mitigate risk to an acceptable level.
As far as whitelisting vs. blacklisting, whitelisting software is a huge undertaking in a large organization. The costs involved, both in managing the process and in potential productivity losses, exceed those incurred by implementing blacklisting with appropriate controls.
Finally, I never wrote that all users should have the right to modify their systems on their own. I've written several times about the importance of restricting local admin access to IT personnel only. However, there are instances in which local admin rights must be granted due to the nature of the applications executed.
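The default-deny application control that the post argues for and the comment calls a "huge undertaking", shown as an added example that is not part of the original post or of either commenter's words. It uses Windows AppLocker, which neither the post nor the comments mention (SurfControl's product is not shown here): build allow rules from what is already installed on a known-good reference workstation, test a user download against them, and deploy in audit mode before enforcing. The directory list, the temp file name and the Downloads path are assumptions for illustration; it assumes an elevated session on a Windows edition that ships the AppLocker module.

```powershell
# Added example, not code from the original post or its comments.
# Builds a default-deny AppLocker executable policy from a reference
# workstation, dry-runs a sample file against it, then deploys in audit mode.
# Assumptions: elevated session; Windows edition with the AppLocker module and
# the Application Identity service; directories and file names are illustrative.

Import-Module AppLocker

# 1. Inventory the executables in the locations users cannot write to.
#    Signed binaries will get publisher rules, unsigned ones hash rules.
#    (Assumed trusted locations; adjust to the build of the reference machine.)
$trusted = @('C:\Windows', 'C:\Program Files', 'C:\Program Files (x86)')
$info = foreach ($dir in $trusted) {
    Get-AppLockerFileInformation -Directory $dir -Recurse -FileType Exe
}

# 2. Generate allow rules only. -Optimize collapses per-file rules into one
#    rule per publisher/product where the signature permits. AppLocker denies
#    anything no rule covers once enforcement is turned on: default deny,
#    the same model the post wants applied to software as to network traffic.
$policyXml = New-AppLockerPolicy -FileInformation $info `
    -RuleType Publisher, Hash -User Everyone -Optimize -Xml

$policyPath = Join-Path $env:TEMP 'allowlist-exe.xml'   # assumed location
$policyXml | Out-File -FilePath $policyPath -Encoding UTF8

# 3. Dry run: would a binary a user dropped into their profile be allowed?
#    (Hypothetical path; point it at any real file to test.)
$sample = Join-Path $env:USERPROFILE 'Downloads\newtool.exe'
if (Test-Path $sample) {
    Test-AppLockerPolicy -XmlPolicy $policyPath -Path $sample -User Everyone |
        Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize
}

# 4. Deploy in audit mode first. New-AppLockerPolicy emits the Exe collection
#    with EnforcementMode="NotConfigured"; set it to AuditOnly so nothing is
#    blocked yet, then watch the event log for what *would* have been denied.
[xml]$xml = Get-Content -Path $policyPath
$xml.AppLockerPolicy.RuleCollection |
    Where-Object { $_.Type -eq 'Exe' } |
    ForEach-Object { $_.EnforcementMode = 'AuditOnly' }
$xml.Save($policyPath)
Set-AppLockerPolicy -XmlPolicy $policyPath -Merge

# 5. Review the audit trail. Event 8003 = allowed, but would have been blocked
#    under enforcement (audit mode); 8004 = actually blocked (enforced).
Get-WinEvent -LogName 'Microsoft-Windows-AppLocker/EXE and DLL' -MaxEvents 50 |
    Where-Object { $_.Id -in 8003, 8004 } |
    Select-Object TimeCreated, Id, Message |
    Format-List
```

Running step 1 against all of `C:\Windows` on a real image produces a large rule set; the practical reason to do it anyway is that the 8003 events from an audit period are exactly the list of exceptions the comment worries about, so the cost of the allowlist shows up as a finite set of rules to add before the collection is flipped to `Enabled` rather than as an unbounded help-desk queue.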
Well known discussion, but really, it comes down to experience.
My question after reading the Gartner report, and having had the same discussion at work, is what kind of experience do these "IT Professionals" referenced in the report have?
The 70% of people voting for open usage and fewer restrictions can't have had any experience with large virus outbreaks, or with large organizations where it's a "free for all".
After spending the last 4 years in the company, going from a minimal-control, "users are local admins" environment to a semi-controlled, users-have-only-"user rights" environment, the benefits have been both visible and easy to calculate cost reduction on.
Yes, the challenge is user information, and open discussion on why they can't install what they want and connect what they want, but senior IT and business management support and buy-in have been the key.
We have almost removed viruses, spyware, adware, malware, pirated software, music and movies. Almost, because, consisting of 100+ companies, there are of course those that have management approval for having local admin rights.
And usually these are the "IT Professionals" that believe restrictions should not apply to them.
So my conclusion after reading the Gartner report was that the opinions of the 70% carry very little relevance for my company, and probably for most large organizations.