In the wake of the Sony Pictures hack, many in IT are suggesting that the trend toward "liberalizing" access to external technologies is partially to blame. Should IT go back to being the "department of no"?
Over the past several years, the trend at most companies has been to "liberalize" IT policies. In many cases, IT leaders could do little to prevent this movement. When the CEO of the company walks into your office with a new iPhone and says "Make this work with our email," discussions about security risks and network integrity usually fall on deaf ears. Furthermore, the rise of shadow IT, where anyone with a credit card and a few minutes could provision cloud services and use them in lieu of corporate-approved tools, has eroded IT's control.
With the recent hack of Sony Pictures, where everything from salary and employee data to executive communications was stolen and leaked to the world, many in IT are suggesting that liberalizing access to technology has gone too far. In extreme cases, some are suggesting removing employee access to outside networks, ending BYOD (Bring Your Own Device) programs, and fortifying networks that have become dramatically more permissive.
Can we reverse the clock?
What's being suggested is essentially reversing the clock on how corporate IT is delivered and consumed. In the 1980s and 1990s, corporate technology was used strictly for business: the company owned the assets, and they were generally physically confined within the four walls of a company building. Except in rare cases, employees would not use or transport company technology for personal use any more than a machinist would take home his or her drill press for the night. In this scenario, building digital "walls" around the perimeter of the company made perfect sense.
Just as you'd install locks on the outside doors of your home, but allow relatively free access to a guest you've allowed inside, traditional IT security generally focused on the perimeter. In many of the recent high-profile hacks, nefarious actors were able to gain access to a single internal system, or sneak malware past the "outer walls," and then move laterally with relatively unrestricted access to their target once inside.
In this model, creating even pinholes in the "outer wall" presents an obvious security risk, even if the business drivers are valid and well-intentioned. The best firewalls and intrusion detection systems do little to protect against the vendor who sets their account password to "password," or the employee who clicks on every link that comes into their inbox.
The suggestion that all outside access be restricted may allow IT to restore the focus on the "outer wall," but the fact is that we're no longer in the 1990s. While it's comforting for those in IT security to picture employee internet access as being used solely to check Facebook and waste hours on YouTube, everything from technical documentation to key partner and client systems is now accessed through the internet. Turn off internet access, and your software developers' productivity will drop precipitously; your sales people will be unable to do customer research before visiting a key client; and your procurement department will be unable to order parts and raw materials from most vendors.
Innovate, rather than yearn for the past
There is still a space for '90s-style IT security. For the Sony Pictures hack, a disgruntled employee was cited as a potential key beachhead for the hackers, something that could have been prevented through better people management and access controls. Similarly, continue emphasizing the need for good security practices, and as you allow access for employee devices or access to external services, remind employees that they are stewards of company data.
On the technical side, rather than attempting to wall off the entire corporation and allowing relatively unrestricted access once "inside the walls," a better strategy is to secure key systems and data, and end the assumption that any device or user on the company network can be fully trusted. Increasingly, employees use external resources on the internet more than internal ones, except perhaps for email. Rather than building a bigger wall around the company, build smaller, thicker walls around key services and assets, perhaps even segregating these into small secure networks whose entry points require an authenticated, authorized user rather than merely a device on the right subnet, while the general employee population enjoys fast, unrestricted internet access that's disconnected from corporate resources.
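The following Python is an added example, not code from the original article, that models the policy this paragraph argues for: a first-match, default-deny rule set in which a request is judged by its source segment, the authenticated user and group membership, and MFA state, so that simply being on the employee LAN earns nothing beyond internet and mail. The zone names, group names, services and rules are all made up for illustration.

```python
"""Added example: default-deny access policy for a segmented network.

A request carries where it comes from (network zone), who is making it
(an authenticated user with group membership and MFA state) and what it
targets. Rules are checked in order and the first match wins; anything
unmatched is denied. Zones, groups and services below are hypothetical.
"""
from __future__ import annotations

from dataclasses import dataclass

ANY = "*"  # wildcard for "any zone" / "any destination"


@dataclass(frozen=True)
class Request:
    src_zone: str                        # segment the session originates in
    dst: str                             # target service, or "internet"
    user: str | None = None              # None: device only, nobody authenticated
    groups: frozenset[str] = frozenset()
    mfa: bool = False


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                          # "allow" or "deny"
    src_zones: frozenset[str]
    dsts: frozenset[str]
    require_groups: frozenset[str] = frozenset()  # user must hold all of these
    require_mfa: bool = False

    def matches(self, req: Request) -> bool:
        if ANY not in self.src_zones and req.src_zone not in self.src_zones:
            return False
        if ANY not in self.dsts and req.dst not in self.dsts:
            return False
        # Identity conditions: an unauthenticated device never satisfies a
        # group requirement, no matter which segment it sits on.
        if self.require_groups and (req.user is None or not self.require_groups <= req.groups):
            return False
        if self.require_mfa and not req.mfa:
            return False
        return True


# Hypothetical policy: the employee LAN and guest wifi get the internet;
# mail needs a staff identity; the HR database is reachable only from the
# admin jump segment, by an HR DBA, with MFA; the jump segment itself is
# entered only by admins with MFA. Everything else is denied by default.
POLICY = [
    Rule("general-internet", "allow", frozenset({"employee-lan", "guest-wifi"}), frozenset({"internet"})),
    Rule("mail-for-staff", "allow", frozenset({"employee-lan"}), frozenset({"mail"}),
         require_groups=frozenset({"staff"})),
    Rule("jump-host-entry", "allow", frozenset({"employee-lan"}), frozenset({"admin-jump"}),
         require_groups=frozenset({"admins"}), require_mfa=True),
    Rule("hr-db-via-jump", "allow", frozenset({"admin-jump"}), frozenset({"hr-db"}),
         require_groups=frozenset({"hr-dba"}), require_mfa=True),
]


def decide(req: Request, policy: list[Rule] = POLICY) -> tuple[str, str]:
    """Return (action, rule name); unmatched requests hit the implicit deny."""
    for rule in policy:
        if rule.matches(req):
            return rule.action, rule.name
    return "deny", "default-deny"


if __name__ == "__main__":
    samples = [
        Request("employee-lan", "internet"),
        Request("employee-lan", "hr-db", "alice", frozenset({"staff", "hr-dba"}), True),
        Request("admin-jump", "hr-db", "alice", frozenset({"hr-dba"}), True),
        Request("admin-jump", "hr-db"),
    ]
    for s in samples:
        print(f"{s.src_zone:>13} -> {s.dst:<9} user={s.user!s:<6} mfa={s.mfa!s:<5} => {decide(s)}")
```

Note that the second sample is denied even though the user is an HR DBA with MFA: the HR database rule only admits sessions from the jump segment, so the path to the data is two authenticated hops, and a compromised workstation on the employee LAN cannot reach it directly.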
Finally, IT is just as guilty as employees of failing to follow its own policies. In the heat of the moment, most of us have seen low-level technicians or vendors granted unrestricted access to a key system or database to troubleshoot a problem, and then that access is maintained until an annual security audit. Access granted for a troubleshooting ticket should carry an expiry and be revoked when the ticket closes, not discovered months later. Even interns are granted access to databases that house HR or key financial data, and could happily dump tables all day long and have your employee salary information on the web by lunch.
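As an added example, not part of the original article, the Python below audits a list of access grants of the kind described in this paragraph. Each grant records who holds it, what it covers, when it was issued, when it should expire and when it was last used; the audit flags grants that expired without being revoked, standing grants to sensitive stores held by people rather than service accounts, grants unused for more than 30 days, and temporary principals (vendors, interns, contractors) holding access to sensitive data. The grant records, resource names and thresholds are all constructed for illustration.

```python
"""Added example: finding stale and over-broad access grants.

Every record here is constructed for illustration. The resource names,
principal kinds and the 30-day threshold are assumptions, not anything
from the article.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

UTC = timezone.utc
SENSITIVE = {"hr-db", "payroll-db", "finance-ledger"}        # hypothetical
TEMPORARY_KINDS = {"vendor", "intern", "contractor"}
UNUSED_AFTER = timedelta(days=30)


@dataclass(frozen=True)
class Grant:
    principal: str
    kind: str                        # "employee", "vendor", "intern", "service"
    resource: str
    privilege: str                   # e.g. "select", "dba"
    granted_at: datetime
    expires_at: Optional[datetime]   # None = standing grant with no end date
    last_used: Optional[datetime]    # None = never used since it was granted


def audit(grants: list[Grant], now: datetime) -> list[tuple[str, str, str]]:
    """Return (principal, resource, finding) tuples, sorted for stable output."""
    findings = []
    for g in grants:
        if g.expires_at is not None and g.expires_at <= now:
            findings.append((g.principal, g.resource, "expired-not-revoked"))
        if g.expires_at is None and g.kind != "service" and g.resource in SENSITIVE:
            findings.append((g.principal, g.resource, "standing-access-to-sensitive"))
        last_activity = g.last_used or g.granted_at
        if now - last_activity > UNUSED_AFTER:
            findings.append((g.principal, g.resource, "unused-30d"))
        if g.kind in TEMPORARY_KINDS and g.resource in SENSITIVE:
            findings.append((g.principal, g.resource, "temporary-principal-on-sensitive"))
    return sorted(findings)


def to_revoke(grants: list[Grant], now: datetime) -> list[Grant]:
    """Grants that should be removed immediately: expired, or idle past the threshold."""
    flagged = {(p, r) for p, r, why in audit(grants, now)
               if why in {"expired-not-revoked", "unused-30d"}}
    return [g for g in grants if (g.principal, g.resource) in flagged]


def grant_for_ticket(principal: str, kind: str, resource: str, privilege: str,
                     now: datetime, hours: int) -> Grant:
    """Issue troubleshooting access that dies on its own after `hours`."""
    return Grant(principal, kind, resource, privilege, now, now + timedelta(hours=hours), None)


# Constructed sample data: a vendor's one-day DBA window from June that was
# never removed, an intern with open-ended HR access, a DBA with a bounded
# grant in regular use, a service account, and an employee whose ledger
# access has gone idle.
NOW = datetime(2014, 12, 22, 9, 0, tzinfo=UTC)
SAMPLE_GRANTS = [
    Grant("bob", "vendor", "prod-order-db", "dba",
          datetime(2014, 6, 1, 14, 0, tzinfo=UTC), datetime(2014, 6, 2, 14, 0, tzinfo=UTC),
          datetime(2014, 6, 1, 16, 30, tzinfo=UTC)),
    Grant("carol", "intern", "hr-db", "select",
          datetime(2014, 9, 15, tzinfo=UTC), None, datetime(2014, 12, 19, tzinfo=UTC)),
    Grant("dave", "employee", "hr-db", "dba",
          datetime(2014, 1, 10, tzinfo=UTC), datetime(2015, 1, 10, tzinfo=UTC),
          datetime(2014, 12, 21, tzinfo=UTC)),
    Grant("payroll-svc", "service", "payroll-db", "select",
          datetime(2013, 4, 1, tzinfo=UTC), None, datetime(2014, 12, 22, 8, 0, tzinfo=UTC)),
    Grant("erin", "employee", "finance-ledger", "select",
          datetime(2014, 3, 1, tzinfo=UTC), datetime(2015, 3, 1, tzinfo=UTC),
          datetime(2014, 10, 1, tzinfo=UTC)),
]


if __name__ == "__main__":
    for principal, resource, finding in audit(SAMPLE_GRANTS, NOW):
        print(f"{principal:<12} {resource:<15} {finding}")
    print("revoke now:", [g.principal for g in to_revoke(SAMPLE_GRANTS, NOW)])
```

Running this over the sample data flags the vendor's June grant twice (expired and idle), the intern's open-ended HR access twice (standing and held by a temporary principal), and the idle ledger access once; the DBA with a dated grant in daily use and the service account produce nothing. A grant issued with `grant_for_ticket` is clean while its window is open and shows up as expired once the window has passed, which is the behaviour a ticket-bound process should rely on instead of the annual audit.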
Certainly, our lives as IT leaders would be easier if we could "pull the plug" on external access and return to an era of physically secure desktops and no personal devices or applications on our networks. However, yearning for those days and suggesting security architectures that worked in those days is as foolish as suggesting a return to typewriters and carbon paper.
- Sony CEO: We were the victim of a vicious and malicious hack (CNET)
- The Sony hack: 9 more things you didn't know (CNET)
Disclosure: TechRepublic and CNET are CBS Interactive properties.