As expected, I caught a lot of flak for last week’s column suggesting that one of the better, real security solutions an administrator could implement is to prevent unauthorized programs
from executing on business-owned computers.
I have to say I was surprised to get several letters completely agreeing with me -- mostly from security administrators who
have already implemented my suggested policy. They recounted what their environments were like before and after they began blocking
unauthorized software; none would change back. Several C-level administrators wrote me to say that employees trying to circumvent
their company-mandated images would be fired for the first offense.
More common, unfortunately, were the e-mails admonishing that I would stifle employee creativity and doom the company to catastrophic
failure. One reader spelled it out like this: “The problem is that you are trying to make your job easy. Your prescription
gets that done. No question. But at what cost to the organization? In the end organizations exist to make profits (private
sector) and add value for their customers (all sectors). Not to be secure. Security is part of the picture but only a supporting
part. Your suggestions amount to 'everything not explicitly permitted is denied.' Organizations and societies that operate
like this wind up static, stagnant, and wither away.”
I like this reader’s e-mail in particular because it captures the fears accurately. Similarly, several educational institutions
wrote to tell me that I would be killing “academic freedom” by preventing unsanctioned programs.
I appreciate these readers’ comments, but I don’t buy their arguments. Underlying my recommendation is the most significant
change that has occurred to computer security in recent years. Nearly 99 percent of all malware exists to steal victim information.
Let that sink in a moment. We now call it crimeware, and nearly 99 percent of all organizations aren’t doing enough to prevent
it.
The risk is high, and most entities are still treating the threat as if the world of malicious hacking were full of teenagers
sending greetz out to their peers or trying to flood e-mail systems with identical e-mail copies. It’s a different threat
model now, and yesterday’s defenses didn’t work yesterday, much less today.
Most companies need a drastic wake-up call. It can be my column or a security event. It’s your choice.
If you’re against my recommendation to crack down on unauthorized programs, is it innovation you don’t want to stop or a fear
that you and your co-workers won’t be able to install the latest guilty pleasure software on your work PC?
Most software that users install does not come close to fulfilling a business objective. Preventing your end-users from installing
Gator, Hotbar, AIM, Party Poker, P2P file-sharing programs, illegally downloaded music, and everything else they want to install
will not stop innovative progress.
IM is a good example of an app that users love but isn’t necessarily good for business. About a decade ago, IM began to appear
in corporate environments, installed and used by end-users without IT or administration approving it. Heck, IM vendors went
so far as to create firewall-evading install routines to ensure their IM products would intentionally circumvent IT-initiated
firewall policies. IM has even been incorporated into a few corporate communication products.
But for the most part, it’s a complete waste of time for most businesses. Employees aren’t sending IMs to other employees
and partners about business issues. It’s mostly a way for employees to conduct more private personal chats on company time
without being seen connected to a telephone all the time.
IM worms and viruses are still gaining popularity. P2P programs regularly publish confidential files to the Internet. Illegal
music downloads are, well, illegal, and they use copious amounts of network bandwidth. I love to play online poker, but maybe
it’s not the best use of my company’s paid time.
How many of your employees during the past 12 months have been buying and installing GotoMyPC without your knowledge? Take
a look -- you may find out that the employee has been accessing his or her computer desktop from home for weeks or months.
How convenient. No security issues there, right?
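One way to actually "take a look," as an added example that is not part of the original column: enumerate every program registered under the Windows uninstall keys and report anything not on the approved list, including software installed into a user profile, which never needed administrator rights and so was never reviewed by IT. The approved-list entries below are constructed for illustration; the registry paths and property names are standard Windows ones.

```powershell
# Added example (not from the column): list installed programs that are not on an
# approved list, so unsanctioned tools such as a remote-access client show up.
# The approved-list contents below are constructed for illustration.
$Approved = @(
    'Microsoft Office Professional Plus 2016',
    'Adobe Acrobat Reader DC',
    '7-Zip 19.00 (x64 edition)'
)

# Per-machine (64-bit and 32-bit) and per-user uninstall keys. HKCU only covers the
# user running the script; other profiles' hives would have to be loaded separately.
$UninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

function Get-InstalledSoftware {
    Get-ItemProperty -Path $UninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName } |
        Select-Object DisplayName, Publisher, InstallDate, InstallLocation,
            @{ Name = 'Scope'
               Expression = { if ($_.PSPath -like '*HKEY_CURRENT_USER*') { 'User' } else { 'Machine' } } }
}

function Get-UnapprovedSoftware {
    param([string[]]$ApprovedNames)
    Get-InstalledSoftware | Where-Object { $ApprovedNames -notcontains $_.DisplayName }
}

# Anything with Scope = User was installed without admin rights and without IT's knowledge.
Get-UnapprovedSoftware -ApprovedNames $Approved |
    Sort-Object Scope, DisplayName |
    Format-Table DisplayName, Publisher, InstallDate, Scope -AutoSize
```

Run it under the user's own account, or via a management agent that runs in each user's context, so the per-user hive is the one being read. Matching on DisplayName alone is a first pass; a determined user can rename an installer, which is why the column's real recommendation is to block execution rather than to hunt for installations after the fact.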
If we could trust employees to only install nonmalicious and productive applications, it would be good for the company. But
most users will download junk and malware. In general, end-users can’t be trusted to make appropriate risk decisions. Let
them trash their home machines instead.
It's like a company car: You probably can't repaint it, jack it up, or add a nitro tank to the fuel system. That doesn't stop
you from driving it anywhere you want to go though. You might drive faster with a nitro tank installed, but you'll blow out
the engine a lot more quickly and end up on the side of the road or needing a tow. If I prevent you from installing the nitro
tank, you'll travel a lot further without a breakdown and will get more accomplished over the long run. Many companies don’t
mind you using the company car for personal business as long as you don’t wreck it. Why can’t it be the same with company-owned
computers?
What those who say my primary defense stifles innovation and creativity don’t understand is that not allowing unauthorized
software to be installed leads to more, faster innovation.
Yes, I make a living from installing inadequate, doomed-to-fail-several-times-a-year, expensive computer defense solutions
and fighting the computer bad guys, but I’d love not to have to do it. Really. How wonderful would our lives be if we actually
spent more time helping end-users be more productive? Instead of showing an end-user how to be more innovative with their
computer, I’m troubleshooting to find why it’s so slow, removing adware and spyware, reinstalling, and fighting rootkits.
Denying all unauthorized software by default leads to more innovation, lower costs, and fewer complaints. The people rallying
against this recommendation haven’t tried it.
But if you simply can’t justify denying all unauthorized software by default, consider making two classes of end-users. The
users who “get” computer security -- and don’t install stupid things -- can have free rein. But the 98 percent of your users
who've just gotta install that free screensaver or free game should be locked down.
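The column does not name a mechanism; as an added example that is not part of the original, here is the two-class policy expressed with Windows AppLocker: everything in the company image is allowed by publisher or hash rule for everyone, one trusted group gets a path rule of "*" (free rein), and anything else is denied by default. The image paths, the group name CORP\SecuritySavvyUsers, the user CORP\jdoe and the downloaded game are assumptions for illustration.

```powershell
# Added example (not from the column): build a default-deny AppLocker policy from a
# known-good image, exempt one trusted group, dry-run a file, then deploy in audit mode.
# Paths, the group name and the test file are assumptions for illustration.
Import-Module AppLocker

$ImageRoots   = @('C:\Windows', 'C:\Program Files')   # the company-mandated image
$TrustedGroup = 'CORP\SecuritySavvyUsers'             # the users who "get" security (assumed)
$PolicyPath   = "$env:TEMP\lockdown-policy.xml"

# 1. Allow rules for everything shipped in the image. Signed files get publisher rules
#    (they survive patching); unsigned files fall back to hash rules. Hashing the image
#    is slow but avoids the user-writable subdirectories that a bare %WINDIR% path rule
#    would allow. DLL rules are left out here; they add breakage risk and should be a
#    later step.
$FileInfo = foreach ($dir in $ImageRoots) {
    Get-AppLockerFileInformation -Directory $dir -Recurse -FileType Exe, Script, WindowsInstaller
}
[xml]$Policy = New-AppLockerPolicy -FileInformation $FileInfo -RuleType Publisher, Hash `
                                   -User 'Everyone' -Optimize -Xml

# 2. Second class of user: a FilePathRule of "*" for the trusted group in every rule
#    collection lets its members run anything. Everyone else gets only the image.
$TrustedSid = ([System.Security.Principal.NTAccount]$TrustedGroup).Translate(
                  [System.Security.Principal.SecurityIdentifier]).Value
foreach ($collection in $Policy.AppLockerPolicy.RuleCollection) {
    $rule = $Policy.CreateElement('FilePathRule')
    $rule.SetAttribute('Id', [guid]::NewGuid().Guid)
    $rule.SetAttribute('Name', "Free rein for $TrustedGroup")
    $rule.SetAttribute('Description', 'Users trusted to make their own risk decisions')
    $rule.SetAttribute('UserOrGroupSid', $TrustedSid)
    $rule.SetAttribute('Action', 'Allow')
    $conditions = $Policy.CreateElement('Conditions')
    $condition  = $Policy.CreateElement('FilePathCondition')
    $condition.SetAttribute('Path', '*')
    [void]$conditions.AppendChild($condition)
    [void]$rule.AppendChild($conditions)
    [void]$collection.AppendChild($rule)

    # 3. Start in AuditOnly: executions that would have been blocked are logged
    #    (event ID 8003 in the AppLocker "EXE and DLL" log) without stopping anyone.
    #    Change to 'Enabled' once the audit log has been quiet for a while.
    $collection.SetAttribute('EnforcementMode', 'AuditOnly')
}
$Policy.Save($PolicyPath)

# 4. Dry-run: a locked-down user vs. a trusted user running the same downloaded game.
$Game = 'C:\Users\jdoe\Downloads\freegame.exe'
Test-AppLockerPolicy -XmlPolicy $PolicyPath -Path $Game -User 'CORP\jdoe'     # expected: Denied
Test-AppLockerPolicy -XmlPolicy $PolicyPath -Path $Game -User $TrustedGroup   # expected: Allowed

# 5. Apply locally (in a domain, import the XML into a GPO instead). AppLocker only
#    works while the Application Identity service is running; sc.exe is used because
#    Set-Service cannot change this protected service's start type on current Windows.
sc.exe config appidsvc start= auto | Out-Null
Start-Service -Name AppIDSvc
Set-AppLockerPolicy -XmlPolicy $PolicyPath
```

Two things a practitioner will want to check before switching from AuditOnly to Enabled: that the trusted group actually resolves to a SID (the Translate call fails off-domain), and that the audit log shows no 8003 events from the image itself, which would mean a file was missed during the scan and the first enforced logon would break it.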
If you still disagree with me, tune in next week and I'll show you where you fit into the Grimes Hierarchy of Computer Security
model.