Information security, off the deep end

Dear Bob ...Did you happen to see Roger Grimes recent posting, "Unauthorized applications (still) a bad idea," (InfoWorld's Security Advisor, July 14, 2006)? I'd love to hear what you have to say about it.- Curious GeorgeDear Curious ...Now why did you have to go pour gas on the fire?Well okay, here goes. Read Grimes' posting and you'll see same the same, tired, self-serving argument by assertion that's usually

Dear Bob ...

Did you happen to see Roger Grimes recent posting, "Unauthorized applications (still) a bad idea," (InfoWorld's Security Advisor, July 14, 2006)? I'd love to hear what you have to say about it.

- Curious George

Dear Curious ...

Now why did you have to go pour gas on the fire?

Well okay, here goes. Read Grimes' posting and you'll see same the same, tired, self-serving argument by assertion that's usually used by members of the Value Prevention Society (VPS) to justify their one-size-fits-nobody policy recommendations.

Unlike many who take his position, Grimes didn't even haul out the usual references to publications of the Alarming Statistics Society of America (ASSA) to justify his claim that nobody ever installs an unauthorized application that does something useful. Instead, he provides examples, like employees who install GotoMyPC and instant messaging (IM).

Grimes needs to take a trip to the clue store. Does he really think employees install GotoMyPC because they find accessing their work computer from home to be a matter of pleasure. Don't be ridiculous - they install it because they're conscientious, and sometimes need to work from home, using data that's only available on their office PC. Very often, they have to do this because their company's security team has outlawed jump drives, and configure their laptop computers so they can't carry any data out of the company ... security risk, don't you know.

So it's drive in to work on Saturday or install something that helps them get their job done, because IT is too busy locking down the joint to realize the employees need a decent work-from-home solution. If that weren't the case, employees wouldn't have to install GotoMyPC: IT would provide a solid VPN, and Citrix or something similar that provides a way to access office files from home.

As for the IM nonsense. Yes, user-installed IM does cause security problems. Unless Grimes has installed a bunch of keystroke loggers to find out what people are doing every second of their 50-hour work weeks (which is, by the way, why employees have to use office equipment for personal tasks, but that's a different discussion for another time) ... he has no idea what fraction of their use is personal and which is business. Here's a simple alternative to forbidding this very useful communications tool: Install a corporate IM solution that is secure.

Grimes' oddest assertion is this: "Denying all unauthorized software by default leads to more innovation." Huh? Unless you define "innovation" as "figuring out creative ways to bypass the lockdown," the statement is absurd on its face.