Farhad Manjoo over at Slate recently did his best Moses imitation, cried out “Let My Office PC Go!”, and railed against restrictive IT policies in the office environment. While I understand his pain, his piece illustrates the disconnect between users, IT, and Information Security.
You ask your IT manager to let you use something that seems pretty safe and run-of-the-mill, and you’re given an outlandish stock answer about administrative costs and unseen dangers lurking on the Web. Like TSA guards at the airport, workplace IT wardens are rarely amenable to rational argument. That’s because, in theory, their mission seems reasonable. Computers, like airplanes, can be dangerous things—they can breed viruses and other malware, they can consume enormous resources meant for other tasks, and they’re portals to great expanses of procrastination. So why not lock down workplace computers?
Here’s why: The restrictions infantilize workers—they foster resentment, reduce morale, lock people into inefficient routines, and, worst of all, they kill our incentives to work productively. In the information age, most companies’ success depends entirely on the creativity and drive of their workers. IT restrictions are corrosive to that creativity—they keep everyone under the thumb of people who have no idea which tools we need to do our jobs but who are charged with deciding anyway.
Productivity and morale are two very important things, and I understand where Farhad is coming from. I agree that draconian restrictions can kill productivity. In my career (2001-ish), upper management decided to install web monitoring software at my place of work unannounced and came down hard on people who spent “too much” time on the web (including yours truly). It didn’t matter that my work was getting done, or that I got glowing reviews from the users I supported, or that I spent my time on technology sites; I was spending “too much” time on the web. The “solution” to this was to have me sit there and stare at my e-mail folder waiting for a support ticket. Loads of fun.
While Farhad does a great job illustrating that productivity can go up when users are given more control over their desktops, he inadvertently provides an example of exactly why users shouldn’t be given free rein over their desktops:
When I worked in an office not long ago, though, a new man in IT decided that forwarding company mail to my Gmail account might violate the Sarbanes-Oxley Act. I tried to explain that was ridiculous—Sarbanes-Oxley proscribes deleting mail, which I wasn’t doing, and, anyway, the IT department had no problem forwarding mail to people’s BlackBerries and iPhones.
Uhhh… Hey, what now? While the only SOX I know in detail are the red ones, this, as a “security guy,” makes me cringe. SOX aside, this is very much a BadThing™. Yes, it makes it incredibly easy to read your work e-mail from home and gives you all kinds of options that your work e-mail environment may not provide, but it’s a bad move from a security viewpoint. How is it bad? The massive Twitter document leak this past July illustrates it: a combination of bad passwords and a Google Apps account absolutely reamed Twitter. By forwarding your e-mail to a system your company does not control, you bypass every control your company has put around it. Internally your IT department may have firewalls, anti-virus, intrusion detection systems, strong password policies, logging, and so on. None of that extends to your Gmail, Hotmail, or Yahoo account. If your IT department is smart, they’ll notice your corporate account being accessed by someone who shouldn’t have access to it; if the mail is sitting in Gmail, how do you know that account isn’t compromised? More importantly, how can you prove it isn’t?
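One of the controls an IT department actually has here is to look for the forwarding rules themselves. The following is an added example, not code from the original post or from any particular mail system: it takes a constructed export of mailbox forwarding rules and flags every rule whose target is outside the company’s own domains. The corporate domain (`example.com`), the three-column rule format, and the sample rules are all assumptions made for the example; the interesting part is the domain check, which matches on label boundaries so that `mail.example.com` counts as internal while `example.com.attacker.net` and `notexample.com` do not.

```python
"""Flag mailbox auto-forwarding rules that send company mail outside the
company's domains.

Added example; not the original post's code. The corporate domains, the
rule format and the sample rules below are constructed assumptions.
"""
from dataclasses import dataclass

# Assumed: domains the company controls (subdomains count as internal).
CORPORATE_DOMAINS = ("example.com",)


@dataclass
class ForwardRule:
    mailbox: str     # corporate mailbox that owns the rule
    target: str      # address the mail is forwarded to
    keep_copy: bool  # True if a copy stays in the corporate mailbox


def domain_of(address: str) -> str:
    """Return the lower-cased domain part of an e-mail address."""
    local, sep, domain = address.rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not an e-mail address: {address!r}")
    return domain.lower().rstrip(".")


def is_internal(address: str, corporate=CORPORATE_DOMAINS) -> bool:
    """True if the address is in a corporate domain or a subdomain of one.

    Matching is done on label boundaries: 'example.com.attacker.net' and
    'notexample.com' are external, 'mail.example.com' is internal.
    """
    domain = domain_of(address)
    for corp in corporate:
        corp = corp.lower()
        if domain == corp or domain.endswith("." + corp):
            return True
    return False


def external_forwards(rules):
    """Return the rules whose target lies outside the corporate domains."""
    return [r for r in rules if not is_internal(r.target)]


def parse_rules(text: str):
    """Parse constructed 'mailbox target keep|move' lines into ForwardRule objects."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        mailbox, target, mode = line.split()
        rules.append(ForwardRule(mailbox, target, keep_copy=(mode == "keep")))
    return rules


# Constructed sample export; not real data.
SAMPLE_RULES = """
# mailbox                target                          mode
alice@example.com        alice@mail.example.com          move
bob@example.com          bob.smith@gmail.com             keep
carol@example.com        carol@example.com.attacker.net  move
dave@example.com         dave@notexample.com             keep
"""

if __name__ == "__main__":
    for rule in external_forwards(parse_rules(SAMPLE_RULES)):
        copy = "copy kept" if rule.keep_copy else "no copy kept"
        print(f"{rule.mailbox} forwards to external {rule.target} ({copy})")
```

The keep/move flag is carried along because the two cases differ: a forward that leaves no copy behind also takes the mail out of reach of whatever logging, retention, or monitoring the company runs on its own mail store, which is the part that makes an IT department nervous regardless of what any particular regulation says.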
As a side note, BlackBerrys and iPhones are a different beast altogether. Thankfully, RIM, and Apple as of the iPhone 3GS, let us enforce reasonably secure usage on the device. For example, we can require a complex password to unlock the device after 15 minutes of inactivity. That gives us reasonable assurance that if you leave your phone in the back of a taxi while you’re sloshed on a Friday night, the information on it is exposed for at most about 15 minutes. It’s not perfect, but it does give us a bit of breathing room. If you set up some kind of Rube Goldberg system where your work mail is forwarded to Gmail and your device syncs from Gmail, you’re torpedoing this: the copy sitting in Gmail is covered by neither the device policy nor the company’s mail controls.
Farhad compares IT workers to the TSA, and while I’m not going to suggest that all IT workers are helpful and flowery, I can make the counterpoint that many times a “rational argument” boils down to “I want to use this because I want to use it” rather than any justification. More often than not, when someone “wants something” for their PC, they can rarely provide reasoning beyond “Look! Shiny!”, and when pressed to answer some fairly basic questions about why they need it, it suddenly becomes the IT department standing in the way of progress. That’s not to say there aren’t cases where users provide an actual business justification for a product and that justification outweighs the risk; it just seems to be the exception rather than the rule.
I’m not saying that IT needs to lock down PCs into some kind of 1984-esque environment (Although, quite frankly, it would make my job a hell of a lot easier), nor am I agreeing that everything would be sunshine and puppies if we allowed users to completely control their PCs. What I’m saying is that both IT and users need to meet each other halfway on this issue; while IT needs to understand that certain products and websites can help users do their jobs better, users need to understand that certain products are not allowed for a reason.
The entire discussion really can be reduced to a single question. IT departments face this question regularly, and if we follow Farhad’s advice, I think it should be passed on to the user.
As a user, are you ready to accept personal responsibility if something you want affects the security of the network?
Keep that in mind the next time you want to use Facebook at work.
We’re forced to give people local admin rights on their Windows PCs. It’s *in their union contract*, believe it or not.
Posted by google.com/accounts/o8… on September 1st, 2009.
Well, then make them use Linux instead.
And make that a special purpose distribution in a read-only filesystem while you’re at it.
Posted by atanok on September 1st, 2009.