No matter what country you live in, if it is in any way democratic, you have seen the political trend wherein nearly everyone knows the correct solution to a given problem, but hidden agendas, partisanship, and general demagoguery get in the way of implementing that solution. In most industrialized countries, the most obvious and timely instance of this is any discussion of cutting government spending. Everyone knows that it is inevitable: the government cannot spend more than it makes forever, any more than a business or a household can, but partisanship and turf-protection always make these things move very slowly, and the cuts rarely go as deep as they need to if the final goal is to be reached. At the time of this writing, it seems as if the EU has an up-and-coming sense of austerity; we’ll see how well it holds up to the sea of public outcry and negativism that always seems to surround fiscal responsibility.
There is a similar phenomenon with enterprises and the Internet, only since it is not confined to the halls of politics, it is much more sweeping and no less rancorous. Somewhere along the line, the “sense of entitlement” that you read about a lot in western countries these days became endemic online. You see it in the cavalier, even Robin Hood mentality people display toward online piracy, and in the pervasive penetration of Web 2.0 use in the enterprise. According to a recent InformationWeek article discussing a poll of IT professionals in several countries, Web 2.0 use is a gaping productivity and security hole in the enterprise. Ignore, for the remainder of this post, that the article lacks focus and that the announcement of a new product at the end makes it feel like paid content, and let’s talk about the survey and its implications.
My first reaction to the poll information that says usage of Web 2.0 applications was opening the enterprise up to security vulnerabilities was “well yes, we all know that”. But then I pondered that thought. Do we? Yes, yes we do. Even those who know nothing about IT have enough computer experience these days to know that surfing is very dangerous to your system’s health, let alone IM, etc. So then my second question was the obvious “then how did we let it get to this point? Shouldn’t we have tightly controlled access to this type of application – particularly since if you don’t have a content control (data leak protection) mechanism, it is simplicity itself to leak sensitive data via IM?”
And my second reaction was likely yours also. I am not at all certain that we can or should put that genie back into the bottle. Of course there are risks to using Web 2.0 applications, but there are benefits too. Many of us here at F5, including a couple of our VPs, use Twitter, Facebook, and blogs to talk about work-related things on a regular basis. The organization finds value in these activities, and hopefully you do too. Of course you could write or automatically enforce policies that would allow only members of a given security group to access Web 2.0 sites, but there are so many of them that you would have to do it by content scanning, or put people on the job full time. And employees can be a huge plus to your hiring efforts if they are out there en masse. Many F5ers have tweeted or updated Facebook about the great work environment, open positions, etc.
(The article gets confused after a while and discusses both social media and internal web 2.0 applications – two different problems. Web Application Firewalls and access control products like our ASM and APM can help with the internal app security problem, and a feature of ASM called DataGuard can help keep private information within your walls, but other than this little note, we’ll stick to social media usage in this blog)
And there’s the problem with national politics too – I have admitted the best solution would be to block Web 2.0 applications on the way in/out of your building, then promptly said “but wait!” except that I’m not saying “but wait!” for votes or a special interest, I’m saying it for the good of the organization. Heck, last time I checked I wasn’t up for a promotion, let alone a public office, so I’m unlikely to be “in someone’s pocket”.
So it falls upon us in IT to figure out how to ensure that our users are secure while they’re telling their grandma about their horrid case of leprosy from the comfort of their cubicle. The article says that one of IT’s concerns about these applications was implications for productivity. I contend that this is not an IT problem. Seriously. There have always been performance issues in the enterprise, and HR has a whole collection of tools in their pocket to deal with them. Surfing websites is no different than hanging on your phone or taking a two hour lunch: if you’re not getting your job done, people notice. So let that bit slide; someone has it well in hand, and you have enough to worry about.
Every enterprise I know of uses anti-virus tools, so that bit is covered as well as we can cover it, though zero day will continue to haunt our dreams. Content scrubbers are a good idea for protecting the organization against large chunks of data going out, though the last time I looked into them they required a lot of work to set up. If that’s how your enterprise wants you to spend your time, it is certainly a risk avoidance exercise that might well pay off. When I was looking at these products for NWC, a vendor told me of a case where one guy in sales had stolen all of an enterprise’s customer and prospect databases – 25 rows at a time, emailing them through webmail to a home account before he left for a competitor. He was only caught after he’d given his two week notice, and then only because the organization was trying out the product I was being briefed on. So they are worth the money, but they do take work to get going, like I mentioned above. Note though that I have never tried ASM’s DataGuard feature; it might be simple. There are just too many products for each of us to play with all the features. And it’s been a few years since I installed any DLP product; no doubt they’re all easier to configure these days.
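The anecdote above is the classic low-and-slow case that a content scanner configured only with a per-message size rule never notices. The following is an added illustration, not code from the original post or from F5, of why the rule that catches it has to keep a per-user running total across a time window rather than judge each message on its own. The log format, field names, user names, domains and thresholds are all constructed for the example.

```python
"""Low-and-slow data leakage: per-message rule vs. per-user windowed total.

Added example, not from the original post or any vendor product. Each sample
line stands for one outbound message a content scanner inspected; `rows` is
the number of customer-record-shaped rows it found in the body or attachment.
All values below are constructed.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample log: one salesman ("jdoe") sending 25 rows at a time to a
# personal webmail account, plus normal traffic from other users.
SAMPLE_LOG = """\
2010-06-01T09:12:03 user=jdoe channel=webmail dest=example-mail.test rows=25
2010-06-01T17:40:11 user=jdoe channel=webmail dest=example-mail.test rows=25
2010-06-02T08:55:42 user=asmith channel=webmail dest=partner.test rows=3
2010-06-02T18:01:09 user=jdoe channel=webmail dest=example-mail.test rows=25
2010-06-03T18:03:27 user=jdoe channel=webmail dest=example-mail.test rows=25
2010-06-04T18:00:58 user=jdoe channel=im dest=example-mail.test rows=25
2010-06-05T12:14:30 user=bchen channel=webmail dest=corp.test rows=400
"""

# Constructed: destinations that stay inside the organization's walls.
INTERNAL_DOMAINS = {"corp.test"}


@dataclass
class Event:
    ts: datetime
    user: str
    channel: str
    dest: str
    rows: int


def parse_line(line: str) -> Event:
    """Parse one 'timestamp key=value ...' log line into an Event."""
    ts_text, *pairs = line.split()
    kv = dict(p.split("=", 1) for p in pairs)
    return Event(datetime.fromisoformat(ts_text), kv["user"],
                 kv["channel"], kv["dest"], int(kv["rows"]))


def parse_log(text: str) -> list[Event]:
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def per_message_alerts(events, threshold=100):
    """Naive rule: alert on any single external message with >= threshold rows.
    Never fires on a leak that is split into chunks smaller than the threshold."""
    return [e for e in events
            if e.dest not in INTERNAL_DOMAINS and e.rows >= threshold]


def cumulative_alerts(events, threshold=100, window=timedelta(days=7)):
    """Windowed rule: keep each user's external messages from the last `window`,
    alert once their summed rows reach `threshold`. Returns {user: peak total}."""
    history = defaultdict(deque)
    alerts = {}
    for e in sorted(events, key=lambda ev: ev.ts):
        if e.dest in INTERNAL_DOMAINS:
            continue
        hist = history[e.user]
        hist.append(e)
        # Evict messages that have aged out of the sliding window.
        while hist and e.ts - hist[0].ts > window:
            hist.popleft()
        total = sum(h.rows for h in hist)
        if total >= threshold:
            alerts[e.user] = max(alerts.get(e.user, 0), total)
    return alerts


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("per-message alerts:", [(e.user, e.rows) for e in per_message_alerts(evs)])
    print("cumulative alerts: ", cumulative_alerts(evs))
```

On the constructed sample the per-message rule returns nothing, because no single external message reaches 100 rows, while the windowed rule flags `jdoe` at 125 rows over four days. The same shape of rule applies whether the channel is webmail or IM; the window length and threshold are the knobs you tune against your own baseline of legitimate external sharing.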
You could install software or hardware that limits your users – most of us have been confronted with the big hand or similar applications blocking us from access to a given site – though users tend to seek ways around such devices, and they certainly fire animosity toward IT in much the same way that cutting someone’s benefits fires ire against politicians. And as I said above, to quote my Mother: just because you can, doesn’t mean you should.
This is a problem that is going to continue to bedevil us for the foreseeable future. If you’re not going to block access to the Internet (and that would not be likely to fly in most non-national security roles), then you’re going to have to worry about what bed-bugs your users are bringing into the enterprise with their surfing and what they’re sending out. In these days of Internet espionage, it feels as if the need for a solution is more urgent, but there is no silver bullet at this time, just layers of protection.
So it would seem that we’ll do anything but what we all know is right. Guess we’re not that different than politicians after all.