IT Security in the Workplace

Nov 17, 2009 09:52

Ok so I am sure I am a bit biased given that my job is IT Security but this mindset drives me nuts.

Let me know your thoughts, I am really interested in an outside perspective.


It's a Free Country... ...So why can't I pick the technology I use in the office?

By NICK WINGFIELD
Does this sound familiar?

At the office, you've got a sluggish computer running aging software, and the email system routinely badgers you to delete messages after you blow through the storage limits set by your IT department. Searching your company's internal Web site feels like being teleported back to the pre-Google era of irrelevant search results.

At home, though, you zip into the 21st century. You've got a slick, late-model computer and an email account with seemingly inexhaustible storage space. And while Web search engines don't always figure out exactly what you're looking for, they're practically clairvoyant compared with your company intranet.

This is the double life many people lead: yesterday's technology for work, today's technology for everything else. The past decade has brought awesome innovations to the marketplace - Internet search, the iPhone, Twitter and so on - but consumers, not companies, embrace them first and with the most gusto.

Even more galling, especially to tech-savvy workers, is the nanny-state attitude of employers who block access to Web sites, lock down PCs so users can't install software and force employees to use clunky programs. Sure, IT departments had legitimate concerns in the past. Employees would blindly open emails from persons unknown or visit shady Web sites, bringing in malicious software that could crash the network. Then there were cost issues: It was a lot cheaper to get one-size-fits-all packages of middling hardware and software than to let people choose what they wanted.

But those arguments are getting weaker all the time. Companies now have an array of technologies at their disposal to give employees greater freedom without breaking the bank or laying out a welcome mat for hackers. "Virtual machine" software, for example, lets companies install a package of essential work software on a computer and wall it off from the rest of the system. So, employees can install personal programs on the machine with minimal interference with the work software.

Some forward-thinking companies are already giving employees more freedom to pick mobile phones, computers and applications for work - in some cases, they're even giving workers allowances to spend on outfitting themselves. The result, they've found, is more-productive employees. There's a reason professional chefs bring their own knives to work, rather than using a dull set of blades lying around the kitchen.

What Century Is This, Anyway?
For a look at how sharp the divide between work and home can be, consider my experience. The Wall Street Journal gives me a laptop with Windows XP, an operating system I found satisfying when it came out eight years ago but that lacks a lot of modern touches, like a speedy file-search function. My home computer, meanwhile, is a two-year-old iMac running the Leopard version of Apple's Macintosh operating system. Among other virtues, it's got a search function called Spotlight that lets me track down files in a flash.

Or take email. Please. There's a limit on how much email employees can store on the company's system, and I routinely bump into it. So, I need to spend time hunting through old notes in Microsoft Outlook and deciding what to keep and what to delete, or risk a shutdown of my account. I'm not the only one; a colleague told me she often receives messages with large attached files that overload her inbox while she's asleep. That means she can't receive any more mail until she gets into the office in the morning and cleans out her messages.

Limits like those are tough to swallow when you consider how generous free email services are. In nearly five years, for instance, I've used only about a quarter of the storage space in my personal Gmail account from Google Inc., despite almost never deleting messages. Furthermore, I can search for old Gmail messages almost instantaneously, while the search function in the email I use for work is painfully slow.

When they get fed up with work technologies, employees often become digital rogues, finding sneaky ways to use better tools that aren't sanctioned by the IT department. In my case, I've installed a search engine called Google Desktop that lets me quickly scour my hard drive for files, and a product by Xobni Corp. that does something similar for Outlook email, even though neither is approved by my IT department. And those programs have made a world of difference. In a simple test, it took Outlook two minutes to track down an email from a few months ago, based on a few search terms. Xobni found the message before I finished typing the words.

The Journal declined to comment on its policies. But even with the potential for productivity gains from newer technologies, it's tough for many enterprises to stomach the prohibitive costs of a companywide upgrade to the latest software and hardware, especially during the current economic downturn. Research firm Gartner Inc. estimates enterprises will cut technology purchases by 6.9% this year, which would be the biggest decline on record.

Furthermore, there are indirect costs connected with upgrades that give businesses an incentive to stick with battle-tested technologies, like the hassles of retraining workers and of dealing with buggy new products. In one example, many companies never bothered to upgrade to Microsoft's last version of its operating system, Windows Vista, in part because of technical issues with the software when it was first released.

Home-Field Advantage
It wasn't always this way. For years, the big breakthroughs in computing technology came in corporate IT departments and university computer labs. But that started to change as the cost of PCs plunged and they became fixtures in people's homes. Now consumers buy more PCs than businesses do - and the consumer market spurs the most interesting innovations.

Instant messaging reached the mainstream through America Online. Amazon.com Inc. used the technology behind its shopping site to become a pioneer in "cloud computing" - where businesses rent resources in Amazon data centers rather than running hardware and software on their own. Apple Inc.'s iPhone broke new ground in Web surfing and running applications on mobile phones.

The rise of the consumer market also means people have gotten a lot smarter when it comes to technology - and a lot less patient with substandard stuff at the office. Even with the weak economy, companies will find it harder to recruit savvy workers if they don't let them use their favored technology.

Some companies have decided the best solution is to start giving workers what they want. Until a couple of years ago, Kraft Foods Inc., the consumer-goods giant, had a rigid approach to workplace technology that was typical of many big companies: It locked down PCs so employees couldn't install software on their own, and it prevented them from accessing sites like YouTube and Facebook. When it came to hardware, Kraft offered a limited choice of smart phones and Windows PCs.

Executives began to worry that the company's technology policies were preventing employees from staying in step with trends. Kraft was a consumer company, they figured, so workers needed to be more familiar with the technologies that consumers were using, whether the iPhone or YouTube.

So, the IT department stopped blocking access to consumer Web sites, and the company started a stipend program for smart phones: Workers get an allowance every 18 months to buy a phone of their choosing. (Over 60% picked iPhones.) Kraft has also started a pilot program to let some of its employees pick their own computer. One catch: Employees who choose Macs are expected to solve technical problems by consulting an online discussion group at Kraft, rather than going through the help desk, which deals mainly with Windows users.

"The win for Kraft is employees are more productive if they use devices they're familiar with," says David Diedrich, vice president of information-systems technology, security and workplace services at Kraft.

A Brighter Tomorrow
The prospect of giving employees choice may be too frightening for some companies to contemplate, but there are ways of doing it without completely giving up control. Employers could require workers to sign agreements promising that they'll back up all their data and run the latest antivirus software and won't download pornography. Employers can also require workers to run all of their corporate applications inside a virtual machine on the computer, which seals company information off from everything else.

Still, financial-services companies, law firms and others may feel the need to maintain stricter control, for regulatory and legal reasons. Even some companies moving toward letting employees choose their own computers, like consumer-goods maker Unilever PLC, say the policy won't work for every employee inside a business. One reason: Many companies offering free choice ask workers to troubleshoot technical problems on their own, and some people simply aren't up to the task.

That said, many executives agree that change is in the air. Chris Turner, Unilever's chief technology officer, says the pressure to relax IT policies is bubbling up, especially from young employees. "They look at your standard corporate desktop and say, 'I can't work with that,' " Mr. Turner says. "If you can make it an attractive thing that they want to work with, that's a hugely powerful thing."


Apart from the internal politics the article itself contradicts itself and points out the very reasons corporate entities do block content - the legal issues in particular.

Many of the items noted are not blocked or controlled by us; those that are, are limited directly as a result of the company's legal obligation and liability. In case you want to reply to Jerry, the below covers most points;

Specifically;

Email storage - the comparison of work and home is not accurate as email use in work as a file transfer mechanism is not replicated on the home email account. This is an education issue more than IT, and any storage limitation on a mailbox is a local decision and not ours.
Search engines (for files, email and internal web sites): The use of Windows desktop search or other search engines is not prevented - in fact I use the Windows Search extensively. Again this is a local IT decision. The central web sites as you know use Google devices so this is not relevant.

Web site access: restrictions here are a result of a legal obligation the company has to reduce its liability. The company is liable for content downloaded, including software license issues and illegal content (and I have a recent example of the result of not doing that should it be required, with a letter from the BSA threatening a $250,000 fine for illegal software download), this issue is not related to consumer choice or otherwise, it is a legal obligation, and due in no small part to precedents set in the US legal system.
Email links to web sites: Despite the reader's comment and assumption that most are aware of the scams etc. that point a user at virus-infected sites, the fact remains that many still fall for it and there are several million infected web sites out there that will take advantage of any lack of patching or user permissions to infect, leading onto;

The general level of IT knowledge: Although there is a suggestion that the level of IT knowledge now is higher, the level of knowledge is still extremely low compared to the level at which the threat comes from. Take a survey of personnel and ask them who knows how DOWNAD works, how ports and protocols work, how permissions work etc. etc. The list goes on and demonstrates the differential between the average user and threat, and why there have to be controls and systems in place to mitigate that differential.
Virtual machines: The liability incurred by a company is not mitigated by using a VM on a machine if that machine is owned by the company.
Instant messaging is supported as are many other services listed in the article.
Smart phones: the support is limited by the features and functionality. With the iPhone in particular there are also legal issues with ownership and usage of media on company hardware, or, if personal, the use and storage of company confidential information on non-company hardware - again liability is the key here, and again in no small amount due to the US legal system making precedent.

At no point should security be counterproductive to work, with any and all resources required for the work flow made available. The use of Facebook, Twitter, pornography and other ‘entertainment’ could never be argued as increasing production in a work environment - if it is then there is a clear misinterpretation on my part as to what work is….

Regardless of the above, most systems do not allow the use of a VM or secured working environments on non-company machines (including SSL kits), so the use of a company secured and supported VM on a home user's laptop - so being secured from the underlying operating system and subject to all the security requirements like SC etc. etc. - is already supported. And if an office wanted to remove all desktop PCs, provide server services only and VMs, and use an open internet connection for all to SC from the VM machines into those servers then that meets the policy requirements.

On the other hand if a company can justify having personnel in the office, paying for their time and having no control over what they do or how they do it, then that raises considerably more questions about the management and operational efficiency of the company than the use of IT.