On Tech Republic's "The 6 Consumer Technologies that are Destroying IT" article...
By davew on Jan 21, 2008
A copy of this article arrived as part of our internal weekly e-newsletter the week before last (and yes, I have been that busy); I would provide a pointer to it, but for some reason I can't seem to find it on http://www.techrepublic.com/. Nonetheless, I believe it merits comment; I hope TechRepublic don't mind me quoting the article (with HTML blockquote tags) in full.
Consumerization: The IT Civil War

If this really is a war, I think it’s fair to say that IT is losing. Many users are circumventing IT by using widely available technologies such as Yahoo Messenger, Gmail, USB drives, and BlackBerry phones to help them accomplish their tasks at work. The practice is so common that The Wall Street Journal has even published an entire article aimed at helping business users circumvent their own IT departments. I wrote a diatribe about how irresponsible it was for WSJ to publish that article, but that does not diminish the fact that this is happening everywhere and IT has become virtually powerless to stop it.

Gartner Analyst Jeff Comport said, “There’s a reason people are trying to use this kind of technology and very often it’s to do their jobs better… We have IT very often coming from a world of budgets, controls, and projects, and they have spent their lives keeping this kind of stuff out.” As a result, “It’s almost become a sport for users to vilify IT,” said Comport.

Let’s take a look at the six consumer technologies that are causing IT the most trouble and then consider what IT can do to turn around a situation that is quickly going from bad to worse in many places.

6. Instant messaging software

Whether it is Yahoo Messenger, Windows Live Messenger, AOL Instant Messenger, Skype, Google Talk, or a variety of other IM clients, the fact is that instant messaging has spread to the point that as many as 20% of business users or more are now running it at work. Those are U.S. stats. The percentage is higher in Asia and far higher among younger workers everywhere. Users typically install the software themselves, often against IT policy. Most of the IM clients send data unencrypted so even two workers in the same company and on the same network can end up sending corporate secrets out onto the Internet for any hacker to sniff.
There’s also the issue of IM file transfers that can introduce files that have not been scanned by antivirus software. However, IM can also be a good thing. It can relieve e-mail inboxes from worthless chatter and it can help users quickly locate colleagues to solve timely problems. And there are enterprise options from Skype, Microsoft, and others that are making IM much easier for IT to regulate and standardize.

I also believe IM is A Good Thing; I use it myself, on a regular basis (invariably with OTR, when discussing interesting security things with colleagues, even when such discussions are over our internal network).
Granted, IM can be a double-edged sword; having both internal and external contacts available through the same IM interface is a security risk: it's all too easy to paste something into a chat session with someone outside the company which should instead have been pasted to somewhere inside it. Here's where Trusted Extensions ("TX") comes into its own. Even if, as an organisation, you're not up for a major data classification exercise, you could nonetheless have just two labels (call them PUBLIC and INTERNAL, or EXTERNAL and INTERNAL; it makes no difference) such that INTERNAL strictly dominates EXTERNAL (or PUBLIC). If you then, as the norm, run an internal IM instance for internal contacts and an external one for external contacts, and grant users in /etc/user_attr the authorization to cut and paste data "upwards" in sensitivity (solaris.label.win.upgrade) but not the one to move it "downwards" (solaris.label.win.downgrade), then they can still bring data in from the world at large, but data inside the organisation stays there. Where internal communications prompt the need to look for something out in the world at large, Glenn Faden has an elegant solution prototyped.
For folk who have a legitimate need to move data from INTERNAL to PUBLIC (a corporate press officer would need to do this as part of the process of making a press release, for example), a role could be created in RBAC such that the officer would assume the role,
5. Personal smartphones Now that BlackBerry phones, Palm Treos, and Windows-based phones are priced as low as $200 by many of the big cellular carriers, lots of users who don’t have a spiffy company smartphone are just going out and buying one of their own. Many of them have figured out how to forward their business e-mail to their personal smartphones, which opens up a ton of privacy, regulatory, and security issues. There are secure ways for IT departments to handle this. Turning a blind eye or trying to block it are not valid options.
Owing to BlackBerry's data propagation mechanism (via RIM, with a state machine such that a man-in-the-middle attack could be perpetrated), their use is rightly prohibited within Sun.
TX comes into its own here, too; as the INTERNAL-labelled network isn't connected to the Internet, from its perspective forwarding email from it to smartphones is going to be "very much less than straightforward" :-). For email on the PUBLIC network, forwarding to mobile devices is a technology which could potentially be embraced within both policy and practice.
Of course, the world is not usually this straightforward and may require some finessing of the labelling scheme; PARTNER and (potentially) CUSTOMER could be inserted as labels between PUBLIC and INTERNAL, such that data associated with those classes of organisation may be forwarded where policy permits.
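As an added illustration (mine, not code from the original post and not anything shipped with Solaris), here is a toy model of the label policy sketched above: dominance between labels, the "paste upwards but not downwards" rule for ordinary users, a press-officer role that additionally holds the downgrade authorization, and PARTNER/CUSTOMER slotted in between PUBLIC and INTERNAL. The relative order of PARTNER and CUSTOMER, the authorization strings (in the style of the solaris.label.win.* names) and the compartment example are assumptions; it also goes one step beyond the post's purely linear scheme by allowing non-hierarchical compartments, which is what makes two labels incomparable. A real TX system enforces this in the window system, not in application code like this.

```python
# Added illustration, not code from the original post or from Solaris.
# Label order below PUBLIC < INTERNAL and the authorization strings are
# assumptions chosen for the example.
from dataclasses import dataclass

# Hierarchical classifications, lowest to highest. The post fixes only
# PUBLIC < INTERNAL; placing PARTNER below CUSTOMER is one possible ordering.
CLASSIFICATIONS = ["PUBLIC", "PARTNER", "CUSTOMER", "INTERNAL"]

# Authorization names in the style of the solaris.label.win.* authorizations.
UPGRADE = "solaris.label.win.upgrade"
DOWNGRADE = "solaris.label.win.downgrade"


@dataclass(frozen=True)
class Label:
    classification: str
    # Optional non-hierarchical compartments (e.g. {"HR"}); a generalisation
    # beyond the purely linear scheme in the post.
    compartments: frozenset = frozenset()

    def dominates(self, other):
        """True if self is at least as sensitive as other: a classification at
        least as high AND a superset of other's compartments."""
        return (CLASSIFICATIONS.index(self.classification)
                >= CLASSIFICATIONS.index(other.classification)
                and self.compartments >= other.compartments)


def paste_allowed(src, dst, auths):
    """Decide whether a selection made at label src may be pasted into a
    window at label dst by a user holding authorizations auths.

    Same label: always.  Strictly upwards (dst dominates src): needs UPGRADE.
    Strictly downwards (src dominates dst): needs DOWNGRADE.  Incomparable
    labels (e.g. different compartments at the same classification): never,
    since the move is neither a pure upgrade nor a pure downgrade.
    """
    if src == dst:
        return True
    if dst.dominates(src):
        return UPGRADE in auths
    if src.dominates(dst):
        return DOWNGRADE in auths
    return False


# Two profiles, as the post suggests: everybody may move data "upwards"
# only, and a press-officer role additionally holds the downgrade auth.
ORDINARY_USER = frozenset({UPGRADE})
PRESS_OFFICER_ROLE = frozenset({UPGRADE, DOWNGRADE})


def policy_table(auths):
    """Return {(src, dst): allowed} for every pair of the linear labels,
    handy for eyeballing what a set of authorizations actually permits."""
    labels = [Label(c) for c in CLASSIFICATIONS]
    return {(s.classification, d.classification): paste_allowed(s, d, auths)
            for s in labels for d in labels}


if __name__ == "__main__":
    for name, auths in (("ordinary user", ORDINARY_USER),
                        ("press officer role", PRESS_OFFICER_ROLE)):
        print(name)
        for (s, d), ok in sorted(policy_table(auths).items()):
            print(f"  {s:>8} -> {d:<8} {'allow' if ok else 'deny'}")
```

Run it and the ordinary-user table shows exactly the diagonal plus the upper triangle (ten of sixteen pairs) permitted, while the press-officer role gets all sixteen; the two compartmented INTERNAL labels are refused in both directions whatever authorizations are held, which is the property you want from a lattice rather than a simple ladder.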
4. BitTorrent and P2P Transferring big files is very difficult for most users. E-mail policies usually restrict it. FTP is too slow and often too difficult to configure (and sometimes even blocked by firewalls). IM clients are clunky and often fail at file transfers (usually blocked by firewalls). That’s why some users will turn to P2P programs such as BitTorrent, because they are much more effective. Unfortunately, these programs can also have a lot of baggage since they are regularly used for hosting and transferring illegal music and video files. That doesn’t mean IT should necessarily abandon P2P software altogether. It can often prove extremely useful and efficient. For example, Collanos software can be used for sharing and collaborating on documents between various users in a team or workgroup.
I've had the "email thresholds too low, ftp (and sftp, as part of ssh) blocked, IM file xfer fail" issue before now, and my normal approach in these circumstances is either to use split to divide data into small enough chunks that they can be emailed as several parts, or to burn stuff to CDs and either put them in the post, or take them to the customer by hand.
If folk need to transfer stuff which takes more than 5 such emails, then they either have an overly Draconian email policy, or excessively low bandwidth or absolute transfer size limits from their network service provider.
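As an added example (mine, not the post's), here is the split-into-mailable-pieces workaround with the thing a practitioner would want on top of plain split(1): a manifest of SHA-256 digests, so the recipient can tell whether a part is missing, out of order or mangled before trusting the reassembled file. The chunk size, file names and the sample data are constructed for the example.

```python
# Added illustration, not code from the original post. File names, the
# chunk size and the sample data in demo() are constructed for the example.
import hashlib
import os
import shutil
import tempfile


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(65536), b""):
            h.update(block)
    return h.hexdigest()


def chunk_for_email(path, chunk_size, outdir):
    """Split `path` into numbered parts of at most chunk_size bytes, each
    small enough to mail, and write `<name>.manifest` beside them listing
    the digest of the whole file and of every part. Returns the part paths.
    Manifest fields are space-separated, so part names must not contain
    spaces; they are generated here, so they don't."""
    os.makedirs(outdir, exist_ok=True)
    name = os.path.basename(path)
    parts = []
    with open(path, "rb") as src:
        for idx, data in enumerate(iter(lambda: src.read(chunk_size), b"")):
            part = os.path.join(outdir, f"{name}.part{idx:03d}")
            with open(part, "wb") as out:
                out.write(data)
            parts.append(part)
    with open(os.path.join(outdir, name + ".manifest"), "w") as m:
        m.write(f"whole {sha256_file(path)} {name}\n")
        for p in parts:
            m.write(f"part {sha256_file(p)} {os.path.basename(p)}\n")
    return parts


def reassemble(manifest_path, out_path):
    """Concatenate the parts named in the manifest, in manifest order, after
    checking each part's digest, then check the whole-file digest. Raises
    ValueError on a missing, corrupt or misplaced part."""
    d = os.path.dirname(manifest_path)
    whole = None
    with open(manifest_path) as m, open(out_path, "wb") as out:
        for line in m:
            kind, digest, fname = line.split()
            if kind == "whole":
                whole = digest
                continue
            p = os.path.join(d, fname)
            if not os.path.exists(p):
                raise ValueError(f"missing part {fname}")
            if sha256_file(p) != digest:
                raise ValueError(f"corrupt part {fname}")
            with open(p, "rb") as f:
                shutil.copyfileobj(f, out)
    if whole is None or sha256_file(out_path) != whole:
        raise ValueError("whole-file digest mismatch")
    return out_path


def demo():
    """Round-trip a constructed 100096-byte file in 30000-byte parts, then
    tamper with one part and confirm reassemble() rejects it."""
    tmp = tempfile.mkdtemp()
    try:
        big = os.path.join(tmp, "big.bin")
        with open(big, "wb") as f:
            f.write(bytes(range(256)) * 391)      # constructed sample data
        parts = chunk_for_email(big, 30000, os.path.join(tmp, "out"))
        manifest = os.path.join(tmp, "out", "big.bin.manifest")
        rebuilt = reassemble(manifest, os.path.join(tmp, "rebuilt.bin"))
        intact = sha256_file(rebuilt) == sha256_file(big)
        with open(parts[1], "ab") as f:          # tamper with the second part
            f.write(b"x")
        try:
            reassemble(manifest, os.path.join(tmp, "rebuilt2.bin"))
            tamper_detected = False
        except ValueError:
            tamper_detected = True
        return {"parts": len(parts), "intact": intact,
                "tamper_detected": tamper_detected}
    finally:
        shutil.rmtree(tmp)


if __name__ == "__main__":
    print(demo())
```

The manifest travels with the first part; a recipient who gets the parts in the wrong order or with one missing finds out at reassembly rather than from a silently broken archive. Note that digests only give you integrity against accident: for sensitive material the parts still want encrypting before they go anywhere near an email gateway.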
Of course, TX also prevents folk sharing stuff via these mechanisms that they shouldn't :-).
3. Web mail with GB of storage Another method that users often employ to transfer large company files is with a consumer e-mail account, such as Gmail, Yahoo Mail, and Hotmail, which all have much larger storage capacity and allow larger file attachments than most corporate mail accounts. The problem is that not only are these systems far less secure than corporate mail servers, but many of them thoroughly index messages and files and so sensitive corporate data transferred through these mail systems can get spread throughout lots of different servers and search indexes. New Windows storage technologies that do not save multiple copies of the same file can help IT deal with the e-mail storage issue and allow IT administrators to expand storage limits for users. There are also new Exchange plug-ins, such as Mimosa, that offload all attachments from messages and store them separately to streamline inboxes and allow IT to increase quotas.
Hear, hear, TechRepublic; if you haven't already seen my pal Alec's recent talk incorporating his thoughts on this and other subjects, it's worth a watch. For folk in my position, who find it useful to be able to make VMware images of Solaris with Trusted Extensions configured available for internal download, a home directory of anything less than 20 gigabytes just doesn't cut it.
Also, for what it's worth, our messaging server hasn't been saving multiple copies of the same file, for as long as I can remember; it looks like Exchange just hit on something we've been doing for nigh on a decade ;-).
Naturally, TX will stop people putting internal stuff on external systems, as above...
2. Rogue wireless access points It’s a wireless world in home networking now. Users who see how easy it is to connect a router to their DSL or cable modem and roam the house wonder why they can’t just do the same thing when they take their laptop from their cubicle to the conference room. If the company doesn’t offer wireless LAN access in their office, many of them just get sub-$100 wireless access points, plug into their Ethernet jack at work, and start roaming the building. Of course, if their desk is at the window next to the parking lot, they don’t realize that they just provided anyone who drives up with a free Internet connection and easy access to the corporate network. IT departments can follow best practices (see TechRepublic’s ultimate guide to enterprise wireless LAN security) to establish their own secure wireless LAN, or they can use products like Xirrus to simplify secure wireless deployments. They can also educate users and use intrusion prevention software to scan for rogue access points.
Not in my home, it isn't.
The best way to do campus / office wireless is to provide encrypted access direct to the Internet; if folk need to access the intranet they can VPN back in (ensure the VPN keys live only in the INTERNAL keystore). Encryption, even something as trivial to crack as WEP, can at least inconvenience a Bad Guy and ensures that anyone who busts in for general access actually is provably a Bad Guy, rather than someone who merely wandered onto an open network.
Of course, the best way to prevent rogue access points springing up, is to install sufficient non-rogue ones that the users feel no need to install access points of their own :-).
1. USB flash drives Portable storage is nothing new. Twenty years ago, users were carrying around floppy discs full of files. However, the size of those old floppy discs limited the amount of data that users could take out of the company. Today, with 4-GB USB flash drives costing $40 or less (and flash drives as large as 64 GB now on the market), users can copy all of their My Documents files to a flash drive and walk out the door with them. Or a user could copy a huge chunk of a file server and walk out with it on an unencrypted USB drive.
As a Geek Of A Certain Age, I consider personal email and occasional personal web browsing (news.bbc.co.uk, various security sites and blogs, occasional oddities), via the corporate network to be "perks of the job". Having a nice hosted blog is a perk, too.
If Alec (and the originator of this idea, JP Rangaswami) are to be believed, the geeks who are entering the job market now will consider it a perk of the job to be able to plug their iPods into their office desktops and fire up iTunes. In fact, if they can't do this, it's reckoned they'll be reluctant to work for you.
So, let them, at PUBLIC. In fact, ensure that there's a little bit of infrastructure at PUBLIC for them to get to and run iTunes on, to use as a temporary file springboard for getting stuff to Flickr, and so on. Of course, it may be necessary to have this bit of infrastructure automagically rebuild itself from time to time, so ensure the users know to download stuff to their iPods etc. in safe time windows. Let them allocate USB sticks, digital cameras, etc. at PUBLIC (TX's device allocation lets you set the label range at which each device may be used), deny them the allocation at INTERNAL, and pragmatically, you're doing OK.
Users need to be able to easily transport their files in order to work from home or on the road, transfer documents to partners, etc. IT has to find ways to make it simple for users to do this while also protecting sensitive corporate data. For example, an IT department could educate users about flash drive security, provide encryption software for those who need to use flash drives, or simply provide company-sanctioned flash drives that are preconfigured with encryption and other security standards. The cost of the flash drives would be much cheaper than the legal fees and/or fines of dealing with customer data that slipped into the wrong hands.

Cue Flagstone and T10000 tape drives for really sensitive stuff (or large aggregations of notionally less sensitive stuff), and the likes of ZFS crypto and FileVault for more general day-to-day things.
What will come of all this?

Gartner Analyst Stephen Prentice said, “The critical thing to understand is that your employees are not doing any of these things … to be awkward. They’re not doing it because they’re trying to break security. They’re simply trying to get their job done… The approach has to be to not go in there and stop them from doing it. Go in there and find what constraint you have put in their way that’s forcing them to do something that is out of your control, and then fix your problem. If you gave people the option of using an in-house, secure, controlled environment that meets all of their needs, they simply aren’t going to have the need to go outside. If you fail to give them that — if you give them restrictions that are unreasonable or stop them doing their job effectively — then they will find another way.”

Gartner Fellow David Mitchell Smith added, “If rogue users start to see some flexibility on the part of the IT department — some genuine interest in wanting to provide what they need — they may be more open to go to them first and say ‘Can you help us provide this,’ as opposed to just going out and doing it. [They could] be part of the solution, instead of part of the problem. But long term, there’s this unstoppable force which is demographics. New people are coming into the workforce, in IT and in non-IT functions, and they are becoming more open-minded and having more and more of an impact. Over time it’s pretty inevitable that the trend is moving toward the more open way of doing things. It’s just a matter of how long it takes and how well it fits into the culture of each organization.”

Ultimately, this “civil war” is merely a sign of two larger problems that IT must address:

1.) There are a lot of IT departments that have policies and attitudes that are stuck in a time warp. The procedures that allowed IT to deploy important technologies while protecting users from themselves are no longer valid in a world where individual users often have newer and more advanced technologies in their homes than the IT department has in the office. IT is now entering into more of a partnership with users, and policies and attitudes need to reflect that.

2.) There’s a general disconnect and lack of constructive communications between many IT departments and their users. IT departments need to view themselves as customer service organizations, with their users being their primary customers. IT departments have got to lose their paternalistic approach to users and focus their efforts around serving users and enabling them to become more productive. The IT departments that make these changes will thrive. The ones that don’t will see their role within the organization diminished and become prime targets for outsourcing.
This isn't the first place I've seen this - Alec hit it first, AFAIK - but it's worth commenting on.