Wednesday, June 29, 2011

Starting with the elephant in the room: User rights


It seems we should start with the great elephant in the living room: user rights. I have done work in literally hundreds of organizations, from 50 nodes out to 550,000 nodes, in the last 14 years. The arguments both in favor of and against varying degrees of user rights are consistent. They are also crap.
For each case of a user screaming that they need administrative rights to something where the use is legitimate, there are twenty who just want the rights because they have always had them. We as administrators know this to be true but don't want to have the political battle. It is easier to grant exceptions and rights.
Paradoxically, the number of security technologies we deploy that are bizarrely draconian and don't really address the issue is quite large. Many instances of NAC, DLP and HIPS are like this. We lock down the things that don't matter and leave the barn door open.
Individual data resource users are like people voting for speed limits in the neighborhood they live in. They want everyone else to obey the rules, but somehow each user feels they are the exception, the one who "knows better" and will be fine if they speed. This is identical to the logic behind installing iTunes or Angry Birds on a work PC.
We as the managers of the information kingdom have been guilty of not toeing the line, again and again, on our own security policies. In virtually every organization I have ever been in, small companies and large, we are making exceptions to every policy for squeaky-wheel users before the ink is dry on the new policy. I am sure all of us have seen the virus outbreak or the penetration that "just got in somehow," and after an expensive and disruptive cleanup we still do not tighten up the policies, as it is a political hotbed and a difficult piece of administration.
An aggravating factor is the disappearance of the gateway. There are tens of millions of smart phones out there with tethering or similar; everyone has their own private internet access point if we make things too tough. If we, as IT security, make things too difficult for users to do what each user considers reasonable, they will hack around us. Android and Apple have made it all so easy.
We are in the brave new year 2011. The soft cost of a breach can be enough to end a company. We have all seen it happen.
We must start treating our IT resources with the respect we give our buildings. No sane facilities administrator would throw open the doors on Super Bowl Sunday for the employees to have a party. We trust them because they are our employees, right? No facilities administrator would want to be cleaning the guacamole off the ceiling.
We do not need to be the hated PC Nazis to be secure, but we do need to stop kidding ourselves. Using technology like application whitelisting or VDI we can strike a balance: allow users to install certified apps, or allow installs on a host PC but not on a VDI desktop or ACE.

The problem with user rights is that it is not about rights at all. It is about users feeling comfortable with the way we have made them secure. It is a neat balancing act, but a very achievable one if we have the vision and focus to do so.

This leads to the next topic: how we are killing ourselves by applying old processes to new products and information systems, and are the root of our own issues... But that is for next time.