Slashdot Mirror
Don't Network Administrators Require Privacy?
An anonymous reader writes to tell us that Recently their company has decided to move the IT staff out of their offices to make room for the Service Department. The move has placed the IT staff in cubicles that all face inward and lack, obviously, the ability to lock their doors at night. This is, to them, an obvious breach in security and privacy for what may be sensitive network information. Have any other Slashdot readers dealt with this sort of problem before? If so, what specific information was best suited to rectify these security concerns?
Quit trying to make up bogus reasons as to why you don't want to be in a cube and just tell your boss, "I don't want to be in a cube." If it's a dealbreaker for you, resign. Next they'll be moving you down into the basement and taking away your red stapler.
The obvious answer is simply to wage war against any other units in the business that oppose your using that private space, or plans for world domination for instance. I saw it in a dilbert comic once, they have never steered me wrong before.
Happy Noodle Boy says "F###ing doughnut! Mock me? You fried cyclops!!"
We ran into a similar issue at work. Our argument to keep our locked office was that since we have access to all the files on the network, under the HIPPA laws we're required to keep our workstations in a secured area like HR since confidential employee information could potentially be displayed on our screens. Don't know if it's true or not, but it let us keep our office.
Where I am now til the buildout was finished for our offices (cubes in a lockable room), my desk was at the end of a hallway in a little nook area across from the CFO's office. I got really sick of being mistaken for his secretary, and I had to have my workstation lock after a minute of idle time because it was so public. Blech.
So, poster, it could ALWAYS be worse.
If you behave well, i.e. no sensitive information on your workstation (it shouldn't be there), and lock or turn off your workstation, the danger is a large as having any active network port accesible.
This sounds like a flimsy excuse to ask for a private office. If your network administrator needs to work in a locked room all day, your network is not secure enough!
Passwords should not be found on post-it notes stuck to your monitor, nor should they be saved on your computer, anywhere. Don't keep them in text files, emails, IM history, cookies, etc. Passwords should be memorized or written down in your wallet, or better yet, your company should implement a security token system and do away with static passwords. Any sensitive data which has to be stored should be encrypted. Any workstations or servers at your desk should be locked when you walk away.
Shoulder-surfing for passwords is extremely hard. Try it sometime: at 80 WPM or more, it's virtually impossible to follow and remember every keystroke, especially while trying to be inconspicuous. As for keyloggers, server theft and more serious security breaches, these should be dealt with proactively at a lower level. Screen potential employees carefully, and keep security cameras rolling throughout the office to discourage suspicious behavior.
domain combinatorics
Seriously, boo hoo. I don't mean to be a jerk, but BFD. Virtually every cubicle I've ever seen has drawers and cabinets that lock, and if you're a network admin you probably have a laptop anyways right? If you read your disaster recovery or even security plan (if you've got one) you'll probably find that all staff who have laptops are supposed to bring them home.
Could someone look over your shoulder? I guess... but there are people out there (like say, me, or employees at any other benefits outsourcing company) that have access to literally thousands or even millions of people's date of birth, SSN, etc etc. We get along just fine, so will you.
I mean, sucks you lost your office... I remember mine, it was nice.
Actuaries - making accountants look interesting since 1949
Where I work we have the same situation. However all of IT (security, network and so on) is in the same office area. In order to secure the area they just put up a wall and secure card access. That way the only people in there are the IT people. If you can't trust your IT staff, than they don't have any business being your IT staff. That way the risk is still there, but you don't have anyone other than IT in the area to begin with.
That's all it takes to secure it, provided your building is reasonably secure... as I would *hope* that anything that required locks and not just passwords would be in a secure data center elsewhere. I guess you could request a safe or something if cabinents were insufficent.
It seems like the larger issue is being evicted for the "Service Department". They're the ones that should be in cubes, but that's another story.
I happen to be a network admin who sits out in the open.
It's not that big of a deal, but I guess I don't sit there looking at confidential passwords all day long!
I do, however, always lock my computer when I get up (xscreensaver...ctrlaltdel). That seems sufficient to me.
Oh! And I don't leave sensitive information sitting out on my desk, either.
Everything I need to know about copyrights I learned from Slashdot.
Bullshit. Once you have physical access to the PC you can compromise it.
"sensitive network information."
Uhuh. Would this sensitive network information be the log of all those websites you network admins visited last month, and that copy of Quake 4 you installed on the Company Mail Server?
Just because you guys are the only ones who have access to the firewall logs doesn't mean we don't know what you get up to.
Draw up a budget proposal for whatever locking file cabinets, secure equipment cabinets, Kensington locks (better than nothing...) and desktop security software that you'll need to ensure the security and functionality of your information systems. Keep in mind that this includes not only malicious snoopers but also cleaning staff that snag cables with their vacuum cleaners, and take whatever precautions are necessary.
Be thorough, but don't make stuff up. Don't make it a turf war, just make it clear that you're working to protect the systems that you're responsible.
Come up with this proposal, and an estimate of the costs, and request that Accounting begin soliciting bids from vendors. And then lightly suggest that this would not be necessary if you could have good locking offices.
Keep in mind, though, that private offices are only effective if they are truly private. If they're not always proerly locked, or if too many people have the keys, then you'll be the worst kind of office hypocrite.
All our IT group works in one room. Out front there's desks for our students to filter incomming people and deal with low level requests. There's also a big workbench down one side for systems we are fiddling with. Then in the back there's two cube partitions that hold the 4 staff. Two desks per partition, facing each other.
Know what? I actually like it. We have almost no staff meetings and part of the reason is we are all there and can talk to each other as needed. In fact usually we work with at least one headphone off so we can hear what's going on and stay informed. If someone is doing something that needs a lot of concentration, headphones go on and they get left alone.
It works really well, and means there's one central location people go to for computer support.
As for privacy, from what? Anything remotely private isn't in my desk, it's on my computer. Well, we all have root so we can all get in to each other's shit if we want. The room itself locks to keep others out at night, of course, but as for my coworkers, well if I can't trust them to not mess with my stuff, they probably shouldn't be employed anyhow. Any of us could, if we wanted, wreak massive havok having the root password to all servers, the enable password to all switches, etc.
Sounds like just so much whining to me.
Whether or not this is correct, you should organize a demonstration of how easy it is to:
Of course, invite everyone who is someone in the company to this demo, including people like the CEO and CFO. In short, people who care about data security.
And whatever you do, keep a paper trail, by sending emails to the power-that-be, keeping a paper copy, and be as courteous and professional as can be, while being firm that this situation is unnaceptable. Please remember that these are probably not technical people. But they will understand that some data should stay inside...
Just my 0.02 US$ here of course, IANAL, but I am a sysadmin.
The right to offend is far more important than the right not to be offended. (Rowan Atkinson)
But now they really can't paste the company passwords on their monitors.
[Unfortunately, not entirely a joke. It seemed to have poisoned our department relations with IT when I once visited the server room and I questioned why our server and Oracle database passwords were sitting next to our server.]
I guess I'm naive too. I don't see where this should be so difficult with server room security, desk locks and some hardware security: hardware lock-down, no cd boot, BIOS password. If the janitor is going to remove your hard drive or jimmy your desk lock, you probably do need a better overall corporate security plan.
The "secure your computer" idea is obvious enough. There are other subtle problems though.
The "looking over your shoulder" problem is more difficult to deal with than you might think. More than once I've had issues with users stalking up behind me and reading my screen before I even knew they were there. (the really rude ones ask questions about what they've read) I could be doing any number of sensitive things - sending someone an email discussing the layoffs that are scheduled for next week, chatting with someone sending them their new account password, drafting a memo to someone outlining new security policy... posting the new router passwords on a secure filestore... any of these and more could be serious breaches of security and privacy if observed by the wrong people, and as another poster mentioned, could violate state or federal laws.
It's really a design problem to set up a cubicle where the user faces away from their door. For one, they can either look at their visitor OR their computer, but not both. I always prefer looking at my monitor, and then off to its side to see my guest. This also allows me to look up information for them without having to turn my back on them. Intelligent cubicle design has the desk on the left or right of the doorway, not opposite it. If your desk is opposite your cubicle doorway, tell your HR to get a clue. The best cubicle design is of course to have to walk around your desk and sit down, facing the doorway as well as your monitor, but I'll recognize that not every company has the space or the funds for such large cubicles.
As for physical security, that's another matter in itself. The best design is of course to have every computer imaged identically, with network login and home folder, and to allow no one to store their own information on the local hard drive. This seldom goes completely followed, and all sorts of things wind up on the local drives. Besides being a backup risk, anyone with physical access when you are away from your cubicle can rummage through your hard drive. Some I.T. are paranoid even of the nighttime janitors and clean the I.T. room themselves so they don't have to give out another key. But for that I'd say if you don't have janitorial staff you can trust at least that much, you need to find new janitors.
And of course if the fileserver is in your cubicle with you, that opens up a whole new can of worms. (and if not, why is your office away from the server room?) On that note I will say one thing I am against... leaving the server with an account logged in on it. I see that where I work sometimes, and it bothers me. I like that extra layer of security on top of physical security, and knowing someone with a key can play with the server is not my idea of a Good Thing(tm).
I work for the Department of Redundancy Department.
We will revolt and without us the worlds infrastructure will collapse!!!
We will revolt until our spouses scream "Go out and get a damned job already you lazy, good for nothing loser!"
This is not a dream, not a dream...we are transmitting from the year 1-9-9-9.
Again, on Dilberts advice... You should probably hum west side story and have a dance fight.
The Internet is full. Go Away!!!
"shit, some exec nicked my office and I was put in a cubicle instead"
Which actualy, I see as a legitimate complaint. An office has a certain kudos, so being forced out does mean an effective (albeit small) demotion. Maybe not a major deal, but certainly something that would justify complaint.
Andy Grove had a cube too. Quit yer bitching.
sulli
RTFJ.
This is a political argument, and you already lost. Ho hum.
I have no such problem, since, as sysadmin, I am the only person in our office who can work Visio, and consequently I am the person who draws all the floor plans when we rearrange the office.
~~~~~ BigLig2? You mean there's another one of me?
1. Don't write down passwords.
2. Lock up sensetive information.
3. Have a wild cougar patrol the datacenter at night.
I have a utility on a floppy disk that allows you to reset the admin password on any Windows box. A google search, 1 floppy disk and 10 minutes of physical access to a PC is all someone needs to rape a Windows box.
Death is lighter than a feather, Duty heavier than a mountain.
More than once I've had issues with users stalking up behind me and reading my screen before I even knew they were there.
Get a privacy screen for the monitor. They blur the screen to anyone more than a foot or so away from the monitor and they work. Drives me nuts to work on a computer with one on it because if I move my head to far I think I'm having eye problems.
I'm a Network Administrator for a very large corporation and I found myself in the very same situation.
I had my own private office, however a request was made by Human Resources for the construction of new offices for their own use. Rather than the $10,000 price tag, I _requested_ that I transfer out to the cubicles on our main floor. Basically, it was a decision I made for the benefit of the company.
I find that no one really _needs_ private offices, unless they participate in confidential conversations. HR, for example. But really, couldn't offices or boardrooms be booked for those type of activities?
Once I was out on the floor, it was very simple to establish security. My main system was placed in a physically secured location (data centre) and I remotely accessed the PC via secure connection.
You have to understand that nothing is really secure. I ran it like a bank - it could be hacked, but I wanted to catch the person afterwords. Everything on the remote PC and local PC was logged and I also trained security cameras (inexpensive purchase for a 2 week DVR) on their locations.
Also, you can install privacy screens on the front of your monitor so that only the person sitting directly in front of it can see the desktop. They also help with glare.
I find it much more enjoyable with the rest of the team now. Having a private office can be rather lonely for managers sometimes.
I'll go ahead and give you a little.
I'm a network admin and not only am I part of the small percentage in our company that has an office, I'm part of an even smaller percentage that has a locking door. For me, it might not be completely necessary but it's desired for 3 reasons:
1) Work space - At any one time I might be working on 2 or 3 laptops and desktops while loading a server or configuring a router, etc. I need the space to set it all up. I have a counter top that runs along 2.5 walls of my office and a long table on the blank wall and it's all often occupied. My office doubles as my shop/lab.
2) Security - I have stacks of laptops, hard drives, routers, switches, etc. stored in my office and with our growth, more coming in every day. It's not that someone couldn't steal this stuff from elsewhere in our facilies, it's just that it's much easier to get to in my office. No unplugging, unbolting, etc. Just grab a stack of laptops and go. I've seen cabinets mentioned in other posts but I have too much stuff going on and if I was in one of our cubes I'd be lucky to fit 1 cabinet.
3) Peace and quiet - Between the useless chatter, relentless phone calls, streaming music and other noises, I can hardly hear myself think out there (cube world). Not to mention the drive through questions. Everybody and their little brother feels the need to stop by my office and ask a question on their way by. I don't mind it all the time. In fact I'm quite sociable, open and helpful but when I'm troubleshooting a tough problem or working on a project I just don't like to be disturbed. I generally deal with user issues in the morning and work on projects in the afternoon and evening. After lunch, when I close my door, everyone knows not to come knockin unless their problem is preventing them from completing their work.
That's my 47 cents.
MG
Bullshit. Once you have physical access to the PC you can compromise it.
."
Actually, with almost almost any type of access to a PC you can compromise it.
That's something that good network administrators acknowledge and deal with.
If a network administrator is unable to secure his own box relatively well (no network PC is ever 100% secure), why the %^&* would I trust him to secure a network? A good first defense barrier for an administrative PC in a cubicle environment is to flag those cubicles with a warning " With the exception of PHB's X, Y, and Z, anyone found in this cubicle when the employee who uses it is absent will be TERMINATED
This is not a dream, not a dream...we are transmitting from the year 1-9-9-9.
I'm much more concerned about a network admin that flaunts sensitive information as a rebuttal because he doesn't want to be moved into a cubicle, than I am about network information hidden by a cubicle wall rather than a more classical solid version of a wall. Your "bricks-and-mortar" walls are redundant in a virtual world, and so are the more limited cubicle versions. Simple suggestion: lock or log-off your terminal and turn the screen away from the cubicle opening. Now how tough was that? .... oh, the problem is you're still in a cubicle? Well most of the people around you are too; start a self-help group with the other people if it bothers you. This article isn't about security ... it's about cubicles and a whiner for crying out loud!
ROT-13 isn't secure enough these days given the massive ammount of computing power at everyones fingertips. Double or even quad ROT-13 encoding is usually enough these days.
Don't anthropomorphize computers, they don't like it.
1) Find the CFO's home directory.
2) Open up the salaries Excel doc.
3) Scroll to the execs - most likely at the top anyway.
4) Set your screensaver firmly to the off position.
5) Get permission from your boss to leave early.
Do NOT think that those locks are security in anything but name. They exist solely to satisfy insurance companies that you "lock" things up.
Actually, that's not why those cheap locks exist. They are there so that people don't have to put up "don't open this even if you're just looking for a stapler" notices all over the place.
The common bathroom lock is a good example. It's easily bypassed because it's not there to seriously defend the bathroom. It's there as a "this is off-limits for the time being" notice.
This is not a dream, not a dream...we are transmitting from the year 1-9-9-9.
Privacy is important to any real network admin / computer support person. Not only do we often has information up on our monitors that would compromise security if it was viewed by others, many of the phone conversations involved in resolving problems also contain information that may be sensitive. Someone close to my desk could pick up IP address, Router information, Type, model and OS version on our firewalls. For instance, we had a video conference with our manager on Friday regarding the implementation of the patches to our Cisco routers and whether it had to be done this weekend. He asked for the router passwords over the phone...his opinion is that EMail is unsafe. Then there is the other type of work we do. For example, I was working on a report last week that basically involved some deep data mining of our health plan over the last five years. The benefits person, a sweet young thing of 55 going on 2000 was asking me how to take the data and apply various scenarios to it - such as increasing the employee contributions, reducing maximum payouts and removing some coverages. Its obvious from our conversation and from the data that cuts are going to be made. This sort of stuff is not something management wants to be public. Wednesday, I had to recover about 100 EMails for our Human Resources person. Some of them included questions about Employee evaluations. Some companies may not ever have their Net Admins talk on the phone or use their monitors to work on but we sure do.
It could be far worse....just be happy they didn't hire someone in New Delhi to administer your servers.
"Weapons should be hardy rather than decorative" - Miyamoto Musashi
I think that goes for OS's too
You are asking about privacy, not about the limited access of specific company-owned information.
You are NOT entitled to privacy in the workplace. You are entitled to limit access to your work materials to those employees that have the need to know.
Two completely different concepts.
You can run IT from a cubicle, there is nothing terrible about that. If you are going to type in a password, look over your shoulder and make sure nobody is watching you. Access to the machine itself is no issue since you are not going to put your servers in your own office, they go to their own room. If you were running all the servers from your office then you are not as smart as you think you are.
Regardless of server OS, you can manage it from anywhere, there is no need to be sitting in front of the damn machine.
As for privacy, when you signed your offer letter and you agreed to follow company guidelines, you pretty much signed away any hope of privacy in the workplace. The boss can listen to your phone calls, can read your mail and read your paperwork. Yes, your boss can read your personal email if you are trying to read it from your workstation at the office. It is the company's computer and you are using the company's resources for personal reasons.
Now, say you are a programmer or a DBA, then you need a bit more shielding from prying eyes. But the plain IT folks? Nah, they can sit outside like everyone else.
Pedro
----
The Insomniac Coder
if you've got cube-space (some do, some don't), consider rearranging so the monitor faces away from the entryway. Those sneaky users might be be able to evade your headphone/carpet-obscured hearing, but they damned sure won't get far enough to see what's on your screen without you seeing them coming well in advance.
Of course, then there's the guy on the other side of the back wall, or on the side walls. But a big hutch and a couple plants should keep that from being an issue as well.
How about this: Late at night, I come in to work - notice that you are not at your desk, and attach a hardware keyboard sniffer to your keyboard. A few days later, I mosy over and disconnect it.
What do I have at that point? Enough info for a serious carreer boost!
while (sig==sig) sig=!sig;
Not to make you sound stupid, but those locks on most file cabinets, desk drawers etc are complete and utter shit.
They use disk tumblers instead of pins like the lock in your house and can be consistently opened with a bent piece of stiff wire.
Do NOT think that those locks are security in anything but name. They exist solely to satisfy insurance companies that you "lock" things up.
Really?? Oh dude! I better take the Caramilk secret out of there then!
Actuaries - making accountants look interesting since 1949
" With the exception of PHB's X, Y, and Z, anyone found in this cubicle when the employee who uses it is absent will be TERMINATED ."
And that accomplishes nothing. It's just like taking guns away from people who want to own them legally. People who read that sign and abide me it, much like people who properly purchase firearms, are not the ones you need to worry about. Frankly, I don't even know what an "administrative PC" is anyway. My laptop can be an administrative device wherever I take it. This is why you use things like one time passwords and carefully protected SSH keys for security.
"Nature doesn't care how smart you are. You can still be wrong." - Richard Feynman
Nice post.
> But for that I'd say if you don't have janitorial staff you can trust at least that much, you need to find new janitors.
I disagree. I think your colleagues are making a very prudent move by cleaning those rooms themselves. It's not about trust, it's about money. A janitorial position is simply not worth passing up a hefty bribe.
Fun example: My sister went to school in Ghana for a year. Going price for a human to do menial labor is about $5/month (or something like that,) so the school kept four people watching the international dorm 24/7. Going price to get into the international dorm: about $20. After a "break-in" the guards get fired, take a paid month off, find another shitty job. The burgler gets a laptop to fence. Everyone's happy.
Now, if the school had one person on duty 24/7, and that person was making $20/month, then that person might start valueing the job over bribes. Job security in a position paying 4x what you could get anywhere else is worth a lot more than one month's pay.
Even ignoring the difference in salary, an IT person has a lot invested in their career that a janitor does not. So they're going to be intrinsically much harder to bribe. Even if you get a dishonest one.
What are you in, marketing? You ever hear of key loggers ya horse's arse? Do you understand that physical access to a system is practically system ownership, irrespective of what operating system you're running? Give me physical access to your network admin's box and I will own your organisations data.
A network administrator holds the keys to the kingdom in any environment where information is valuable. Meaning, if you're in an environment developing any type of IP which you don't want your competitors knowing about, you better treat your network admin as you would your personal body guard, because that is what he is in that scenario. Industriable espioniage is real. It happens. Having some fracknut in your organization who read 2 copies of 2600 and wants to be a hacker, is real. That happens. Key loggers are trivial to obtain and use. That happens. Booting a system through an alternative means and futzing with the info on the harddrive is real, that happens.
If your organization's information is valuable, then your information security strategy had better include physical security and not just some idiots idea of "oh just log out of the machine and you'll be fine you stupid retard."
Dumbest Slashdot Reply. Ever.
You can get an equivalent tool in most auto-supply stores -- the kind you're supposed to stick in a corner of your side mirrors to give you a wider field of view. Once it's on your monitor, any movement in it (signaling an approaching surfer) catches your attention.
Read the best of all of Slash: seenonslash.com
Just rock it old school. Place a motion detector with a light, just like people put on their homes near the driveway, facing your office door. Keep your office dark (you do anyway right?) and when people walk in, boom, you're hit with a 100W floodlamp. No amount of sneaky walking defeats that.
Failing that you can rig the motion sensor to a pair of wires, wire it to a steel-framed chair you sit in, and have it shock you when they walk in. Even better, wire the door handle on your office with it, then you'll hear them yell every time they open the door.
I haven't had an "office" of my own for a few years. I express the need every so often and I'm actually getting space for one now. But that didn't come about for any reason other than my boss getting tired of hearing about it.
All of the documentation for our dispatch center has been stored in a bookshelf within dispatch. That's a controlled area but the dispatchers can all view it. As I predicted, one of the dispatchers did dig through it and made copies of certain documents. She then supplied those documents to one of the deputies who is now using that information as part of a suit against the county (long story, he thinks we intentionally have bad radio coverage).
Management didn't give a shit about that. The insurance folks shook thier heads in disgust but then they've seen it all with our county so nothing shocks them anymore. When that documentation made it to the internet it still didn't phase anyone.
Privacy? You want privacy? Around here they either think you're being a prima donna or you're up to something. There can't actually be a need for privacy.
. Quit playing Monopoly with Bill. Switch to one of many non-Microsoft products today.
Yes, thats a good start.
Furthermore how is this any different then most other people in the company.
Does the original poster think a engineer sitting in a cubical designing a Death Ray with drawings and such about is in any less of a bad situation.
Honestly IT people would be one of the first people to get cubed in most places. They are much less likely to be seeing important stuff, or having important/need to know phone calls and so forth.
I've never seen an office that isn't completely open plan. I work on sensitive government projects (RESTRICTED in the Official Secrets Act sense) and my desk is accessible to anyone who gets in through the front doors. (2 of, plus building security and office reception, but still)
So the network admins have been moved out of their offices? Cry me a river, and welcome to the 21st century along with the rest of us.
It's official. Most of you are morons.
Most OS's have a screensaver feature that if you go afk for a user-defined time, the screensaver activates. It then can require you to type in your login password to unlock the screensaver. Only way around that is to reboot, which if you were logged into a network account, will just take you back to another login screen. Even if you're logged in locally, tampering would be obvious as you would no longer be logged in when you got back to your desk.
I work for the Department of Redundancy Department.
I'm a Computer Science major but my concentration is Information Assurance and Security.
There are a lot of bad ideas here from people who obviously think that they understand security. When it comes to security someone saying that something is possible should raise an eyebrow, and someone saying that something is impossible should be ignored.
Give me physical access to a computer of an IT staff member who has reasonable levels of access and I will be able to compromise the entire network; period.
If I have physical access to a computer it is mine, and short of physically stopping me there is nothing you can do to prevent me from having complete access to that computer.
Imagine this, if you will:
I have a motive to gain complete control over the network. Be it that I'm a disgruntled employee, looking to profit, or simply wanting to get some dirt on someone I don't like... for some reason I want to get complete control of the network.
Why would I sit down at the computer and work on it for long when there is a risk of being caught?
Instead I bring a bootable utility disk, an external hard drive, and boot up an environment that will let me create a bit-stream image of the entire disk and save it to my external drive.
It takes me about 30 to 120 seconds to set this up, maybe a few extra min if I need to reset the BIOS (but this is an IT staff workstation, I'm sure the lazy IT employee just has his workstation set to boot off the CD already...)
So I go away for an hour or two, come back, retrieve my external HD and there is no way to detect I ever accessed that disk.
Later, I perform an analysis of the disk image looking in file slack, ram slack, and deleted files... what do I find? Sensitive conversations, documents, encryption keys, and passwords: jackpot. That's right, I don't care if you save everything off on a network drive, if your workstation has a hard disk chances are that most of the information I need is hidden on it (especially true on Windows workstations and NTFS file systems).
Not only did I just get all the "keys" to your precious network, but I also got myself an exact copy of that computers configuration so I can replicate it if I need to, and I did it so fast that you won't even realize there is a problem.
How long did this take me? About 5 min of access to the computer, with some down time where I was away doing something else (gee, Mr. Janitor can do this can't he?) in between.
So you see, this idea of storing "sensitive" data only on the network is bunk. You created a $50,000 lock that I can pick with a 5 cent pen, congratulations, your CEO must be proud.
Any, and I stress this: Any computer terminal that is not physically secured should be a diskless workstation. People underestimate the value in thin client computing. From a security standpoint you should treat every hard disk that has ever been in a computer that has accessed sensitive information, even once, as a copy of that information. This includes documents viewed, passwords entered, etc. In other words: every hard disk in your organization.
I guess I'll mention it now for those of you who can't read between the lines: Do you ever throw out old hard drives? What information was on them? What information is still on them? Every time a computer hard disk comes into contact with IT, it should be whipped thoroughly with multiple passes of random data (to avoid data recovery though forensics techniques). I recommend at least the American DoD 5220-22.M Standard Wipe. There are Free Software tools available to do this, such as DBAN.
So are cubicles a bad idea for IT staff computers? I think the answer to that is obvious. The real question here is: Is the benefit to having workstations with hard disks worth the extra security concerns they present? If you deal in sensitive information, you want to be very sure that every computer with a hard disk is physically secure.
Yeah, and that's the overpriced ThinkGeek one. I've seen them cheaper than that $10, and even free at trade shows.
I think that most professional geeks need to come to grips with reality. If you're in IT, you probably think you're more important than you really are, while management probably thinks you're less important than you really are. This, obviously, adds up to a huge disparity, and causes plenty of conflict when these two distorted realities butt heads.
I'm sure some will look at this and say "no, really, I'm that important", but really, you're not. First, think about how many other people have exactly as much value as you do to the business. Unless you're in a very, very small shop, there's more than one person doing critical IT things in the first place. Then consider the people who produce whatever it is that your business does. It's popular in geek circles to complain that those people don't understand that they wouldn't be able to do their jobs without us geeks. Well, here's a news flash: you wouldn't have that job to do without them.
Next, try to remove that built-in Dilbert filter you've developed, and take a critical look at your immediate management. Now, your manager may be just as utterly useless as the stereotypes one would normally apply, but more often than not, that's an unfair stereotype. I know for certain that without my team lead or our group's manager, who both know how to work within the corporate political system to get things done, I would have been either downsized because upper management had no idea whether I was of any use, or I would have been fired for pissing off enough people.
You should also consider what those other departments really do (outside of the automatic reaction you probably have to that question, which is almost certainly along the lines of "annoy me" or "piss me off"). Sure, without the network guys, lots of things wouldn't get done; what wouldn't get done without this other department? "Service Department" is sufficiently generic that I have no idea what they do, but contrary to the common jokes about it, businesses aren't usually in the habit of hiring people to do nothing. Or take the Sales department, which is one of the bigger targets of IT vitriol. The individuals may often deserve it, or they may not (I've known some incredibly slimy sales guys in my life), but either way: the business needs customers. Without the IT guys, the sales guys would lack email, IM, and possibly even the productivity tools they use daily, but without the sales guys, nobody would be paying the IT guys' salaries.
For reference, I've only ever worked in one place where the IT staff got offices instead of cubicles, and that's mainly because there weren't any cubicles anywhere in our small office space. Not to mention the fact that it was about a 25-person ISP, and our customer base was primarily in a few counties. Oh, and they've since been gobbled up by a much larger competitor, had their employees laid off, and moved operations to another state.
I think, ultimately, that the submitter (and the GP) need a reality check. Despite what years in IT have led you to believe, you're not the most important preson in the organization and you're never going to be viewed as such. Millions of people get their jobs done just fine within cubicles. And for the GP: if you have a server in your cube or office, you're just asking for it anyway.
I understand your frustration, but yellow stickers with root passwords attached to your monitor must go.
> But for that I'd say if you don't have janitorial staff you can
:-)
>trust at least that much, you need to find new janitors.
I always thought that a janitorial company would make the perfect cover for an industrial espionage outfit. The janitors have nearly complete acccess to all sorts of high-tech offices, with no one to monitor them. (I don't worry about startups and game shops - their coders are in the office all night anyways
How many designers/developers/etc. remember to wipe the whiteboards every day? Or clean off their desks and lock down their systems? How many product designs/customers lists/launch dates/etc. have been leaked out and sold to competitors? And the victim totally in the dark about the source of the leak?
If properly managed, the information brokerage could bring in lots more money than the legitimate janitorial side of the business, with practically no risk to the principals.
And I'm not even considering the possibility of outright theft - either by the real low-paid janitors, or imposters.
Out of the last 10 or so software companies I've worked for, only one paid any attention to the cleaning staff. We had the cleaning company assign specific people to the developers floors, and had their photos posted in a common area. This made it a bit harder for
a phony to claim they were part of the cleaning staff.
I am a locksmith. I work with file cabinets and cube drawers all the time. Those locks you link to are specifically for one particular brand of medium-security, fire-rated, burglary-safe type file cabinets, not cubicle furniture. The crap-ass locks on cubicle drawers and cabinets, even the more expensive Steelcase stuff, simply cannot be improved. They're cheap chinese junk of one-off designs that don't lend themselves to retrofitting anything decent. Furthermore, a better lock doesn't do squat for security when your drawers and cabinets are made of cheap sheetmetal and particle board. If someone were stupid enough to install (say) an expensive MAS Hamilton electronic safe lock on a standard steelcase desk drawer, I would almost pay money for the chance to show him how his costly upgrade could be bypassed with a flat blade screwdriver.
Cube furniture isn't secure. Expensive locks ain't the answer.
If a job's not worth doing, it's not worth doing right.
2if your job involves any codeing then your productivity will go way down hill in an open plan type space ... (far to much noise)
... I had a similar battle early this year some of the above helped.
As has already been discussed your physical security is now wide open, walk off with that HD that has the boss's info backed up on it?
Software disks install No's stuff that your company now pays thousands for are much more accessible to the light fingered.
Good luck with hanging on to your office
I have told the big-wigs, in meetings now, that we will be losing our physical security.
You could always estimate how much it would cost to compensate for the lack of physical security. Make it cost twice as much as keeping the room. If they still balk, advise them in writing of the consequences and demand a signature. Keep this offsite.
"We returned the General to El Salvador, or maybe Guatemala, it's difficult to tell from 10,000 feet"
I haven't had an office in 10 years! Not since getting a high paying job for one of the Fortune 100. Nothing but cubicles for as far as the eye can see! Office space is reserved on the outer perimeter where the windows are. Anyone with an office is a manager of at least 100 people. If they have a corner office then they have those managers reporting to them and they are ultimately responsible for several hundred employees. Were it not for the skylights there would be no sunlight in the cubical farm. The good thing is conference rooms are on the outer wall as well so you can kinda stare out the window during boring meetings.
IT people are in cubicles and have been for at least 20 years. The servers are locked up in secured environmentally controlled data centers. You wouldn't want to work there, it sucks typing when your hands are freezing. The noise of the cooling fans and air conditioning is pretty darn loud too.
Due to Sarbanes/Oxley the customer data is secured to such a ridiculous degree that the IT staff doesn't have access to production data anymore! Yeah, that's right, the IT staff cannot see production data! When there is a problem we have to request a special temporary user name that expires in like 8 eight hours. That id is issued to you and the password is reset. You then use that account to examine the production system. Everything that account sees or does is logged extensively. When you are done, you give the account back and it's reset. If you forget, it will expire soon enough. Those with access to issue the accounts and reset them are at the highest levels of security and are located in our mainframe operations center where they are under constant surveillance including by closed circuit digital cameras. These guys have to go through several card access points to reach the data center. They are not even in cubicles but what looks like a college lecture hall of desks on stepped risers with projection screens on the main wall. Looks like a NASA control center. This helps a lot in major outages to have all the experts in the same room.
The call center staff obviously has access to production client data because they need to. But that doesn't mean they aren't being watched all the time. Every read is logged and if it's found that they should not be reading that customers data at that time, they will be caught. Random audits are performed constantly. We have a special investigations team which is constantly on the lookout for potential fraudsters, etc.
Security performs periodic physical security audits. i.e. going around looking for people who keep their ID/Passwords under their keyboards or on post-it notes; leaving their desks unlocked, leaving confidential information out in the open, etc. This happens at night after most people go home.
Cell phones with cameras and USB devices are forbidden in some places. The call center computers USB ports have been filled with an insulating epoxy from a hot glue gun. Of course that doesn't stop someone from writing down notes and sticking it in their pants. I mean if Sandy Berger can enter the national archives and stuff top secret documents down his pants and walk right out then so can a call center employee who makes less then $15 / hour. What the hot glue in the USB / Firewire slot does is stop someone from moving gigabytes of data out the door in one move. There are also no CD/DVD burners in the call center for the same reason.
Arguing security isn't a good thing, it will just lead to a security crackdown that isn't going to stop someone whose diligent and determined. It will just inconvenience you further... Take a look at those 4 Chinese Spies they just caught in California! They worked for defense contractors and gave away military secrets to the Chinese. I mean if we can't stop our military secrets from walking how can we stop everyday business data theft and industrial or corporate espionage?
The best argument I've heard for real offices is that they should be allocated to people who need privacy OR quiet to do their work. With all due respect to secretaries, the last thing you need is a secretary playing some music that drives you insane when you're trying to work out the deep implications of some program code or security issue.
Oh, and the corollary I meant to include in that is that offices should not be allocated for the purposes of prestige. If highly paid employees get an office for the sake of their vanity, when they're actually not even in the building much, and when they are, they're talking to people in plain sight, while IT guys who need to think are dealing with cleaners vacuuming around them, then I think that says something about the kind of company you're working for.
In terms of the productivity argument, that holds a little more water. It still depends on the maturity level of the person in question, though. Give some hot-shot kid with zero professional experience an office with a door, and watch his productivity soar. Provided you count the number of slashdot posts, and hours spent on Myspace as productivity. In the case of a mature person, an office would probably increase their level of productivity. But if they are that mature, they probably have the ability to sack up, and get their job done in the face of such arduous conditions as being forced to sit in a cubicle.
Someone mentioned that the cost of cubicles is actually not much (or at all) less than that of giving people their own office. I find that pretty suspect, but we'll assume that to be true for the moment. Can someone clear up how this doesn't simply take up more floor space that may not even be available? Is floor space being taken into account in the cost analysis? I would think that if you have to construct a whole new building for every 30 people you hire, you're probably going to save a couple of bucks in just building up a cube city.
I agree that there is probably a degree of management elitism in most cases, that keeps the peons in their cubes, and the Directors in their offices, but oh well. Suck it up, and get your job done, or go find a new one. Apparently you weren't so distracted by your co-workers that you couldn't post an inane story on Slashdot.
This is my sig. There are many like it, but this one is mine...