Slashdot Mirror


Has Corporate Info Security Gotten Out of Hand?

KoshClassic asks: "What is the right balance between security and productivity, in the corporate IT environment? Looking back at my company, 10 years ago, our machines were connected directly to the Internet, no proxy, no firewall, no antivirus software. Today, my company's proxy server blocks access to 'bad' web sites (such as Google Groups); our 'antivirus' software prevents our machines (even machines that host production applications) from carrying out legitimate functions, such as the sending of email via SMTP; and individual employees are forced to apply security patches with little or no notice, under threat of their machines losing network access, if they do not comply by the deadline. On one hand, you can never be too secure, however on the other hand, have we become so secure that we're stifling our own ability to get things done? What is the situation like at other companies?"

11 of 466 comments

  1. Management? by Tadrith · · Score: 5, Interesting

    The only real problem is overzealous proxy servers, which can be tough to configure, but should have a whitelist of some sort... the rest of the problems mentioned are problems that have solutions. There are plenty of corporate-level antivirus solutions that will allow the control of virus scanning policies so that you could enable the sending of e-mail through SMTP. If it's corporate policy not to allow it, then it really isn't a computer problem, but a company policy problem. There are also plenty of options for keeping up on patches that would relieve the users of this responsibility. Even in the case of Windows, Microsoft distributes a free "private" version of Windows Update, called Windows Server Update Services that can be deployed on a network. This version allows you to choose when and how which patches are distributed; all you have to do is point your computers to the server. Assuming you are running a Windows network, the settings for the Windows Update can be deployed via Group Policy without ever having to visit a workstation. Workstations can be scheduled to update themselves without taking control away from the IT department in regards to which patches they want installed.

    Most of that was assuming you are running a Windows-based network. I am not as familiar with Linux software, but I know that similar services are available for Linux as well. In my experience managing network environments, most of this has never been a major problem. It seems to me that the network environment doesn't suffer from too much security, but that the existing security needs to be better managed so that it doesn't prove detrimental to the productivity of the employees.

    1. Re:Management? by bhmit1 · · Score: 3, Interesting

      If it's corporate policy not to allow it, then it really isn't a computer problem, but a company policy problem.

      Being a consultant, I've seen a wide variety of security policies from my various clients. I've had countless clients that have strict restrictions on where you can get over the network out of concern that you may transmit confidential data, but then let you walk in and out the door with a laptop as you please. That same client provided vpn access for remote support, but blocked ssh over the vpn because that would allow an ftp like (scp) access while leaving telnet open. I've been to places that refused to give me internet access even though it was the preferred way to receive support for their application and the only way to search the knowledge base. I've started on a project with a team of people, and more desktops (not even counting our own laptops) than network jacks. After waiting several weeks for a couple new jacks to be installed with three of us sharing one PC, I gave up and got a cheap network hub (this was several years ago) but was told that it wasn't allowed because they couldn't be sure it hasn't been compromised. I've been places where they wouldn't give me a badge to get in the door and no one was assigned to the front desk, so the unlucky guy sitting by the side door got used to hearing the banging and letting anyone in without any idea of who they were.

      Of course, for every bad client, there's one that lets me remotely connect to my home network, makes sure I have a badge with access to everywhere I need to be, and promptly makes a backup and changes the root password before providing me full access to the server that I need to configure. It's all a question of cost of security breach vs cost of security enforcement.

      To me, none of these things are worth being upset about. Yes, they are annoying, but it's the client's decision to make things more difficult, and therefore, more expensive. I simply do the best I can with the resources available. Of course it would be nice if the policies considered the threat instead of only the past exploits. Then they would realize that someone trying to carry a stack of files out the door is no worse than the guy that walked by with the flash drive in his pocket.

    2. Re:Management? by Anonymous Coward · · Score: 5, Interesting

      I agree that some level of security is needed to prevent threats from both inside and outside the company. However, the goals of IT and security organizations often don't seem to align with the main goal of all companies -- to make money. At the company I work for, most departments are focused on improving efficiency, improving product quality, and keeping our customers happy. All things that are necessary for a business to be successful. However, the IT organization seems to be focused only on taking every precaution to keep the network running smoothly without regard to the impact on the rest of the business. When one of IT's policies conflicts with a legitimate business need, there's nothing I can do about it. There's nothing my manager can do about it. There's nothing his manager can do about it. There's nothing the director of engineering can do about it. The only thing the VP above him can do about it is try to work out an agreement with the VP in charge of the IT management chain or complain to the CEO. So basically, when IT's policies screw us, we just have to bend over and take it. Here are a few recent examples:

      1) A bug in one of our products affects an important customer. Engineering works feverishly to release updated firmware to fix the problem. As soon as the fix is validated, we e-mail it to the customer, but they never get the attachment. Why? IT decided to block attachments for unknown file types. The director of my division calls IT and complains. The response: "Sorry, that's our new policy." Our solution: I fly to Germany to hand deliver the updated firmware on a CD. Cost to the company: about $4000 in travel, 2 days of my time, and a customer who thinks we're crazy.

      2) We are completing the timing analysis for a new ASIC. The simulations take about a week to complete, and if they are interrupted we have to start over. The only problem is that every time we start the tests, IT deploys a new security patch and forces a reboot of the PC before the testing can complete. This happens repeatedly and results in a 2 month delay in getting the chips made. We make up some of that lost time, but the project still slips by more than a month. As a result, we were contractually obligated to refund $200,000 of the NRE we got for doing the work since we missed our dates.

      3) We use ClearCase for source code control. Everyone in the company with a unix account had access to the source code and could check in and check out files. Our IT department decided this was a security risk -- reasonable, I suppose. To correct the problem, without notice they disabled access for everyone. They then sent out an email saying that anyone who needed access had to fill out a form, get it signed by a manager, and fax it to their department. They were so bombarded with these requests that it took about 3 weeks to process them all and get everyone's access restored. It took them about 2 weeks to get to mine. During that time, my company paid me a fat salary to sit at my desk and learn how to work a rubik's cube. I can now work a rubik's cube in about 90 seconds, but this is of questionable value to my company.

      4) To increase password security, our IT department implemented a new password policy. All passwords must be at least 8 characters long, contain at least one uppercase character, one lowercase character, and one number or symbol. All passwords must be changed every 30 days. When changing your password, you can't use any of the last 10 passwords you have used. Every system that requires a login must use a different password (I have a windows login, a unix login, a SAP login, and a login for an internal bug tracking tool). Ironically, all of these systems use LDAP authentication which was implemented about 2 years ago so that we could use the SAME password for all our accounts. If you enter the wrong password 5 times, your account gets locked out and you have to issue a ticket to the help desk to get your account restored. This usually takes about a day. The result of

  2. one time, for security's sake by yagu · · Score: 4, Interesting

    One time for security's sake my office ethernet port was turned off by IT. Figuring it to be some outage I called support (hah!), and they looked up my IP address and said yes the port had been turned off because my machine had refused to accept recent XP updates.

    Hmmm, but my machine is a linux machine! We're sorry, but until your machine accepts the updates we can't re-enable the port. I asked why I hadn't been notified -- they said ALL XP login scripts had been posting the notice for over a week, I had been given "plenty" of warning!

    Hmmmm, but my machine is a linux machine! We're sorry, but until your machine accepts the updates we can't re-enable the port.

    Fortunately I had a dual-boot, so I was able to comply.

    But, ironic that one of their (in my opinion) least vulnerable machines on the network was mine.

    (And, for the record, my assigned work had no specific XP requirement, and my responsibilities were heavily around Unix... so I wasn't in violation of any policy (such as they existed).)

  3. Speak for yourself... by MicroBerto · · Score: 4, Interesting

    What "we"?? The company I work at does none of those things, and the network runs almost perfectly. There is a balance.

    But also realize how much the worms of 2003 and 2004 cost corporations. I saw it first hand when working in a plant, and it was seriously disastrous. I can understand why they don't want that to happen again.

    If surfing "bad" sites is THAT important to you, perhaps it's time to get your resume out to a company that trusts its employees more. Or quit complaining to a bunch of slashdotters and present a true solution that benefits everyone. There are ways to have both security and usability.

    --
    Berto

  4. Your complaints are unconvincing. by Saint Aardvark · · Score: 4, Interesting

    • Your company's proxy policy is a matter of policy at your company -- complain to them about it! If it's preventing you from getting work done, you should have no problem convincing them -- and if you do, light a fire under your manager; that's what managers are there for.
    • "the sending of email via SMTP" -- Maybe I'm misinterpreting this, but if you mean "our desktops and servers have to pass email to the designated relay", then I'm completely unsympathetic. If your complaint is about poor performance, complain about that -- but your desktop and your production machines are not mail servers!
    • "forced to apply security patches with little or no notice" -- I can guaran-fucking-tee you that each time that happens there is a wave of complaints to your IT department. And yet they keep doing it anyway. They're either heartless, bastard psychopaths with no concept of sympathy, or it's important to apply these patches. Human nature being what it is, I'm willing to bet they think it's important...no one lets themselves in for a shitstorm voluntarily just 'cos it's, you know, second Tuesday of the month.

    And, why, yes I am a network administrator, thanks. I'm lucky so far -- it's a small company, people are well-behaved, and I don't have to implement the policies you describe. I set up times for patches, there's no proxy yet and not too many firewall restrictions.

    But if this place gets to be big enough that I can't count on collective intelligence and/or social pressure to keep people doing the right thing, I'm going to have to seriously consider policies just like the ones you describe, in order to keep things running as they need to -- because your complaints about the network not working 'cos of the latest virus outbreak are going to be a fuck of a lot louder than your complaints about your desktop machine not being allowed to be a mail server.

  5. Fair security poorly administered by ayelvington · · Score: 5, Interesting

    I work in a .mil environment with managed images and very good security. What I'm reading is that your company is still in the learning phase when it comes to customer service balanced with security.

    We operate under a standard image architecture with updates and patches pushed out across the enterprise. Proxy servers are a necessary evil, but we are very reasonable on our block lists. (North Korean sites are discouraged along with Ebay...) This is for our unclassified network...

    We learned the hard way too. Our first generation of machines were issued with padlocks on the cases and no CDROM drives...

    Our IT system never compromises operations for security, and it never has to. Your IT staff may need a bit of fresh air, a few customer-centered workshops, and maybe some field trips to see how others work.

    I feel your pain and wish you the best.

    ay

  6. The right balance is... by canuck57 · · Score: 3, Interesting

    What is the right balance between security and productivity, in the corporate IT environment?

    Simple, more security. As more secure systems tend to run more reliably (less bugs) and with lower maintenance (removing root kits) than do less secure systems. Knowing most corporate environments, security tends to be lax.

    Looking back at my company, 10 years ago, our machines were connected directly to the Internet, no proxy, no firewall, no antivirus software.

    Yes, it was better more than ten years ago. If your computer was connected to the internet and caused someone problems you got kicked off for a week or two to think about it. Some were even blacklisted. And few if any ran Microsoft products as their gateways or terminals.

    But the fact is with many hundreds of millions of Internet users today practicing self administration of an inherently insecure OS and trusting everything they click on -- without regard to others or their companies' costs, security has had to evolve. And believe it or not, firewalls existed 10 years ago.

    Then along comes the modern cowboy on an unmonitored cable connection hacking people for sport and profit. People hack computers just to send spam, and the system/ISP do nothing. They have long since abandoned kicking them off. The result is the problem is now rampant.

    have we become so secure that we're stifling our own ability to get things done?

    Not at all, I have always kept important stuff on UNIX and Linux, and professionally manage them like I do at work. They haven't been hacked or wormed. I also tend to use "safe" tools as they also fail less and are more secure.

    But the optimum answer to be secure is to use securable tools and secure practices in what you do with your computer, something like safe sex.

  7. Porn liability by typical · · Score: 3, Interesting

    Being a corporate IT security at large corporation I can tell you why google groups are blocked. If I am looking at porn on alt.binaries.erotica and a female co-worker walks up behind me she could sue for sexual harassment and say the company did not take adequate measures to prevent this situation.

    My understanding is the hoopla about "if you don't block pornography, you're liable" is nonsense that's heavily propagated by vendors of filtering software. The case that claims about liability are based on is the '91 ruling in Robinson v. Jacksonville Shipyards, Inc. Here, the plaintiff was being directly targeted and porn was being publicly pervasively placed throughout the workplace. That's a *far* cry from someone walking in and seeing a pornographic image on someone's computer monitor. That's even *further* away from a company being liable because they actually aren't buying a product to do filtering.

    My impression is that most of the people that install these packages get sold a bill of goods by the filtering people "Lawsuits! Lawsuits!" The IT people pass the possibility of a lawsuit on up, some higher-up decides that the software is cheap insurance against a lawsuit, and buys it.

    Frankly, companies don't need to worry about liability from not filtering porn (IANAL and all that). They might need to worry about employees being off-task (I mean, come on -- if you're browsing porn, you are *not* doing work). However, I've been incredibly frustrated by stuff in the past (like pages containing "wine" in the URL being blocked -- when I'm trying to look up constants in WINE's header files), with information about HTTP tunneling that I needed for writing some software that had to interoperate with a firewall being blocked (as "criminal activity", impressively enough, along with anything involving a "proxy"), and so forth. Companies aren't avoiding liability at all -- they're trying to control employees, and keep them from goofing off at work. I'm not saying that there's necessarily anything wrong with that, but it's just not really a liability issue. I've seen people blow time chatting with their friends on non-work related stuff on AIM, and I can understand that there's a desire to not let the computer be an entertainment device.

    However, I've got a much better solution. Have software that skims browsing history, flags anything suspicious, and allows an employee's boss to take a gander at it (if he really wants to). Oh, and *tell* the employee that you plan to do this -- the idea is to prevent abuse. I don't have a problem with my boss seeing a complete log of my at-work browsing history -- I do have a real problem with IT blocking things. I don't abuse my work connection, and it's really irritating to be treated as if I have because someone somewhere *has* done so.

    Basically, I think that it's probably unreasonable to prevent the following types of Internet usage in a regular work environment, at least from a security/liability standpoint:

    * Outbound TCP connections, other than maybe to port 25. The whole world is not HTTP.

    * Requests to DNS servers other than the company one (why on *earth* do people do this?)

    * Outbound SSH connections (a special case of the above that's particularly annoying -- sometimes I need to get at my addressbook or something else on my home computer). (There is a small potential security issue here in that someone could set up X11 port forwarding, and have a compromised outside box keylog or screenshot their workstation machine desktop) but goddamn it, the risk is awfully small and the loss of functionality enormous. This is not James Bond, and armies of ninja hackers are not out trying to take screenshots of desktops.

    * Access to webpages. Good *God*. If you have to log them, fine, but for Chrissake, do not filter. It's *so* irritating.

    Real security risks? Worms, dubious software that people intentionally install, people simply taking confidential (*actually* confidentially, not doc

    --
    Any program relying on (nontrivial) preemptive multithreading will be buggy.
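
The log-and-flag approach proposed in the comment above, together with the "wine" and "proxy" false positives it describes, as an added example that is not part of the original thread. The watched domains, the keyword list and the log lines (Squid native access.log layout) are constructed assumptions.

```python
"""Log-and-review instead of block: build a per-user report from proxy logs."""
from collections import defaultdict
from urllib.parse import urlsplit

# Hypothetical review categories keyed by domain suffix (assumption).
WATCHED_DOMAINS = {"casino.example": "gambling", "warez.example": "piracy"}
# Keyword list of the kind a substring-matching URL filter uses (assumption).
NAIVE_KEYWORDS = ("wine", "proxy", "casino")

# Constructed sample in Squid's native access.log layout:
# time elapsed client action/status bytes method URL user peer content-type
SAMPLE_LOG = """\
1141000001.100 85 10.0.0.21 TCP_MISS/200 5120 GET http://source.winehq.example/include/winbase.h alice DIRECT/203.0.113.10 text/plain
1141000002.200 40 10.0.0.21 TCP_MISS/200 9001 GET http://docs.example/http-proxy-tunneling.html alice DIRECT/203.0.113.11 text/html
1141000003.300 60 10.0.0.22 TCP_MISS/200 7300 GET http://play.casino.example/slots bob DIRECT/203.0.113.12 text/html
1141000004.400 12 10.0.0.22 TCP_MISS/200 3100 CONNECT mail.example:443 bob DIRECT/203.0.113.13 -
1141000005.500 33 10.0.0.23 TCP_MISS/200 2048 GET http://notcasino.example/menu carol DIRECT/203.0.113.14 text/html
truncated line without enough fields
"""


def parse_line(line):
    """Return (user, url) for a well-formed line, or None for anything else."""
    fields = line.split()
    if len(fields) < 10:
        return None
    return fields[7], fields[6]


def host_of(url):
    """Extract the hostname; CONNECT entries log 'host:port' with no scheme."""
    if "://" not in url:
        url = "//" + url
    return (urlsplit(url).hostname or "").lower()


def category(host):
    """Match on whole domain labels, so notcasino.example is not casino.example."""
    for domain, label in WATCHED_DOMAINS.items():
        if host == domain or host.endswith("." + domain):
            return label
    return None


def naive_hit(url):
    """What a keyword filter does: substring match anywhere in the URL."""
    return any(word in url.lower() for word in NAIVE_KEYWORDS)


def review_report(log_text):
    """Nothing is blocked; flagged requests are grouped per user for review."""
    report = defaultdict(list)
    for user, url in filter(None, map(parse_line, log_text.splitlines())):
        label = category(host_of(url))
        if label:
            report[user].append((host_of(url), label))
    return dict(report)


def keyword_false_positives(log_text):
    """URLs a keyword filter would block that the domain rule does not flag."""
    parsed = filter(None, map(parse_line, log_text.splitlines()))
    return [url for _, url in parsed
            if naive_hit(url) and category(host_of(url)) is None]


if __name__ == "__main__":
    print(review_report(SAMPLE_LOG))
    print(keyword_false_positives(SAMPLE_LOG))
```
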
  8. Comment removed by account_deleted · · Score: 3, Interesting

    Comment removed based on user account deletion

  9. Re:They were wrong and you're lazy! by Malor · · Score: 3, Interesting

    It's absolutely trivial to admin one more standard Windows or Linux box remotely.

    It is NOT trivial to try to remotely deal with a dual-boot environment.

    His list of reasons was very solid, backed by experience. Your 'rebuttal' is crap. Twice the machines is HALF the cost... because MOST of the cost of a machine is maintenance. Unless the machines are just appallingly expensive, most secondary computers would pay for themselves by about the fifth manual patch visit. All the user has to do is leave both computers on all the time. Every place I've ever worked has left ALL machines on all the time.

    VMWare images are easy to deal with. They look just like the other machines on the network, although perhaps not always running. You don't have to do anything special to support them; they just work. You can think of them like laptops. It's a total non-issue.

    If you supervise IT employees, I feel very bad for them. If any of those theoretical employees are reading this: get the hell out. There are sane bosses in the world.