Slashdot Mirror


Has Corporate Info Security Gotten Out of Hand?

KoshClassic asks: "What is the right balance between security and productivity, in the corporate IT environment? Looking back at my company, 10 years ago, our machines were connected directly to the Internet, no proxy, no firewall, no antivirus software. Today, my company's proxy server blocks access to: 'bad' web sites (such as Google Groups); our 'antivirus' software prevents our machines (even machines that host production applications) from carrying out legitimate functions, such as the sending of email via SMTP; and individual employees are forced to apply security patches with little or no notice, under threat of their machines losing network access, if they do not comply by the deadline. On one hand, you can never be too secure, however on the other hand, have we become so secure that we're stifling our own ability to get things done? What is the situation like at other companies?"

3 of 466 comments

  1. Management? by Tadrith · Score: 5, Interesting

    The only real problem is overzealous proxy servers, which can be tough to configure, but should have a whitelist of some sort... the rest of the problems mentioned are problems that have solutions. There are plenty of corporate-level antivirus solutions that will allow the control of virus scanning policies so that you could enable the sending of e-mail through SMTP. If it's corporate policy not to allow it, then it really isn't a computer problem, but a company policy problem. There are also plenty of options for keeping up on patches that would relieve the users of this responsibility. Even in the case of Windows, Microsoft distributes a free "private" version of Windows Update, called Windows Server Update Services, that can be deployed on a network. This version allows you to choose when and how which patches are distributed; all you have to do is point your computers to the server. Assuming you are running a Windows network, the settings for the Windows Update can be deployed via Group Policy without ever having to visit a workstation. Workstations can be scheduled to update themselves without taking control away from the IT department in regard to which patches they want installed.

    Most of that was assuming you are running a Windows-based network. I am not as familiar with Linux software, but I know that similar services are available for Linux as well. In my experience managing network environments, most of this has never been a major problem. It seems to me that the network environment doesn't suffer from too much security, but that the existing security needs to be better managed so that it doesn't prove detrimental to the productivity of the employees.
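
Added example, not part of Tadrith's comment: a read-only PowerShell check of the Windows Update client policy values that Group Policy writes to a workstation's registry when it is pointed at a WSUS server. The registry value names are the standard Windows Update policy ones; the hostname and sample values are constructed placeholders.

```powershell
# Added example (not from the thread). Read-only audit of the Windows Update
# client policy that Group Policy writes under HKLM on a workstation.
$WuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'

function Get-PolicyValues {
    param([string]$Path)
    $values = @{}
    if (Test-Path -Path $Path) {
        $item = Get-ItemProperty -Path $Path
        foreach ($p in $item.PSObject.Properties) {
            # Skip the PSPath/PSProvider bookkeeping properties.
            if ($p.Name -notlike 'PS*') { $values[$p.Name] = $p.Value }
        }
    }
    return $values
}

function Test-WsusClientPolicy {
    param([hashtable]$Wu, [hashtable]$Au)
    $findings = @()
    if ($Au['UseWUServer'] -ne 1 -or -not $Wu['WUServer']) {
        $findings += 'Not pointed at an internal update server (UseWUServer/WUServer).'
    } elseif ($Wu['WUServer'] -notlike 'https://*') {
        $findings += "WUServer '$($Wu['WUServer'])' is not HTTPS; update metadata is unprotected in transit."
    }
    if ($Au['AUOptions'] -ne 4) {
        $findings += 'AUOptions is not 4 (auto download and scheduled install).'
    }
    if ($Au['NoAutoRebootWithLoggedOnUsers'] -ne 1) {
        $findings += 'Scheduled installs may reboot while a user is logged on.'
    }
    return ,$findings
}

# Constructed sample: what a GPO-managed client might hold (hostname is a placeholder).
$sampleWu = @{ WUServer = 'http://wsus.example.internal:8530'; WUStatusServer = 'http://wsus.example.internal:8530' }
$sampleAu = @{ UseWUServer = 1; AUOptions = 4; ScheduledInstallDay = 0; ScheduledInstallTime = 3 }
'Sample policy:'; Test-WsusClientPolicy -Wu $sampleWu -Au $sampleAu

# Live check on the local machine.
'Local policy:'
$live = Test-WsusClientPolicy -Wu (Get-PolicyValues $WuKey) -Au (Get-PolicyValues "$WuKey\AU")
if ($live.Count -eq 0) { 'No findings.' } else { $live }
```

On the constructed sample this reports the plain-HTTP server URL and the missing reboot guard; on a machine with no update policy applied it reports all three findings.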

    1. Re:Management? by Anonymous Coward · Score: 5, Interesting

      I agree that some level of security is needed to prevent threats from both inside and outside the company. However, the goals of IT and security organizations often don't seem to align with the main goal of all companies -- to make money. At the company I work for, most departments are focused on improving efficiency, improving product quality, and keeping our customers happy. All things that are necessary for a business to be successful. However, the IT organization seems to be focused only on taking every precaution to keep the network running smoothly without regard to the impact on the rest of the business. When one of IT's policies conflicts with a legitimate business need, there's nothing I can do about it. There's nothing my manager can do about it. There's nothing his manager can do about it. There's nothing the director of engineering can do about it. The only thing the VP above him can do about it is try to work out an agreement with the VP in charge of the IT management chain or complain to the CEO. So basically, when IT's policies screw us, we just have to bend over and take it. Here are a few recent examples:

      1) A bug in one of our products affects an important customer. Engineering works feverishly to release updated firmware to fix the problem. As soon as the fix is validated, we e-mail it to the customer, but they never get the attachment. Why? IT decided to block attachments for unknown file types. The director of my division calls IT and complains. The response: "Sorry, that's our new policy." Our solution: I fly to Germany to hand deliver the updated firmware on a CD. Cost to the company: about $4000 in travel, 2 days of my time, and a customer who thinks we're crazy.

      2) We are completing the timing analysis for a new ASIC. The simulations take about a week to complete, and if they are interrupted we have to start over. The only problem is that every time we start the tests, IT deploys a new security patch and forces a reboot of the PC before the testing can complete. This happens repeatedly and results in a 2 month delay in getting the chips made. We make up some of that lost time, but the project still slips by more than a month. As a result, we were contractually obligated to refund $200,000 of the NRE we got for doing the work since we missed our dates.

      3) We use ClearCase for source code control. Everyone in the company with a Unix account had access to the source code and could check in and check out files. Our IT department decided this was a security risk -- reasonable, I suppose. To correct the problem, without notice they disabled access for everyone. They then sent out an email saying that anyone who needed access had to fill out a form, get it signed by a manager, and fax it to their department. They were so bombarded with these requests that it took about 3 weeks to process them all and get everyone's access restored. It took them about 2 weeks to get to mine. During that time, my company paid me a fat salary to sit at my desk and learn how to work a Rubik's Cube. I can now work a Rubik's Cube in about 90 seconds, but this is of questionable value to my company.

      4) To increase password security, our IT department implemented a new password policy. All passwords must be at least 8 characters long, contain at least one uppercase character, one lowercase character, and one number or symbol. All passwords must be changed every 30 days. When changing your password, you can't use any of the last 10 passwords you have used. Every system that requires a login must use a different password (I have a Windows login, a Unix login, a SAP login, and a login for an internal bug tracking tool). Ironically, all of these systems use LDAP authentication which was implemented about 2 years ago so that we could use the SAME password for all our accounts. If you enter the wrong password 5 times, your account gets locked out and you have to issue a ticket to the help desk to get your account restored. This usually takes about a day. The result of

  2. Fair security poorly administered by ayelvington · Score: 5, Interesting

    I work in a .mil environment with managed images and very good security. What I'm reading is that your company is still in the learning phase when it comes to customer service balanced with security.

    We operate under a standard image architecture with updates and patches pushed out across the enterprise. Proxy servers are a necessary evil, but we are very reasonable on our block lists. (North Korean sites are discouraged along with eBay...) This is for our unclassified network...

    We learned the hard way too. Our first generation of machines were issued with padlocks on the cases and no CDROM drives...

    Our IT system never compromises operations for security, and it never has to. Your IT staff may need a bit of fresh air, a few customer-centered workshops, and maybe some field trips to see how others work.

    I feel your pain and wish you the best.

    ay