Slashdot Mirror


Do You Allow Webmail Use on Your Network?

rtobyr asks: "I don't allow users at my organization to use any third party e-mail. When users complain, I point out that we can't control the security policies of outside systems. End users tend to think that big business will of course have good security; so I ran a test of the 'Big Four': Hotmail, Yahoo Mail, AOL/AIM Mail, and GMail. Yahoo Mail was the only webmail provider to allow delivery of a VBS script. GMail was the only provider to block a zipped VBS script. End users also tend to think that a big business would never pull security features out from under their customers. Of course, we know that AOL and Microsoft have both compromised the security of their customers. I don't know of any security-related bad press for Yahoo or Google. Three of my Big Four either allow VBS attachments or have poor security track records. So, if you are a network administrator, do you limit your users' ability to use third party e-mail, and if so, do you allow for GMail or other providers that you've deemed to have secure systems and reputations?"
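
An added example, not part of the submission or any comment in this thread, showing the kind of attachment check the submitter tested the providers against: it flags script attachments by extension and, unlike the providers that passed a zipped VBS, also looks inside ZIP attachments. The extension list, function names and the sample message are constructed for this illustration.

```python
import io
import zipfile
from email.message import EmailMessage

# Extensions treated as executable script content (constructed, minimal list).
BLOCKED_EXTENSIONS = {".vbs", ".vbe", ".js", ".exe", ".bat", ".cmd", ".scr"}

def is_blocked_name(name: str) -> bool:
    return any(name.lower().endswith(ext) for ext in BLOCKED_EXTENSIONS)

def zip_members(data: bytes) -> list:
    """Member names of a ZIP payload, or [] when the bytes are not an archive."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return zf.namelist()
    except zipfile.BadZipFile:
        return []

def find_blocked_attachments(msg: EmailMessage) -> list:
    """Return names like 'file.vbs' or 'archive.zip:member.vbs' for each hit."""
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        payload = part.get_payload(decode=True) or b""
        if is_blocked_name(name):
            findings.append(name)
        # Inspect archive contents whatever the declared name or MIME type,
        # since renaming a .zip does not change what is inside it.
        for member in zip_members(payload):
            if is_blocked_name(member):
                findings.append(f"{name}:{member}")
    return findings

def build_sample_message() -> EmailMessage:
    """Constructed sample: a bare .vbs, a .vbs inside a .zip, and a harmless PDF."""
    msg = EmailMessage()
    msg["Subject"] = "constructed sample"
    msg.set_content("see attachments")
    msg.add_attachment("' constructed placeholder, not a real script",
                       subtype="plain", filename="invoice.vbs")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("payload.vbs", "' constructed placeholder")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="archive.zip")
    msg.add_attachment(b"%PDF-1.4 constructed", maintype="application",
                       subtype="pdf", filename="report.pdf")
    return msg
```

Running `find_blocked_attachments(build_sample_message())` reports both the bare script and the one inside the archive while leaving the PDF alone.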

14 of 487 comments

  1. Squirrelmail by FreakyGeeky · Score: 3, Interesting

    Where do you work? I'd like to know so that I do not inadvertently apply for work at your company.

    Then again, I'm sure you've addressed all of your company's really important network concerns first before moving on to this. Or, maybe you were sure to restrict all of the workstations such that no one can change their desktop wallpaper and things like that.

    Which webmail system do I use while at work? I use my own squirrelmail installation. I bet you'd really hate that!

  2. Given Google's Push to the corporate desktop by Earl+The+Squirrel · Score: 1, Interesting

    I've been part of the Google Beta testing for hosted e-mail (for my own domain) and also been part of the testing for the Google Apps for businesses. During that time, I've not had any issues with spam nor malware mail. Given Google's intent to host small businesses, I strongly suspect that they will pay close attention to security issues, esp. on their e-mail service. I've been pleasantly surprised as to how well their spam filtering works. My wife also has noticed that spam has pretty much gone away. You can access your e-mail both on the hosted site, and at least via a POP client, so you could possibly insert additional security on the POP client, but give folks access to a web version of the e-mail as well.

  3. Where I work... by DRAGONWEEZEL · Score: 2, Interesting

    The big Net Admins in the sky tried to block web based e-mail from Comcast, Aol, G-mail, Hotmail, Yahoo, etc... then all the physicians freaked out and got pissed enough for them to change it back. Or at least that is the story I was told...

    --
    How much is your data worth? Back it up now.

  4. Stupid by dedazo · Score: 4, Interesting

    I work at a very large company that allows unrestricted access to any webmail provider. Let me repeat that: You can use any webmail provider you want from within their network. So long as you use their proxy (obviously).

    What's their secret? They take care of preventing stupid users from downloading crap themselves, meaning they scan at their proxy and/or firewall boundaries (I'm not a network admin here so I don't know exactly how it works).

    This has been the policy for at least five years and they've never had a single problem. Never.

    If a large financial services company can do it, I don't know why everyone else can't either. So you're asking the wrong question - instead, ask "how can I provide a better service to my users by allowing them to access their webmail and also maintain my network security?"

    I've worked at companies that either completely or selectively block webmail access. Nothing personal, but you and other network admins like you suck rocks as far as I'm concerned. Trusting or distrusting the webmail provider because they do X or Y is supremely stupid because you're basically bending over for them and waiting for the inevitable vulnerability to show up. What, are you going to go to your CTO and say "well, I didn't trust Microsoft and AOL, but I thought Yahoo was OK! It's not my fault!"?

    You should know better and you should do better. If you can't, just block all webmail and stop complaining about what other companies do or fail to do. It's your network and your responsibility.

    --
    Web2.0: I love when people Flickr my cuil and digg my boingboing until my google is reddit and I start to yahoo

  5. It's my job... by Anonymous Coward · Score: 1, Interesting

    ...like it or not to help protect my users from themselves. In that spirit, as part of my security practices, I run heavy antivirus and antispyware on the firewalls in order to facilitate safer webmail usage by my users. Sure, I could (legitimately) mandate no web mail as policy or simply be a jerk and disallow it, but I *try* to see technology as an enabler. It's a better situation: users get home/private mail access and I get a reasonably secure network. A bonus is that users see IT as helpful instead of "those jerks who won't let me at my Gmail account." This may not work for others for technical, political, or ideological reasons, but it's pretty good for us...

  6. Comment removed by account_deleted · Score: 4, Interesting

    Comment removed based on user account deletion

  7. Re:For business or personal use? by Knara · Score: 4, Interesting

    Background: I've worked IT full/part time for about 10 years now (geez) from desktop to network admin to site managing.

    Statement: In my experience the number of network admins that have the ability to adequately and competently run a network that both allows computing freedom (in reference to how you are saying) and is secure is very small.

    I'd also note that I've seen this setup work a lot better with Universities than with corporate environments. Mostly because, insofar as I can tell personally, the network/systems admins/engineers are more concerned with enabling safe but wide-ranging activities in the university environment, as opposed to the corporate environment, where anything not expressly allowed is forbidden.

  8. Re:How? by hazem · Score: 3, Interesting

    Simply have a policy that states "email services outside of the control of this company are not to be used for business correspondence". Seems simple enough.

    Except some people may NEED to do just that because of the stupid rules set up on the company mail servers.

    For my work, I deal with a developer in another state and we have to exchange large files. From inside our network, I have no way to ftp/ssh into his company servers to transfer the files. So, e-mailing is the only option. Our e-mail servers won't allow attachments that large.

    So, we use gmail. It's not elegant, but we can easily send the files we need back and forth and actually get our work done.

    Oh yes... our IT people are the same totalitarians you find everywhere (I used to be an admin, and back then, we actually tried to help our people do their jobs, not inhibit their work). So, they won't adjust the rules of our mail servers, or provide a way for me to connect to the other company's computers and transfer the files.

    So there it is... IT's motto is "IT at the speed of business", but the reality is "business crawling at the bureaucratic speed of IT". It's like they believe that they are the revenue generating portion of the company and that the rest of the company exists to serve IT.

    Sadly, that view is all too common.

  9. Re:vague regulations by evought · Score: 2, Interesting

    This was a real problem early on with the Clean Air Act and Air Quality Monitoring regulations as well and still is depending on what state agencies you have to work with. Like SOX, company officials must affirm that the data they submit is true and accurate and that they are in compliance when there is often significant disagreement over the meanings of terms, measurements, calibration practices, data collection, fraud prevention, and "compliance". Over time, standards for behavior develop and give companies some cover. From what I have seen, showing attempts to work with the regulatory agencies and seek clarification, whether successful or not, shows good faith, and beyond that, adhering to industry standards or seeking independent certification. Sometimes regulatory agency refusal to play nicely and provide guidance goes badly for them in court and forces them to change, but it takes time and persistence on the part of regulatees.

    HIPAA seems to be similarly vague in many places and I would imagine fault will most likely be decided by a jury after-the-fact with "benefit" of hindsight.

    It is an interesting process to watch but no fun to be a part of. What is distressing in the AQM industry from what I have seen/been told is the number of company officials who depend on contractors to work the process for them and sign on the bottom line without understanding the process or doing any checking themselves even when advised by the contractors that they are personally liable. Managers do not want to understand scientific process, regulations, or data security, they just want it "taken care of".

  10. Wow, nobody got it. by zero1101 · Score: 1, Interesting

    Tons and tons of missing the point here. The major concern about webmail is not that it's a vector through which computers can become infected with junk. The concern is mostly that it's a way for information to leak out of the company, and that there's no way to control whether it conforms to company security standards, policies, etc. A couple of posters did mention this, but seemed to approach it from the angle of "if someone wants to leak information, there are a hundred other ways to do it." These are obviously not IT security folks... those of us who deal with these issues on a daily basis know that the clueless users are just as dangerous, just by force of numbers, as any malicious ones. I am FAR more worried about confidential data being emailed to or from a Yahoo account because a user "likes it better than Outlook" or something than I am about deliberate theft. If we lock down webmail access, we are drastically reducing our risks from these sorts of incidents.

  11. Re:How? by bushki3 · Score: 3, Interesting

    You are absolutely right about that view being too common.

    I have extremely strict rules set up on my network. I am pretty sure that the only one that hasn't been broken (with my authorization) is the pr0n rule.

    I constantly take shit from other admins who pride themselves on being an ass about their rules, but I have found that the best way to get business done is for every rule to have an exception.

    All webmail is banned, blocked, filtered, and otherwise prohibited on my network. However, there have been times when it was "necessary" and has been allowed. Times like family medical situations, when one of our employees' mother-in-law was near death and the only information he was receiving was via webmail. I could have been a dick and said "sorry, that's against company policy", but I pushed authorization through management channels and got him his webmail so he could focus on work, knowing that he wouldn't miss the important email about his family. This particular gentleman is now the General Manager of the office, and I am still just as mean to him as I am to everyone, with his full support, because he knows first hand that I am aware of when the exception should be invoked.

    So, my response to the question at hand would be Yes, and No. Hope that helps clear things up for some of the young admins who are teetering on the decision of allowing exceptions, or not. You don't make the company money, you make it possible for the company to make MORE money in LESS time. Do your job and increase user efficiency, don't be an ass.

    Speaking of efficiency, I feel refreshed after this brief visit to /. so I think I'll go find some websites to block from my users!!!!!

    --
    011100110110100101100111

  12. Re:Security makes me sad. by Anonymous Coward · Score: 1, Interesting

    And would you recommend that somebody who is relatively new to the workforce look for another job?

    Yep. If you begin your career under the misapprehension that your employer owns your soul, your heart, your mind, or anything other than the work you're being paid to do for them, it's very likely that your career will end the same way. Not something I want to look back at from my golden years.

  13. What we do by Goofy73 · Score: 2, Interesting

    Our company policy is this: company resources are to be used for business purposes only. Now having said that, everyone knows that people use it for personal things. Nobody has a problem with that so long as it doesn't interfere with performing your job and isn't considered offensive.

    In our department, we try to balance security and convenience. We don't block webmail, etc.; however, all the traffic is proxied and logged. Executable type code is not permitted to be downloaded. We keep all the clients up-to-date on patches, virus signatures, etc. to help minimize the risks.

    We also do try to educate our users a bit. We hold "mini-classes" where we cover a topic or two (people can make requests). We try to keep them short and have them early in the morning or after general work hours. They are completely optional and we get a good turnout (60% to 70% depending on the topic(s)). People learn a little bit that can help them either at work or at home. I do most of the work to organize this over a lunch or two, it costs the company so little, and it helps everyone. Hell, the executives attend most of them, partially because they support it and because they too learn a little.

    This approach works very well for us.

  14. Re:Right Choice, Wrong Reasons by shaitand · Score: 3, Interesting

    But there it is, if it is work related email then it is not part of your private life. If it is not work related then you shouldn't be sending or receiving it while at work.