Will the user define security policies in the future?
I think, I blogged about this event already earlier: Years ago I was meeting a customer and was talking about the future of IT. I was telling the audience (about 10 people including the Security Officer) that there is a good chance that IT will not define a set of hardware anymore but that the user will buy their own and use it for business. Additionally, different people have different ...
Get off XP or Risk your Business?
One of the highest hit rates I ever had on my blog was one I wrote right before Conficker broke out. I called it Playing Russian Roulette with your Network. The background was, that we released an out of band security update and our customers came back and asked us, whether they really shall deploy it – this situation then led to Conficker.
About 12 months from today, Windows XP will ...
Security in 2013 – the way forward?
Typically January is the month where we are asked to make predictions on the trends for the New Year. I do not like this as I am an engineer and not a fortune teller. But there are things we know and things we definitely need to drive this year. I would actually put it into the context of typical hygiene of any IT environment.
Let's try to understand, where we stand ...
The Directory in the Cloud?
It seems that it is an eternity ago – and it is. Pretty much three years ago, Doug Cavit and I published a paper called the Cloud Computing Security Considerations. Even though it is three years old, the paper is still worth reading as the content still applies. What we basically said was that, if you look at the Cloud, there are five areas of Considerations:
Compliance and Risk Management: Organizations shifting ...
Blocking Social Media – What is Your View?
By Roger Halbheer, on January 31st, 2011
If you are reading my blog posts regularly, you might have seen that I am not a big friend of blocking social media at the edge. When I talk with customers about why they are blocking it, I usually get these types of answers:
- People are spending too much time playing games on Facebook: This, to me, is a management problem and not a technology problem and should be addressed accordingly.
- We are afraid of malware: This makes sense to me. The question is whether this is limited to social media or, better, how much you can really reduce the risk of a malware attack by blocking social media.
- We are afraid of information leakage: Interesting. Steve Ballmer was once asked why Microsoft applies such an open policy when it comes to social media and whether he is not afraid of information leakage. His answer was that he lets people talk to media and customers as well and that the risk is not much higher. Well, this is probably not true anymore, but fairly often, when it comes to internal events, people are reminded that this information is not to be tweeted or blogged. It works well, and where it does not, administrative processes might have to be invoked.
A modern company today most probably has to use social media to position itself. So, we are kind of caught between two angels. I would really like to understand your view on this:
- Why do you think that blocking social media is good (or bad)?
- What are the risks you are trying to address?
- If you block, how big do you see the risk of users trying to get around your filtering mechanisms?
Let’s start a debate here; I want to learn from you.
Roger
Blocking access on a company PC only prevents use on company-owned machines; many employees will now have this access via other methods (smartphones, own laptops etc.), so it’s not really going to stop them. It’s like moving the smokers to their own shelter – you can’t stop them, just make it more difficult.
I think social networking and instant messaging is the key to building great networks both personally and professionally. If you can’t access your network then you are limited to the knowledge you have within your company, which might not be enough to succeed in future.
I like your view, where you consider social media a management problem, not a security problem, that should be handled as such. The barriers between our social life and work life are eroding, as people bring their social life to work (and check their work e-mail after work). If management treats social sites as a security risk, they can use their administrative control over the network to block the most popular sites. In my view that just cures the symptoms but does not address the underlying problem, which will persist.
Blocking social sites (and newspapers) will lead to somewhat more work and less “goofing around”, but it will increase boredom, and more importantly from a security standpoint: It will teach users who really want to use facebook to go around the blocks, use proxy sites, create methods to evade detection and so on. Forcing users to enter their credentials into proxy sites might make them victims of man-in-the-middle attacks and so on.
I would also argue that as time goes by, blocking sites will be more or less useless. Blocking sites now starts in schools, where the incentive to go around blocks is high, the punishment for evading blocks is small, and any methods to avoid blocks will spread like wildfire. So when these people enter the workforce they will evade blocks as easily as normal surfing.
So to finish: Instead of treating their employees as responsible people, management treats the problem but not the underlying problem. Management is therefore creating a “fight” against their employees, a “fight” they cannot win.
I like your opinion too and heard it for the first time at the PREMIER ALPS in Munich last year. I was sceptical then, but I changed my mind after your presentation.
We as IT face more and more the need to fix problems that result from poor management decisions and a lack of user policies and auditing of these.
Also, we in IT sometimes think it is our duty to evaluate the productivity of our users and tend to filter, for example, unwanted media files in e-mail and try to block certain “funny” sites to make them focus on working, right?
Well, it is not up to IT to decide if a user is working efficiently or productively. It is his manager or group leader who needs to do so. Sooner or later it will come out if someone isn’t performing well, and consequences will follow.
I agree that blocking social media sites doesn’t solve the problem. Dealing with them in the wrong way, however, can cause more damage for IT and for the company itself. Nowadays I am more of the opinion that defining policies to deal with these kinds of media and letting the user sign these policies makes more sense. (Also, in case something happens afterwards, my experience is that it helps a lot to have something written in hand, especially when the people violating the policies are in higher management positions.)
What we can efficiently do is limit the risks that come with being “social”. There is no 100% protection anyway, and being aware of the risks and having backup plans in place lets me sleep a little better. WHY? Well, at least if people use our “known” channels to do their socializing online, we have more control than if they did so by overcoming our security measures, right?
Everyone in IT knows for sure that certain users have other means to connect to their favorite social media and some will even investigate and find some ways around security to finally do and gain what they want during worktime.
In the end it all comes back to risk management and internal auditing I think.
Wow, I am a little bit proud, but it was a great event, especially the breakout afterwards!
I think I did not mention one important thing, which is that a current state-of-the-art company wants to leverage social media as a communication channel…
Maybe we meet again at the next Alps event (if I am invited again).
Roger