A sensible security policy for 2.0 times

At NTNU Library we have a relatively restrictive security policy for our computers: managed clients. These clients are managed to the extent that a typical user cannot even add a printer. Adding any software is not allowed, with the exception of things that do not a) change the Windows registry at a deep level, or b) require you to change resources anywhere outside your profile. In the days of yore, when we had IT people in the same building, this used to work; now all IT is outsourced. IT doesn’t ork (pardon the pun).

I’ve experienced a lot of security policies in my time (working for a small limited company, a massive European and then an American concern, and now the public sector), but one thing has typified relationships with IT services: us against them. IT is not interesting; it’s a set of tools. A hammer is only interesting when someone needs to hammer in a nail. In the same way, IT has no value beyond what the users need; any other conception is misguided.

The current security policy, as it stands, denies users the possibility of doing their job in the best possible way. Times are changing so fast that we cannot wait for the IT services to get around to creating an MSI image and rolling it out. Nor does everyone have exactly the same needs (isn’t it peculiar that the IT people should think this in the first place?), because they all do different jobs — yes, even the people who have the same position title.

The funny thing is that this security policy is no different from anywhere else I have worked, except the small limited company*. Why? It’s simple: Microsoft Windows. Microsoft Windows is an operating system for a personal computer, i.e. not a network computer. Windows wasn’t designed to be connected to the web — the big network — because it was invented before the web really took off. And this lack of network-savvy hampers IT services in doing their job: helping us do our job.

The reason is that IT security has become about stopping viruses (and, to a lesser extent, hackers) from doing their job. One of the major problems facing IT is that the Microsoft Windows infrastructure is monolithic; there is no way of limiting damage to where the user is: if the rot gets in, it gets in. Now Vista does go some way towards solving this by asking whether you really want to do X because it may result in Y, but this doesn’t really cut the mustard. It is probably the most effective way of hindering unwanted software from doing its worst, because a human is a better judge of what is an allowable action than a computer, but no-one can really be bothered doing that job. In any case, we don’t use Vista, we use XP (and I suspect that our Vista will be equally locked down, because the IT people don’t trust Microsoft’s ability to patch the built-in insecurities).

So the IT people are afraid, but what to do? Simple: drop Microsoft Windows and insist on a solid, network-savvy operating system (there are enough of them out there). Let the user have control of their user area, while the IT services control the core system. This is the typical policy on any UN*X-alike system, and it’s a successful one. The user does know best, and in the unlikely event that their home directory gets hosed, so be it: that’s why you were taking backups.

* They had no security policy; it was anarchy. But they weren’t running Windows, so it was OK (they dropped Windows after an Outlook virus spread itself to our entire customer base).
