A recent survey assembled by RSA and IDG on the “hyper-extended enterprise” highlighted the challenges enterprises face as they move at light speed into the new applications landscape and two points stuck out. The first point was that enterprises need to rework their acceptable use policies and the second is that users need to be educated on that policy. This got me to thinking (dangerous, I know) that applications are like dogs. Here is how I came to this analogy.
I like dogs. Preferably big, active, smart dogs. So it stands to reason that I would like the American Staffordshire Terrier, a recognized member of the Terrier Group according to the American Kennel Club (AKC). Never heard of this breed? Maybe you’ve heard of a Pit Bull – a breed that can strike fear into many people because of the highly visible nature of their attacks. Ask any dog trainer or avid dog lover and they will tell you that there are no bad dogs – merely bad dog owners. Bad dog owners who mistreat the dogs, train them to fit, follow improper breeding practices and so on. Sure, this is open to debate and this is not the forum for such a debate.
Let’s look at a couple of examples of how applications are like dogs.
P2P: The underlying technology was developed back in the early days of networking as a means of moving large files by harnessing unused computing resources. The premise still works today in commercially available applications like BitTorrent, Gnutella and many others. Everyone know that the rap against P2P that they are used to illegally share files. Worse yet, many of the largest data breaches were the result of improperly configured P2P applications. Yet properly configured and used by say, IT, P2P is a very powerful tool. See the relationship here? Employee records do not naturally migrate to a P2P network. MarineOne blueprints are not stored on a P2P network. Users are the ones who are sharing the files. Users are the ones who failed to properly configure the application.
TOR (The Onion Router): Developed by the US military to encrypt spy and covert operation communications and is now in the public domain. Not only is the message encrypted, it uses other TOR nodes to send the data, finally being assembled by the intended recipient. The advantage here is that no one node has all the data so intercepting it is of little use. In an oppressive regime, TOR is an invaluable tool and it is recommended by several human rights organizations as a tool to communication with the outside world. In the hands of an employee or student, TOR is a black hole that acts as an avenue for threats (inbound) and data leakage (outbound). Again, the application is not acting on its own. It is acting on the commands of the user.
Ok, P2P and TOR may be extreme cases (and easy pickings). Let’s see how social networking applications like FaceBook and MySpace hold up to the analogy. Both applications are designed to keep friends, colleagues and family updated on what’s happening. An admirable goal to be sure. Yet social networking has been invaded by malware writers who prey on users who do not think before they click. Case in point, a friend received a FaceBook update from someone they thought was a friend – the update had a URL in it. So you guessed it, they clicked it. Bad user! The PC is infected with malware.
I challenge you to take any application and put it to this test. My guess is that more often than not, you will come to the same conclusion. There are several points to my ramblings.
Applications are not threats. The threats are from what the users do with them and the content that is transferred. If enterprises treat applications as threats, several things may occur:
1) The CEO may be the one using the application which may result in a quick termination.
2) The application in use may be benefiting the bottom line, so why stop it.
3) Today’s employees expect to be able to use many of these types of applications, so blocking them may reduce the ability to attract new employees. (No bad dogs, remember).
IT must become business enablers. The application landscape is moving more rapidly than ever before and it is an understandable challenge for IT to keep up. But somehow they need to determine what applications are on their network and then analyze the risk and weigh it with the business benefit. If the trade-offs are positive, then the use should be documented as part of the appropriate application usage policy. (IT needs to train the users dog owners).
Educate users on the appropriate application usage policy. When we ask companies (IT guys) what their appropriate application usage policy is, they tend to laugh, or ask “what policy” or worse yet, say we do not have one. Many of our customers are using our solution to achieve the two previous points and in so do, make their application usage policy a living, breathing document that is reviewed on a regular basis, as users try new applications. Just like dogs will continually learn what the master allows and press for more, so to will users.
Thanks for putting up with me.