Two recent events involving my children may hold some relevance for those of you who toil to protect users and corporate data from the dangers of the outside world. Not that I'm suggesting that your users are children per se. But mine are.
Like many of you, I treat my home environment like a miniature version of the larger, more managed environments we typically see at work. I have a domain and a Windows 7 workgroup, portable and desktop computers, mobile devices, connected entertainment devices, printers, and users—in this case my wife and kids. I'm the overlord of this environment, and I like to set things up to require a minimum of hands-on attention.
I have two stories to tell. One speaks to the positive effects of empowering and trusting users. The other speaks to the dangers of the consumerization of IT and of putting too much trust in common sense. Is there a single lesson to be learned here? Perhaps. But if you can learn from my mistakes at the very least, please do so.
On the more positive note, I've always felt that securing Windows was a far simpler task than many make it out to be. For years, I've argued that Microsoft should simply include antivirus/anti-malware in Windows, closing off the only major functional security hole in the product. Instead, Microsoft has evolved its basic security offering, now called Microsoft Security Essentials (MSE), into a free product for individuals. And it has created a number of useful (but not free) security products for businesses of various sizes. The latest of these, Windows InTune, is a managed cloud service that is currently in beta and due for final release in early 2011. I'm using it to manage many of the PCs in my home environment right now. It's my kind of management solution, with a set-it-and-forget-it, hands-off vibe. It just works.
The client security components in InTune are based on MSE, which one could argue is pretty much the minimum when it comes to protecting a Windows-based PC. And yet, it's been enough. My kids' computers, still on MSE, and the other PCs in the house, based on InTune, have never succumbed to an electronic threat of any kind. In fact, I just performed a regular check of my kids' PCs late last week. For two kids that spend a lot of time watching videos on YouTube, playing Flash-based games online, and chatting with friends on Facebook, their PCs are notably devoid of issues. They were perfectly clean, as they've always been.
This is amusing to me because my kids are 8 and 12 years old. You may have heard about the ZD blogger who, in late April, announced he was compromised via Facebook and forever banishing Windows to a virtual machine. He said he would run Linux as his primary OS going forward because Windows was no longer safe "due to the constant threat of malware."
I'm not saying that Windows isn't under constant attack. Of course it is, because it's the primary computing platform on the planet, with a usage share of more than 93 percent. But if my kids can use the Internet every day, successfully and safely, I'm curious to know why this guy can't. And while I've often said that basic security controls plus an iota of common sense should be enough for most people, my kids have no common sense at all. And their PCs, again, are completely clean and have been for the past year.
I was pretty proud of my kids on Friday. Unfortunately, they are kids. So it only took another 48 hours for me to realize that my pride was misplaced. Checking my email on Sunday—like many of you, my schedule has no understanding of weekends or pseudo-holidays like Father's Day—I was surprised to see a number of emails from Apple's iTunes Store. Uh-oh.
The first one was for $159.36. Then one for $180.57. Two more for $159.36. Then one for $172.08. And another for $53.11. All told, more than $880 had been charged to my debit card, so the money had been removed directly from our checking account.
Looking over the charges, I discovered that they were all due to in-app purchases from some iPhone/iPod touch game I had never heard of. My kids, upstairs tapping away on an iPod touch, had somehow managed to rack up these charges "buying" in-game trinkets that they assumed were free, using pretend money. (The game itself was free.)
Long story short, Apple amazingly reversed all the charges after a frantic phone call. (In fact, they were notably gracious about this.) My kids were given the Fear Of God speech. And the iPod was locked down using some built-in Restrictions controls I had never really paid much attention to before. Yes, the barn door was finally closed.
What this second episode triggered in me was a reevaluation of the recent trend in the consumerization of IT. This is a big deal these days. It's something that Windows IT Pro readers have seen and something that Microsoft has seen as well. In the past, IT was able to restrict the entry of consumer devices and technologies into the workplace. But with consumer technologies racing so quickly ahead, workers are now expecting access to the same technologies and capabilities at work that they have at home. And increasingly, IT departments are simply caving, either due to cost concerns or because they're simply overworked.
The most obvious (and personally painful) example of this is the iPhone. A few years back when Apple first introduced the iPhone, CEOs and other executives started demanding that they be able to use it, even though it wasn't manageable in any meaningful way (unlike smartphones running traditional software such as Research in Motion's BlackBerry and Windows Mobile). And as iPhone usage grew, more and more users began demanding the devices as well. (To be fair to Apple, the iPhone has steadily improved its IT readiness. This is just an example.)
Today, many companies simply allow users to use whatever smartphone they prefer, and many companies are "saving money" by letting them use their own phones. Often there are only minimum requirements (e.g., being able to access the corporate Exchange account) that have little, if anything, to do with security. This trend might ultimately prove disastrous. The corporate version of $880 in MasterCard charges is the employee who, unknowingly or not, plugs in an unprotected USB device, copies corporate data onto it, then goes out into the world and loses the device or hands it over to a nefarious party. I can't afford to lose $880, and I'm guessing your business can't afford a similar type of loss either.
Is there a lesson to be learned from this? Maybe so. When it comes to protecting corporate resources, the minimum is often enough. But our understanding of what that minimum is needs to be adjusted. Given the proper level of security, users should be able to function, get their jobs done, and feel empowered. But some level of constraint is still required. Finding that balance is the goal. And it's one that I'm still struggling with as well.