The delicate balance between IT security, supportability and usability

There is a delicate balance between IT security, supportability and usability. Just like the project management trilogy of fastest time, lowest cost and highest quality, you cannot have all three. Or can you?

Take, for example, a fictitious company with an IT-savvy user who has a business requirement to run non-standard software on his (company-supplied) notebook PC. This guy doesn’t expect support – at least not in the sense that the local IT guys will resolve technical problems with the non-standard build but he does need them to be able to do things like let his machine access the corporate network and join the domain. Why does he need that? Because without it, he has to authenticate individually for every single application. In return, he is happy to comply with company policies and to agree to run the corporate security applications (anti-virus, etc.). Everyone should be happy. Except it doesn’t work that way because the local IT guys are upset when they see something different. Something that doesn’t fit their view of the normal world – the way things should be.

I can understand that.

But our fictitious user’s problem goes a little further. In their quest to increase network security, the network administrators have done something in Cisco-land to implement port security. Moving between network segments (something you might expect to do with a laptop) needs some time for the network to catch up and allow the same MAC address to be used in a different part of the network. And then, not surprisingly, the virtual switch in the virtualisation product on this non-standard build doesn’t work when connected to the corporate LAN (it’s fine on other networks). What is left is a situation whereby anything outside the norm is effectively unsupportable.

Which leaves me thinking that the IT guys need to learn that IT is there to support the business (not the other way around).

Of course this fictitious company and IT-savvy user are real. I’ve just preserved their anonymity by not naming them here but discovering this (very real) situation has led me to believe that I don’t think company-standard notebook builds are the way to go. What we need is to think outside the box a little.

Three years ago, I blogged about using a virtual machine (VM) for my corporate applications and running this on a non-standard host OS. Technologies exist (e.g. VMware ACE) to ensure that VM can only be used in the way that it should be. It could be the other way around (i.e. to give developers a virtual machine with full admin rights and let them do their “stuff” on top of a secured base build) but in practice I’ve found it works better with the corporate applications in the VM and full control over the host. For example, I have a 64-bit Windows Server 2008 build in order to use technologies like Hyper-V (which I couldn’t do inside a virtual machine) but our corporate VPN solution requires a 32-bit Windows operating system and some of our applications only work with Internet Explorer 6 – this is easily accommodated using a virtual machine for access to those corporate applications that do not play well with my chosen client OS.

So why not take this a step further? Why do users need a company PC and a home PC? Up until now the justification has been twofold:

  • Security and supportability – clearly separating the work and personal IT elements allows each to be protected from the other for security purposes. But for many knowledge workers, life is not split so cleanly between work and play. I don’t have “work” and “home” any more. I don’t mean that my wife has kicked me out and I sleep under a desk in the office but that a large chunk of my working week is spent in my home office and that I often work at home in the evenings (less so at weekends). The 9 to 5 (or even 8 to 6) economy is no-more.
  • Ownership of an asset – “my” company-supplied notebook PC is not actually “mine”. It’s a company asset, provided for my use as long as I work for the company. When I leave, the asset, together with all associated data, is transferred back to the company.

But if work and home are no longer cleanly separated, why can’t we resolve the issue of ownership so that I can have a single PC for work and personal use?

Take a company car as an analogy – I don’t drive different cars for work and for home but I do have a car leased for me by the company (for which I am the registered keeper and that I am permitted to use privately). In the UK, many company car schemes are closing and employees are being given an allowance instead to buy or lease a personal vehicle that this then available for business use. There may be restrictions on the type of vehicle – for example, it may need to be a 4 or 5 door hatchback, saloon or estate car (hatchback, sedan or station-wagon for those of you who are reading this in other parts of the world) rather than a 2-seater sports car or a motorbike.

If you apply this model to the IT world, I could be given an allowance for buying or leasing a PC. The operating system could be Windows, Mac OS X or Linux – as long as it can run a virtual machine with the corporate applications. The IT guys can have their world where everything is a known quantity – it all lives inside a VM – where there will be no more hardware procurement to worry about and no more new PC builds when our chosen vendor updates their product line. It will need the IT guys to be able to support a particular virtualisation solution on multiple platforms but that’s not insurmountable. As for corporate security, Windows Server 2008 includes network access protection (NAP) – Cisco have an equivalent technology known as network access control (NAC) – and this can ensure that visiting PCs are quarantined until they are patched to meet the corporate security requirements.

So it seems we can have security, supportability, and usability. What is really required is for IT managers and architects to think differently.

Leave a Reply