After yesterday's blog on SOEs (The problem with Standard Operating Environments), a friend told me about 'her' adventures, working at a multinational manufacturing company (I haven't asked its name!) She is a technical sales engineer, so her job involves very large drawings, and she is just as often working from the client's site as she is working from the branch office or at home. The SOE provides a VPN.
Over the years, the IT section has been pro-actively trying to improve security, to lock the system down, and keep commercial information safe. However, these steps also prevent the engineers from getting their jobs done, so they are all circumvented. The more that the official, central SOE is locked down, the more that the remote users have banded together to make their own unofficial SOE that doesn't get in the way.
- First, it was decided to encrypt all laptop hard disks. And that they should be backed up over the VPN to central office. My friend did this once, but it was painfully slow over the VPN. Her disk did crash, and she then found the central office couldn't actually restore the encrypted disks. So now she backs up privately to a USB drive. Unencrypted, unmanaged. Big improvement!
- Next, it was decided to add better passwords to the ERP and accounting systems. Again, people could not do their jobs, so everyone in the office pools their passwords. Now everyone can access almost anything, and the logging records are meaningless. Another big improvement!
- Next, it was decided to remove the provided Web mail interface, for security purposes. However, the VPN being too slow, the engineers got Yahoo mail accounts and mailed their drawings to clients that way. Because they were not allowed to load their own software onto the secure SOEs of the laptops, they used memory sticks with Firefox and IrfanView installed. This spread from engineer to engineer: the result is that the engineers have made their own unofficial SOE loadable from the memory sticks.
- Why IrfanView? The SOE had an old official program for displaying drawings, but it did not actually cope with recent data formats. My friend could not even scan her own technical drawings into her computer. So off she went to PortableApps.com and loaded IrfanView from there. And now she can hook up her own peripherals.
- The SOE included access to an ERP system, from a big three-lettered company. However, if they want to do things like sorting information in a certain way, they would have to request a programmer to get it done. (I am not saying that is a necessary limitation of the ERP system, but it is certainly what the engineers have been told.) So the result is that many of them use private databases (Lotus) to get the sorting and reporting. (It is the story you hear with private use of Access databases too.)
- And here is my favourite. The company provides a large sensitive list of information to its sales and technical people. In order to prevent it from being read by competitors, it is in a password-protected PDF file with watermarks and cut-and-paste disabled. So the engineers, because they need to cut-and-paste to make up their document (re-typing the information being a lengthy and error-prone procedure), do this:
  - they open the PDF document in Acrobat Reader and save as XPS,
  - they open the XPS in Microsoft's XPS reader and save as unencrypted PDF,
  - they open this PDF in Acrobat Reader and they can cut and paste to their heart's content.
The lesson I draw from this is that security is being treated by the central IT as a technical problem to be solved bureaucratically. But it is not a technical problem; it is a human problem: the central IT people are failing to engage their users, and are getting in the way of them completing their tasks. The more that an inadequate SOE is imposed, the less it will actually be used: how else could it be?
Now of course you can say that it is the engineers' job to fulfill company policy. But it is the IT security people's role to be effective: it is what they are being paid for.
The PortableApps website actually calls PortableApps a platform, which is very sharp of them. In my friend's case, it is the SOE that the users themselves have chosen, with modern, free, open, best-of-breed software.
The ability of technical users to completely circumvent imposed SOEs in the name of doing their work surely has a flipside: in the same organizations there must be non-technical users who are actively prevented from doing their work because of imposed SOEs made with the same inability to capture user requirements.
Once you say "We must have a Standard Operating Environment" without user engagement, this opens the door first to single source purchasing (surely they will all fit together better and we will save money licensing) and thence to deals made over drinks at the golf club rather than on detailed technical rationale.
The ethos of engineers is problem-solving: pushing through whatever obstacles are in their way. If you had an engineer who didn't attempt to circumvent what they regarded as bogus security measures, imposed without consultation and an obstacle to doing their job, you would probably sack them for not having a can-do attitude, or for shifting the blame!