An SOE comedy of errors

PortableApps as a guerilla SOE

By Rick Jelliffe
February 3, 2010 | Comments: 6

After yesterday's blog on SOEs (The problem with Standard Operating Environments), a friend told me about 'her' adventures working at a multinational manufacturing company (I haven't asked its name!). She is a technical sales engineer, so her job involves very large drawings, and she is just as often working from the client's site as she is working from the branch office or at home. The SOE provides a VPN.

Over the years, the IT section has been pro-actively trying to improve security, to lock the system down, and keep commercial information safe. However, these steps also prevent the engineers from getting their jobs done, so they are all circumvented. The more that the official, central SOE is locked down, the more that the remote users have banded together to make their own unofficial SOE that doesn't get in the way.

  • First, it was decided to encrypt all laptop hard disks. And that they should be backed up over the VPN to central office. My friend did this once, but it was painfully slow over the VPN. Her disk did crash, and she then found the central office couldn't actually restore the encrypted disks. So now she backs up privately to a USB drive. Unencrypted, unmanaged. Big improvement!
  • Next, it was decided to add better passwords to the ERP and accounting systems. Again, people could not do their jobs, so everyone in the office pools their passwords. Now everyone can access almost anything, and the logging records are meaningless. Another big improvement!
  • Next, it was decided to remove the provided Web mail interface, for security purposes. However, the VPN being too slow, the engineers got Yahoo mail accounts and mailed their drawings to clients that way. Because they were not allowed to load their own software onto the secure SOEs of the laptops, they used memory sticks with Firefox and IrfanView installed. This spread from engineer to engineer: the result is that the engineers have made their own unofficial SOE loadable from the memory sticks.
  • Why IrfanView? The SOE had an old official program for displaying drawings, but it did not actually cope with recent data formats. My friend could not even scan her own technical drawings in to her computer. So off she went to PortableApps.com and loaded IrfanView from there. And now she can hook up her own peripherals.
  • The SOE included access to an ERP system, from a big three-lettered company. However, if they want to do things like sorting information in a certain way, they have to request a programmer to get it done. (I am not saying that is a necessary limitation of the ERP system, but it is certainly what the engineers have been told.) So the result is that many of them use private databases (Lotus) to get the sorting and reporting. (It is the story you hear with private use of Access databases too.)
  • And here is my favourite. The company provides a large sensitive list of information to its sales and technical people. In order to prevent it from being read by competitors, it is in a password-protected PDF file with watermarks and cut-and-paste disabled. So the engineers, because they need to cut-and-paste to make up their documents (re-typing the information being a lengthy and error-prone procedure), do this:

    • they open the PDF document in Acrobat Reader and save as XPS,
    • they open the XPS in Microsoft's XPS reader and save as unencrypted PDF,
    • they open this PDF in Acrobat Reader and they can cut and paste to their heart's content.

Basically, whatever the central IT department does in the name of providing security is immediately circumvented in the field in order to get the job done. The field engineers are just as smart as the IT engineers.

The lesson I draw from this is that security is being treated by the central IT as a technical problem to be solved bureaucratically. But it is not a technical problem; it is a human problem: the central IT people are failing to engage their users, and getting in the way of them completing their tasks. The more that an inadequate SOE is imposed, the less that it will actually be used: how else could it be?

Now of course you can say that it is the engineer's job to fulfill company policy. But it is the IT security people's role to be effective: it is what they are being paid for.

The PortableApps website actually calls PortableApps a platform, which is very sharp of them. In my friend's case, it is the SOE that the users themselves have chosen, with modern, free, open, best-of-breed software.

The ability of technical users to completely circumvent imposed SOEs in the name of doing their work surely has a flipside: in the same organizations there must be non-technical users who are actively prevented from doing their work because of imposed SOEs made with the same inability to capture user requirements.

Once you say "We must have a Standard Operating Environment" without user engagement, this opens the door first to single source purchasing (surely they will all fit together better and we will save money licensing) and thence to deals made over drinks at the golf club rather than on detailed technical rationale.

The ethos of engineers is problem-solving: pushing through whatever obstacles are in their way. If you had an engineer who didn't attempt to circumvent what they regarded as bogus security measures, imposed without consultation and an obstacle to doing their job, you probably would sack them for not having a can-do attitude, or for shifting the blame!


6 Comments

The first company I worked for had an SOE. I ended up using the portable Firefox from the PortableApps.com website which made me happier and allowed me to do my job better.

Fantastic story, and very true.

About the 'protected' PDF:
Users get very upset when a piece of software seems to be able to do something, but doesn't offer it, or gets in the way of offering it (like being able to copy-paste).
A lot of these 'protections' are really infuriating users and as a result are pushing them towards trying to circumvent things they feel are unacceptable behavior of the app (DRM is another good example).
It's human nature.

The SOE experience is just a symptom of a much larger problem with corporate IT.

When an IT organisation creates a significant amount of rigour and process around the development and maintenance of the "systems" it maintains, the more "critical" the "UNOFFICIAL" IT systems become to the business. How many businesses rely on the data stored in a myriad of Excel spreadsheets? I have spent a reasonable amount of time working with "business units" in companies on trying to get IT engaged to solve their problems in a reasonable timeframe. There is a distinct possibility that businesses will embrace cloud hosted solutions as a substitute for the "offerings" of their IT organisations.

Bill: Interesting comment. Are you saying that you think a natural market for cloud computing is to provide the necessary ad hoc peripheral infrastructure of an organisation, rather than the centralized infrastructure?

Since the cloud brings with it (one hopes) advantages like access, security, grunt and backups, the cloud could be a sweet spot between over-managed and under-managed?

My comment about using cloud based solutions wasn't about infrastructure but the opportunity for "agile solutions vendors" to deliver solutions to the business units that corporate IT departments cannot because of their inability to respond to help business units address issues and opportunities in a timely manner.

There is an opportunity to provide professionally built software (i.e. designed, tested and deployed) for problem spaces where the cost of software is less than the cost of producing a business case (i.e. within the discretionary spending authority of a business manager). The major challenges are in establishing a low cost (per project) effective governance framework.

"The lesson I draw from this is that security is being treated by the central IT as a technical problem to be solved bureaucratically."

I see this every single time an exec or VP steps in when we're deciding on hosting and security plans for a website project at our web design shop. They use their authority to make decisions about things that are outside of their realm of expertise. To say it's frustrating is quite an understatement.

Nice post!