So Easy Even a Child Can Do It
Two recent events involving my children may hold some relevance for those of you who toil protecting users and corporate data from the dangers of the outside world. Not that I'm suggesting that your users are children per se. But mine are.
Like many of you, I treat my home environment like a miniature version of the larger, more managed environments we typically see at work. I have a domain and a Windows 7 workgroup, portable and desktop computers, mobile devices, connected entertainment devices, printers, and users, in this case my wife and kids. I'm the overlord of this environment, and I like to set things up to require a minimum of hands-on attention.
I have two stories to tell. One speaks to the positive effects of empowering and trusting users. The other, to the dangers of the consumerization of IT and of putting too much trust in common sense. Is there a single lesson to be learned here? Perhaps. But if you can learn from my mistakes at the very least, please do so.
On the more positive note, I've always felt that securing Windows was a far simpler task than many make it out to be. I've argued for years, literally, that Microsoft should simply include anti-virus/anti-malware in Windows, closing off the only major functional security hole in the product. Instead, Microsoft has evolved its basic security offering, now called Microsoft Security Essentials (MSE), into a free product for individuals. And it has created a number of useful (but not free) security products for businesses of various sizes. The latest of these, Windows Intune, is a managed cloud service that is currently in beta and due for final release in early 2011. I'm using it to manage many of the PCs in my home environment right now, and it's my kind of management solution, with a set-it-and-forget-it, hands-off vibe. It just works.
The client security components in Intune are based on MSE, which one could argue is pretty much the minimum when it comes to protecting a Windows-based PC. And yet, it's been enough. My kids' computers, still on MSE, and the other PCs in the house, managed through Intune, have never succumbed to any electronic threat of any kind. In fact, I just performed a regular check of my kids' PCs late last week. For two kids who spend a lot of time on YouTube, playing Flash-based games online, and chatting with friends on Facebook, their PCs are notably devoid of issues. In fact, they were perfectly clean, as they've always been.
This is amusing to me because my kids are 8 and 12 years old. You may have heard about the ZD blogger who, in late April, announced he was compromised via Facebook and forever banishing Windows to a virtual machine; he would run Linux as his primary OS going forward because Windows, he said, was no longer safe "due to the constant threat of malware."
I'm not saying that Windows isn't under constant attack. Of course it is, as it's the primary computing platform on the planet with over 93 percent usage share. But if my kids can use the Internet, every day, successfully and safely, I'm curious to know why this guy can't. And while I've often said that basic security controls plus an iota of common sense should be enough for most people, my kids have no common sense at all. And their PCs, again, are completely clean, and have been for the past year.
I was pretty proud of my kids on Friday. Unfortunately, they are kids. So it only took another 48 hours for me to realize that my pride was misplaced. Checking my email on Sunday--like many of you, my schedule has no understanding of weekends or pseudo-holidays like Father's Day--I was surprised to see a number of emails from Apple's iTunes Store. Uh-oh.
The first one was a receipt for a bill totaling $159.36. Then one for $180.57. $159.36, twice more. $172.08. And $53.11. All told, over $880 had been charged to my debit card, the money directly removed from our checking account.
Looking over the charges, I discovered that they were all due to in-app purchases from some iPhone/iPod touch game I had never heard of. My kids, upstairs tapping away on an iPod touch, had somehow managed to rack up these charges "buying" in-game trinkets that they assumed were free, using pretend money. (The game itself was free.)
Long story short, Apple, amazingly, reversed all of the charges after a frantic phone call. (In fact, they were notably gracious about this.) My kids were given the Fear Of God (tm) speech. And the iPod was locked down using some built-in Restrictions controls I had never really paid much attention to before. Yes, the barn door was finally closed.
What this second episode triggered in me was a reevaluation of the recent trend in the consumerization of IT. This is a big deal these days, and it's something we've seen with readers of Windows IT Pro Magazine, and something that Microsoft has seen as well. That is, in the past, IT was able to restrict the entry of consumer devices and technologies into the workplace. But with consumer technologies racing so quickly ahead, workers are now expecting access to the same technologies and capabilities at work that they have at home. And increasingly, IT departments are simply caving, either due to cost concerns or because they are simply overworked.
The most obvious (if personally painful) example of this is the iPhone: Excited by Apple's then-new smart phone, CEOs and other executives started demanding that they be able to use the iPhone a few years back even though, at the time, it wasn't manageable in any meaningful way. (Unlike with traditional smart phones like Blackberries and Windows Mobile.) And as iPhone usage grew, more and more users began demanding the devices as well. (To be fair to Apple, the iPhone has steadily improved its IT readiness. This is just an example.)
Today, many companies simply allow users to use whatever smart phone they prefer, and in fact many are "saving money" by letting them use their own phones. There are only minimum requirements--they need to be able to access the corporate Exchange account, perhaps--but very little, if anything, around security.
This trend may ultimately prove disastrous. The corporate version of $880 in MasterCard charges is the employee who, unknowingly or not, plugs in an unprotected USB device, copies corporate data onto it, and then goes out into the world and loses the device or hands it over to a nefarious party. I can't afford to lose $880, and I'm guessing your business couldn't afford a similar type of loss either.
As to whether there's a lesson to be learned from this, maybe so. When it comes to protecting corporate resources, the minimum is often enough. But our understanding of what that minimum is needs to be adjusted. Given the proper level of security, users should be able to function, get their jobs done, and feel empowered. But some level of constraint is still required. Finding that balance is, of course, the goal. And it's one that I'm still struggling with as well.
An edited version of this article appeared in the June 22, 2010 issue of Windows IT Pro UPDATE. --Paul