Delivering Usability and Security In Your Organisation
Posted by adam @ December 12th, 2008
The Game
Information services are critical to modern business. Email has become ubiquitous, and most of the communication on which business relies would be impossible without it. Providing at least email and web access is now mandatory for any business.
Managing information services in your enterprise is difficult. You must make trade-offs between security and usability. Your users (and probably the boss) want usability, while common sense and, in many sensitive industries, the law require strong security.
How can you hope to make the best trade-off between the two?
The Players
The users want an unlimited network experience. They want access to online collaboration tools, they want to take their laptop and work from anywhere, and they want wireless access in the office so they can occasionally work from the couch. The user has become technologically clued up and will use online tools to help with every aspect of the job, usually with little thought for privacy and security.
You, as the network administrator, want security. You want to block access to external mail providers, instant messaging, VoIP, file sharing and social networking sites. Why wouldn't you? Once sensitive company information is on a web service you don't control, you have lost control of that information: you cannot tell who is reading it.
The Myth
- Blocking everything non-work-related (Facebook, Hotmail, etc.) will make my users more productive
This is not actually correct. If you take the time to block these sites, your users will take the time to find ways around your blocks. This may range from something as harsh as cracking your systems to circumvent the block to something as trivial as coming to work late or taking longer lunches in order to sit in a cafe with their laptop on wireless and catch up with their personal sites. Either way you end up worse off: the circumvented traffic leaves the network by a path you neither see nor log.
It is more beneficial to allow, but monitor, use of these sites. If users know they are being monitored, they will keep their use to a reasonable level and focus on work.
The Blow By Blow
Achieving balance requires providing users with the resources they want and need, while retaining control of those resources, which mitigates the risk of information leakage and security breaches. Simple tools such as a webmail server and a wiki that are accessible from outside the company can make all the difference. You can protect these tools with SSL and require authentication to use them, something that a lot of free online providers can't or won't do. Anything you expose this way is an Internet-facing service and must be patched and hardened like one.
Going further, a single sign-on tool can make a huge difference: users can have a dozen weak, easy-to-remember passwords or a single strong, slightly harder-to-remember password. Microsoft provides this through Active Directory (which authenticates with Kerberos and falls back to NTLM) on most of its products. Software from other vendors supports at least LDAP, and many can be rigged to speak NTLM if required. It is possible to get most *NIX machines authenticating against Active Directory, or Windows talking to LDAP, if needed.
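As an added example (not configuration from the original post or from NetFox), here is what "protect it with SSL and require authentication against the directory" looks like for a company wiki served by Apache 2.2 with mod_ssl and mod_authnz_ldap. The host names, certificate paths, bind DN and base DN are assumptions; the bind account should be a read-only service account, and the file holding its password must be readable only by root.

```apache
# Added example: assumed Apache 2.2 virtual host for wiki.example.com.
# Plain HTTP only redirects, so credentials are never sent in the clear.
<VirtualHost *:80>
    ServerName wiki.example.com
    Redirect permanent / https://wiki.example.com/
</VirtualHost>

# Trust the company CA so the LDAPS connection to the directory is verified.
LDAPTrustedGlobalCert CA_BASE64 /etc/ssl/certs/corp-ca.pem

<VirtualHost *:443>
    ServerName wiki.example.com
    DocumentRoot /var/www/wiki

    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/wiki.example.com.crt
    SSLCertificateKeyFile /etc/ssl/private/wiki.example.com.key

    <Location />
        AuthType Basic
        AuthName "Company Wiki (use your normal login)"
        AuthBasicProvider ldap
        # Assumed directory layout: people under ou=People, looked up by uid.
        AuthLDAPURL "ldaps://ldap.example.com/ou=People,dc=example,dc=com?uid?sub?(objectClass=person)"
        # Read-only service account used to search for the user before binding as them.
        AuthLDAPBindDN "cn=wiki-bind,ou=Service,dc=example,dc=com"
        AuthLDAPBindPassword "change-me-and-keep-this-file-root-only"
        # Any directory user may read; tighten to a group if the wiki is sensitive, e.g.
        #   Require ldap-group cn=staff,ou=Groups,dc=example,dc=com
        Require valid-user
    </Location>
</VirtualHost>
```

Basic authentication is acceptable only because the whole site is behind SSL; the same directory lookup gives the user the single password the text argues for, and Apache's access log now records the directory user name on every request.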
More advanced services may be provided if users have enhanced needs. A VPN can make a huge difference for road warriors. Make sure the VPN server is well secured, that it routes directly into the company network without NAT, and that the company routers have a return route to the VPN client subnet. Your firewall can then open up only the services that are needed over the VPN. Avoiding NAT matters because every connection from a VPN client then keeps the client's own address, so your logs and access controls can still tell users apart.
Making a VoIP extension of your PBX available over the VPN lets users place and receive calls as easily and cheaply as when they are in the office, without running up huge mobile or hotel phone bills or using their kinky_kitty69 screen name to communicate with business contacts.
Wireless network access has become a vital tool. Provide good wireless coverage in your organisation, and tie it into your company's central authentication database so that a user's regular login also authenticates their wireless connection (WPA2-Enterprise with 802.1X and a RADIUS server bound to the directory is the standard way to do this). If you fail to provide wireless, or make it too difficult to use, users will resort to plugging their own (usually unsecured) access points into the network.
In many cases users will download and try tools to improve their work. This can be mitigated by granting only the permissions needed for the user to do their job. The downside is that it's rather limiting, and in many industries where interfacing to hardware (electronics, manufacturing machines, robotics, etc.) is required, the user may need to run as an Administrator on the machine to talk to the hardware, which also grants them the ability to install software on the machine. Where that is unavoidable, keep the hardware workstation separate from the user's everyday desktop so the elevated account is not the one used for email and browsing.
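The VPN and wireless passages above both come down to a few configuration lines. As an added example (not the original post's or NetFox's configuration), here is an OpenVPN server configuration that routes clients straight into the LAN without NAT, followed by a hostapd configuration for an access point that hands authentication to a RADIUS server. The addresses (10.8.0.0/24 for VPN clients, 10.0.0.0/16 for the company LAN, 10.0.0.5 for the VPN server's LAN interface, 10.0.0.10 for RADIUS), file paths and SSID are assumptions.

```conf
# --- Added example: assumed /etc/openvpn/server.conf ---
port 1194
proto udp
dev tun
ca   /etc/openvpn/ca.crt
cert /etc/openvpn/vpn.example.com.crt
key  /etc/openvpn/vpn.example.com.key
dh   /etc/openvpn/dh2048.pem
tls-auth /etc/openvpn/ta.key 0       # HMAC on the control channel: unsigned packets are dropped before any TLS work
server 10.8.0.0 255.255.255.0        # client subnet; routed into the LAN, never NATed
push "route 10.0.0.0 255.255.0.0"    # clients learn that the company LAN is reachable through the tunnel
client-config-dir /etc/openvpn/ccd   # fixed per-client addresses, so a LAN log entry maps to one person
keepalive 10 120
user nobody
group nogroup
persist-key
persist-tun
status /var/log/openvpn-status.log   # who is connected, with their 10.8.0.x address

# --- Added example: assumed /etc/hostapd/hostapd.conf for the office wireless ---
interface=wlan0
driver=nl80211
ssid=CorpNet
hw_mode=g
channel=6
ieee8021x=1                          # 802.1X: no shared key, every user logs in with their own credentials
wpa=2
wpa_key_mgmt=WPA-EAP
wpa_pairwise=CCMP
auth_server_addr=10.0.0.10           # RADIUS server that checks the login against the directory
auth_server_port=1812
auth_server_shared_secret=replace-with-a-long-random-secret
```

Two things outside these files make the VPN half work: the core router (or the LAN's default gateway) needs a return route, `ip route add 10.8.0.0/24 via 10.0.0.5`, or replies from LAN hosts never find the tunnel, and the firewall rules for 10.8.0.0/24 should permit only the webmail, wiki and PBX ports rather than the whole LAN. For the wireless half, the RADIUS server (FreeRADIUS, for instance) is what actually talks to the directory; with Active Directory the usual arrangement is PEAP with MSCHAPv2 checked through winbind, because MSCHAPv2 needs the NT password hash and a plain LDAP bind cannot supply it.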
The SNAITG (Sensitive New Age IT Guy)
The IT admin should regularly engage with users and be aware of their changing needs. An open-door policy for getting things done is the easiest way to ensure your users don't go behind your back and do things themselves. If you are approachable and willing to help users with their needs, they are more likely to come and see you rather than hacking something together themselves.
Staying aware of which tools users are finding useful is also vital to this strategy. If there is talk of a particular service being trialled, it pays to go and learn the basics. If the service looks like it is gaining traction, pre-empt the users and configure it on a server you control rather than trusting a user to run it from his or her desktop PC. Being seen to be proactive and helpful will keep users coming to you rather than doing it themselves.
The Post-Mortem
Being proactive about monitoring is also important. Some users will invariably go against you whether you indulge their needs or not. Being able to identify detrimental activity on your network is useful. Being made aware as soon as something bad happens allows rapid action to be taken, and being able to identify who did what is essential when it comes to rapping knuckles for inappropriate behaviour. That attribution only works if the logs record a user name rather than just an IP address, which is one more reason to authenticate every connection against the central directory.
A good proxy server can filter inappropriate material and log users' web browsing activity in real time. This reduces the tendency to perform non-work-related tasks on the Internet, and allows accounting for those times when it may be required. Have the proxy authenticate users against the same directory; otherwise the log carries only a workstation address, and the accounting stops at "somebody on that PC".
Network monitoring software can scan your network looking for new services, verify the availability of known services, and ensure that no unauthorised software is installed on users' desktop PCs.
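As an added example (not code from the original post or from NetFox), the following script does the per-user accounting the text describes over Squid's native access.log format. The log lines, the non-work domain list and the byte threshold are constructed for the example; the point is that requests with a user name can be charged to a person, while requests the proxy could not authenticate (ident field `-`) can only be charged to an address, and are flagged for that reason.

```python
"""Per-user accounting from Squid native access.log lines (added example)."""
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample lines in Squid's native format:
# timestamp elapsed client action/status bytes method url ident hierarchy/peer content-type
SAMPLE_LOG = """\
1228993200.123    245 10.1.2.3 TCP_MISS/200 4523 GET http://www.facebook.com/home.php jsmith DIRECT/69.63.176.13 text/html
1228993205.456    120 10.1.2.3 TCP_MISS/200 92311 GET http://www.facebook.com/photos.php jsmith DIRECT/69.63.176.13 text/html
1228993210.789     88 10.1.2.7 TCP_HIT/200 1832 GET http://intranet.example.com/wiki/Main_Page alee NONE/- text/html
1228993215.012    310 10.1.2.7 TCP_MISS/200 25600 GET http://www.example-supplier.com/catalog.pdf alee DIRECT/192.0.2.10 application/pdf
1228993220.345    500 10.1.2.9 TCP_MISS/200 310000 CONNECT mail.hotmail.com:443 - DIRECT/65.55.1.1 -
1228993225.678     60 10.1.2.3 TCP_DENIED/403 1200 GET http://www.gambling-site.example/ jsmith NONE/- text/html
"""

# Assumed category list; matched on domain suffix, so www.facebook.com hits facebook.com.
NON_WORK = {
    "facebook.com": "social",
    "hotmail.com": "webmail",
    "gambling-site.example": "blocked",
}


def host_of(method, url):
    """Host of a proxied request. CONNECT (HTTPS) requests log only host:port."""
    if method == "CONNECT":
        return url.rsplit(":", 1)[0].lower()
    return (urlsplit(url).hostname or "").lower()


def categorise(host):
    """Longest-suffix lookup in NON_WORK; anything unlisted counts as work."""
    parts = host.split(".")
    for i in range(len(parts)):
        cat = NON_WORK.get(".".join(parts[i:]))
        if cat:
            return cat
    return "work"


def parse_line(line):
    """Split one native-format line into the fields the accounting needs."""
    f = line.split()
    if len(f) < 10:
        return None
    action, _, status = f[3].partition("/")
    return {
        "ts": float(f[0]), "client": f[2], "action": action, "status": int(status),
        "bytes": int(f[4]), "method": f[5], "host": host_of(f[5], f[6]),
        "user": None if f[7] == "-" else f[7],   # '-' means the proxy did not authenticate the request
    }


def account(log_text):
    """Return {who: {category: [requests, bytes]}}.

    Authenticated requests are charged to the user name; unauthenticated ones
    can only be charged to the client address, which is recorded as such.
    """
    totals = defaultdict(lambda: defaultdict(lambda: [0, 0]))
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        who = rec["user"] or f"unauthenticated:{rec['client']}"
        cat = "blocked" if rec["action"] == "TCP_DENIED" else categorise(rec["host"])
        entry = totals[who][cat]
        entry[0] += 1
        entry[1] += rec["bytes"]
    return {who: dict(cats) for who, cats in totals.items()}


def flag_users(totals, max_non_work_bytes):
    """(who, non-work bytes) for anyone over the threshold, plus all unauthenticated traffic."""
    flagged = []
    for who, cats in totals.items():
        non_work = sum(b for cat, (_, b) in cats.items() if cat != "work")
        if non_work > max_non_work_bytes or who.startswith("unauthenticated:"):
            flagged.append((who, non_work))
    return sorted(flagged)


if __name__ == "__main__":
    totals = account(SAMPLE_LOG)
    for who, cats in sorted(totals.items()):
        print(who, cats)
    print("flagged:", flag_users(totals, max_non_work_bytes=50000))
```

On the constructed lines, `jsmith` is flagged on volume (two Facebook pages plus one denied request), `alee` is not, and the HTTPS session to Hotmail from 10.1.2.9 is flagged only because nobody authenticated it: the proxy cannot say who was on that PC, which is the caveat in the text.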
NetFox provides both of these services and more. Please see http://www.netfox.com for more information.
April 9th, 2009 at 11:17 AM The style of writing is quite familiar. Have you written guest posts for other bloggers?
April 11th, 2009 at 01:38 AM FANTASTIC!
April 15th, 2009 at 08:00 PM Hey, cool tips. Perhaps I'll buy a glass of beer for the person from that forum who told me to visit your blog :)
April 24th, 2009 at 08:37 PM This is very up-to-date info. I'll share it on Delicious.