Back to Top

Saturday, February 24, 2007

Managed security

It is funny (or sad, depending on how you look at it) when you realize that all modern OSs have the ability to run with a very high safety level (where 99.99% of the security issues don't affect them), yet malware is so widespread. Some people who get blamed for this are:

  • Microsoft for making Windows insecure.
  • Users for clicking on everything.
  • Administrators for lax security policies.

However lately I started to see a much bigger problem at the root of all this. A problem of expectations, fueled by marketing from as early as the first PC's came out, which in turn created even greater expectations which the marketers tried to satisfy. This expectation is that computers just work. That they are similar to toasters in that you just plug it in and immediately you get a return from it. What these expectations / marketing don't include is the fact that you need training on how to use your computer in a responsible manner otherwise you will be hurting yourself on others in real financial terms (just dig up some statistics how much phising and spam costs yearly). This training is needed in addition to anything you need to learn about how to do your job effectively.

In companies this management can be done by the IT team. An ideal scenario would be (and I'm talking from a Windows perspective, because most people use Windows) to use software restriction policies with a default deny setting and to enable only areas which are necessary for the system to function, but where users have read-only access (for example the windows folder and the program files folder). Warning! This is only an idea! Be sure to only test it on a spare computer since toying with these settings can very quickly render your system unusable! This would a very big step towards security. (I'm inclined to say that perfect security, but I have to remember that security is a process, not a state).

There are at leas two problems with this:

First, the users might not take such level of control by the IT very lightly. This is especially true for power users who are accustomed tweak and manage their own computers at home. But even regular users might resent the fact that they can't use Yahoo Messenger or Winamp. In your contract it may say that only applications approved by IT can be used, but if you start enforcing that and your valuable employees start to leave, that policy is the first to go. This can be mitigated by having a policy of installing for the user the applications she asks (as long as they are legal of course). This still isn't the perfect solution since it can become hard to manage when the number of users per administrator start to grow. Also, every application which gets installed just enlarges the number of vulnerabilities you might have to deal with (both of the applications mentioned before - Yahoo Messenger and Winamp - had their share of remote code execution vulnerabilities). An other aspect of it is that while you might have a positive attitude against installing third party software, the users might still resent the fact that they have to ask for permission to do so.

The second and even bigger problem in a corporate environment is the problem of superiors (CFO, CEO, etc) who usually have laptops which they expect to be able to use at home for non-work related issues where asking for permission from IT is not a very good option. And they also share their laptops with members of the family, etc. While these actions should be disallowed by policy, the imbalance of power between a sysadmin and somebody higher up makes the enforcement of such policy a very delicate balancing act at best and impossible at first. And remember: security is still looked at as an add-on - the usual mentality is to make it work first and (eventually, if ever) make it secure.

If implementing good security measures is such a hard thing in a company, home users must be (and indeed are) much worse off. So we should try to bring the home users (which probably outnumber corporate users) up to the same standards as companies use (which, as we've seen earlier isn't all that great either, but it's better). One approach would be to sell subscription services for remote management. Such a service would consist of somebody logging in to your computer from time to time or when you have problems and making sure that everything is ok, to install applications or to help you out. This service would serve essentially as your personal help-desk. While such an approach would greatly reduce the problem of malware and spam, there are many roadblocks in making it wide-spread:

  • First and foremost the problem of control. People like to be in control. And if they see such a service as giving up control, it won't be adopted. But not all hope is lost, since this is a perception thing. We don't feel that we lose control just because we have to go with our cars to the mechanic for a yearly checkup or because we have to call a plummer if a pipe is broken. With the right marketing it could be overcome and after some time it may become embedded in the culture, so that no further advertising is necessary.
  • An other problem is privacy. When you give up control at such a level, you have to trust the other party not to misuse that trust (not to read your documents, to make transactions in your name). This can be solved technically (you having an encrypted area to store your personal information to which the company servicing the PC has no access), legally (to stipulate these things in the contract) or preferably both.
  • A third problem would be that of people who insists on managing their own computers (geeks, power users, etc). In the first phase they would have nothing to loose since the usage of such a management service would be purely voluntarily. Later on, when it may be dictated by law, there are several possibilities: they might be exempt from using these services if the can prove that they have adequate knowledge. Such test however should account for the fast pace of change in the computer technology and should include provisions for re-testing periodically (and preferably short periods - six months to a year). An other solution would be to make such people pay some form of tax. This would be arguably less fair, but it would be an other option non the less.
  • An other problem would be technology. Remote desktop products are not perfect (or should I say that the best-effort delivery networks are not perfect) and even with a high-speed internet connection the sometimes have to wait for the network. This results in frustration (for the one trying to use the connection) and reduced productivity (which equals increased cost if a per-hour billing system is used). This problem can also be solved by using more command line tools (and with the arrival of PowerShell Windows starts to get an acceptable command-line environment) and even more high-bandwidth solutions.
  • Finally there is the problem of costs. Most people in not-so-rick countries don't even want to pay for the software, much less for some computer service. High-speed connections becoming more and more widely used in such countries means that this needs to taken into account (because high speed internet = high speed spam or more bandwidth for DDoS many times).

Given all these problems, will managed security become reality for home users? Maybe. It would be a big step forwards in reducing security threats for home users because (still) humans are the most versatile tool which can easily be repurposed. The problem with traditional security tools is that many users don't realize that they need an other security tool (for example it took years to get anti-viruses accepted as a need) and when the education comes from vendors, many times it is dismissed as marketing (which it is, but it may partially be true).


Post a Comment

You can use some HTML tags, such as <b>, <i>, <a>. Comments are moderated, so there will be a delay until the comment appears. However if you comment, I follow.