The ever expanding cold war with IT

by Volker Weber

Quoting from an e-mail sent to Jon Udell:

As IT locks down systems in an ever increasing game of black ops, e-mail is just about all we poor users have left. My laptop doesn't have a floppy or CD-RW, so I can't write onto removable media. The USB port is my current option, until IT discovers I bought a jump drive to move files around. FTP isn't an option, in fact, the FTP ability of IE 6 has been disabled on my machine. My co-workers and I couldn't stop laughing as you rattled off WebDAV, scp, and Radio UserLand. These may be great little secrets for IT people, but at least at our company they aren't made available. We can't even determine what we set as our default browser webpage. Lotus Notes is our mail client, and it's forced to do the file transfer. For a while, several of us received training in Lotus Application Development and developed some great database tools for our groups. IT has removed that ability. They only support work they developed, and even if you agree to forego support, development by users is not an option. In the ever expanding cold war with IT, my fellow Engineers and Technicians have now retreated to the MS-Office applications. Converting our former Lotus Notes apps to Access with VBA has given us power to develop flexible tools...for the time being. Last week we discovered our ODBC connection between Access and Notes had been disabled. Another battle in the war.

Been there, done that. In some companies IT put themselves into the role of the enemy. They are not an enabler, but an inhibitor. Users don't rely on IT to help them build a solution; instead they seek ways to fly under the IT radar so as not to be shot down. IT wins a few battles at the expense of being a part of the problem instead of the solution.

If this looks familiar and you are at the IT end of this situation, you'd better run and find a new job.

Comments

Of course, it’s not necessarily that cut-and-dried. In my experience the “inhibitors” are often legal departments or risk management specialists.

There are many IT outfits who simply lock stuff down for the hell of it — we’ve all come across those people — but just ask yourself whether the IT dept. is truly at fault in your organisation.

Ben Poole, 2004-04-28

We have a security officer who forces the IT lockdown. We use a package called DeviceLock that locks down every part of the hardware. It's a great tool and easy to implement and control who has access to what. We also enforce screensavers for everybody in the company, and the browser homepage is always the company intranet.

The other reason that IT are seen as inhibitors is that they are sometimes forced to shoot down requests as they might affect other systems on the network. End users don't see the full picture or realise that the next IT request they make is yet another system that IT have to support and goodness knows there are plenty of systems to support in any company big and small.

Declan Lynch, 2004-04-28

It is probably a sensible decision to lock systems that do not need a data transfer mechanism. However, who is it to decide? I remember working in a bank, where IT blocked the roll-out of a PKI infrastructure because they didn't get the hardware based key management they fancied. As a result all customer communication (until today) runs unprotected...
Lock down all ports: users start forwarding documents to external emails (happy sniffing).
A sensible lock down policy: a user request to transfer data (one off, temporarily or permanent), gives a justification. Then it becomes IT's responsibility to provide a sensible solution to address that need. It wouldn't need to be the mechanism the user had in mind...
I suggested that concept once and nearly got stoned by the security department ("It's not our task to propose solutions, but to ensure security").
;-) stw

Stephan H. Wissel, 2004-04-28

I had a company that explored the idea of locking down the desktop so that you couldn't run any applications that were not part of the chosen few, and especially prevent access to the DOS command line (this was a while back). I told them it was a losing battle. They hired a consultant to lock down Lotus Notes. I went to a discussion forum and typed:

@Command([Execute]; "command")

into the subject and pressed Shift-F9 (during a meeting where we were supposed to evaluate the consultant's efforts in this regard). After that, they decided maybe it would be better to "trust and train" rather than "lock down".

Ben Langhinrichs, 2004-04-28

That would be theater security as seen in many organizations.

IT would not allow a shared team space, unless it is encrypted, can only be accessed via SSL, forces the (casual) users to change passwords every 30 days, runs user management through IT instead of the LOB people who are responsible. Solution: Everybody sends everybody else e-mail attachments. Completely unprotected with no retention mechanism.

You have a front door with 12 locks. But the window is open.

Volker Weber, 2004-04-28

I once spent something like 2 weeks to implement a workflow process with defined roles and views / forms with restricted access. "Only the directors should be able to read those".
I tried to talk them out of that restrictive security design before I started, but no, hierarchy had to be transferred to the system.

When I presented my work on the real life system and the Notes Login of the director showed up, I gave him the keyboard to type his password. "Oh no, you go ahead, we all [meaning everybody in this firm] have the same password, it's ----- ".
Aaahhrrrgg - I wanted to hammer him with the keyboard till...

Not only did they use that password for Domino, but also for the login of Windows 2K, which could be booted from any computer in their LAN. And no, they didn't want to change that, "it's too much hassle".

So much for leaving windows open ;-)

Moritz Schroeder, 2004-04-29
