Dealing with User 2.0
Computing has been around for a while and security has grown with it over the last few decades. Increasingly however I'm coming across User 2.0 and I am betting that you are as well. They bring their own particular security challenges that we need to start solving in order for our organisations to grow and compete in the User 2.0 world.
Some of us who are a little bit worn around the edges will remember User 0.1. The world was good. Users had nice green screens in front of them, they could type only those bits that the application needed, and securing the environment was a cinch. Well, relatively: the mainframe required you to manage users and give access to resources using RACF, ACF2 or even Top Secret. It was, however, for most of us, not a very connected world, and User 0.1 happily lived in this green glowing environment. They even still knew how to write using a pen and paper!
Then something horrible happened: these new-fangled things called "personal computers" started to make an appearance. Even worse, people realised that if students and the military could have computers talking to each other, then why couldn't they? This is where it started to get trickier for us security folks. Many of us grew up in mainframe or Unix environments and, with a few exceptions, these were tightly controlled. User 0.5 was born and demanded connectivity from their new PC to the old world of Unix and mainframes.
User 1.0 came along when businesses started to connect to the internet and conduct business on the internet. Many User 1.0 were upgraded from User 0.1 or 0.5, so they had an almost automatic acceptance of the restrictions and limitations that we as security folks placed on them. A standard desktop environment, with standard applications that cannot be changed. Corporate computers issued to staff, firewalls, content filtering etc, etc, etc.
Security groups also changed their approach over time. Where many initially started as the "thou shalt" people with User 0.1, with User 0.5 they added "nay" to their vocabulary. There were strict controls in place and the usual answer to many requests where security was involved was "NAY". Thankfully this phase didn't last long and with understandable exceptions, most security groups changed their approach and started working with the business rather than against it (Darwin eat your heart out). So today we see most security groups working with the business. With User 1.0 security groups have learned new words "Yes we can, but only if you use this and this and this". But that is ok, User 1.0 isn't giving security groups that hard a time. They are willing to use the applications they have been given. They will learn the tools when they move from company to company. Business objectives are being met and security groups are helping to achieve this. However much of this really does still depend on having standard applications, used by all, few exceptions. There is still relatively tight control over the environment. Yes we have to let things through our firewalls and filters that a few short years ago we would have denied, but they can be managed.
The User 1.0 era, however, is drawing to an end. They are slowly being upgraded, although not all of them will be fully upgradable to User 2.0 or beyond, and a new user has arrived: User 2.0. User 2.0, or Gen Y as some people like to call them, are the digital generation, and many businesses, including their security teams, are struggling to deal with them. User 2.0 grew up digitally: vinyl is something that is on the floor, rotary phones are something you see in old movies, and a walkman is someone that takes the dog for its run.
User 2.0 has different expectations of their work environment. Social and work activities are blurred, and different means of communication are used. Email is dated; IM, Twitter, Facebook, MySpace, etc. are the tools to use to communicate. There is also an expectation, or at least a desire, to use their own equipment: own phone, own laptop, own applications. I can hear the cries of "over my dead body" from security person 0.1 through to 1.9 all the way over here in AU. But really, why not? When is the last time you told your plumber to only use the tools you provide? We already allow some of this to happen anyway. We hire consultants, who often bring their own tools and equipment; it generally makes them more productive. Likewise for User 2.0: if using Windows is their desire, then why force them to use a Mac? If they prefer OpenOffice to Word, why shouldn't they use it? If it makes them more productive, the business will benefit.
We have to start managing and protecting the data rather than concentrating all our efforts on the perimeter. The pentesters amongst you know that a large percentage of companies have a hard crunchy outside and a soft squishy centre. If we manage and protect the data then what is used to access or manipulate the data becomes less important. There will always be applications that must be used in organisations, but it shouldn't matter if they are accessed using firefox, IE, Chrome or others. So depending on your security posture it may be ok to allow IM, access to social sites, issue staff with blackberries, iphones, or allow them to use their own equipment and applications. Security person 2.0 just has to deal with it slightly differently. We already know how to do it, many of us have had the stealth upgrade to Security person 2.0. We know how to inspect traffic, control malware, control network flows and control access to data that isn't dependent on a particular way of accessing it. However we do have to start thinking harder about how this can be applied to User 2.0. The reality is that there will be more and more pressure to open up networks, provide more flexibility in the tools available to users, whilst maintaining the security of the organisation and protecting the information. Dancing on that pinhead doesn't seem so hard now does it?
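The data-centric approach described above, as an added example that is not part of the original diary: a small policy check that authorises a request on the user's entitlement, the data's sensitivity label and the endpoint's trust level (managed corporate build, enrolled BYOD, or an unknown device on the "special" VLAN) and never looks at which browser, application or network the request came from. The labels, posture levels, role names, obligations and sample requests are all assumed here for illustration.

```python
"""Data-centric access decisions that do not depend on the client application.

Added illustration, not code from the diary. Every label, posture level, role
and sample request below is hypothetical.
"""
from dataclasses import dataclass
from enum import IntEnum
from typing import FrozenSet, List, Tuple


class Sensitivity(IntEnum):
    PUBLIC = 0
    INTERNAL = 1
    CONFIDENTIAL = 2
    RESTRICTED = 3


class Posture(IntEnum):
    UNKNOWN = 0   # unenrolled device: no agent, no client cert (the "special" VLAN case)
    BYOD = 1      # user-owned but enrolled and passing basic health checks
    MANAGED = 2   # corporate build under full endpoint management


@dataclass(frozen=True)
class Request:
    user: str
    roles: FrozenSet[str]
    posture: Posture
    needs_role: str          # role the data owner requires for this data set
    sensitivity: Sensitivity
    action: str              # "view" (server-rendered) or "export" (a copy leaves the server)


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str
    obligations: Tuple[str, ...] = ()   # compensating controls to enforce if allowed


# Assumed policy: the endpoint-trust floor depends on the data and the action,
# not on which client is used to reach it.
MIN_POSTURE = {
    ("view", Sensitivity.PUBLIC): Posture.UNKNOWN,
    ("view", Sensitivity.INTERNAL): Posture.BYOD,
    ("view", Sensitivity.CONFIDENTIAL): Posture.BYOD,
    ("view", Sensitivity.RESTRICTED): Posture.MANAGED,
    ("export", Sensitivity.PUBLIC): Posture.UNKNOWN,
    ("export", Sensitivity.INTERNAL): Posture.BYOD,
    ("export", Sensitivity.CONFIDENTIAL): Posture.MANAGED,
    ("export", Sensitivity.RESTRICTED): Posture.MANAGED,
}


def decide(req: Request) -> Decision:
    """Authorise on identity, data label and endpoint trust; ignore the client application."""
    if req.action not in ("view", "export"):
        return Decision(False, f"unknown action {req.action!r}")
    # 1. Entitlement: the user must hold the role the data owner set, whatever device they use.
    if req.needs_role not in req.roles:
        return Decision(False, f"{req.user} lacks role {req.needs_role!r}")
    # 2. Endpoint trust floor for this data label and action.
    floor = MIN_POSTURE[(req.action, req.sensitivity)]
    if req.posture < floor:
        return Decision(False, f"{req.posture.name} endpoint below {floor.name} floor for "
                               f"{req.action} of {req.sensitivity.name} data")
    # 3. Obligations: allowed, but weaker endpoints get compensating controls.
    obligations = []
    if req.action == "view" and req.sensitivity >= Sensitivity.CONFIDENTIAL:
        obligations.append("watermark")
    if req.posture < Posture.MANAGED and req.sensitivity >= Sensitivity.INTERNAL:
        obligations.append("no-local-cache")   # render server-side; nothing persists on the endpoint
    if req.action == "export":
        obligations.append("log-export")
    return Decision(True, "ok", tuple(obligations))


def audit(reqs: List[Request]) -> List[str]:
    """One record per decision, so accountability does not depend on the endpoint either."""
    lines = []
    for r in reqs:
        d = decide(r)
        verdict = "ALLOW" if d.allowed else "DENY"
        lines.append(f"{verdict} user={r.user} posture={r.posture.name} "
                     f"label={r.sensitivity.name} action={r.action} "
                     f"obligations={','.join(d.obligations) or '-'} reason={d.reason}")
    return lines


# Constructed sample requests (hypothetical users, roles and data).
SAMPLE = [
    Request("alice", frozenset({"finance"}), Posture.MANAGED, "finance", Sensitivity.RESTRICTED, "export"),
    Request("bob", frozenset({"finance"}), Posture.BYOD, "finance", Sensitivity.CONFIDENTIAL, "view"),
    Request("bob", frozenset({"finance"}), Posture.BYOD, "finance", Sensitivity.CONFIDENTIAL, "export"),
    Request("carol", frozenset({"sales"}), Posture.UNKNOWN, "sales", Sensitivity.INTERNAL, "view"),
    Request("carol", frozenset({"sales"}), Posture.UNKNOWN, "sales", Sensitivity.PUBLIC, "view"),
    Request("dave", frozenset({"sales"}), Posture.MANAGED, "finance", Sensitivity.INTERNAL, "view"),
]

if __name__ == "__main__":
    for line in audit(SAMPLE):
        print(line)
```

The point of the shape is that the enforcement point sits with the data: a BYOD laptop and a corporate desktop run the same check, the unknown device on the guest VLAN is not refused outright but is limited to what its trust level earns, and the audit trail is produced where the data lives rather than relying on agents on endpoints you may not control.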
So here is your homework for the weekend. How will you deal with User 2.0? How are you going to protect your corporate data without saying "Nay" to things like Facebook, IM, own equipment, own applications, own …….? How will you sort data leakage, remote access, licensing issues and malware in an environment where you may have no control over or access to the endpoint? Do you treat everyone with their own equipment as strangers and place them on the "special" VLAN? How do you deal with the Mac users that insist their machines cannot be infected? Enjoy thinking about User 2.0; if you send in your suggestions I'll collate them and update the diary.
Mark
I'll be speaking in Wellington on 18 Feb (a weather report from the ISC) and teaching SANS 401 in Wellington 15-20 March 2010.
Comments
Hal (Feb 5th 2010)
Mark (Feb 5th 2010)
I guess very few organisations defend their internal services against intrusion as well as those directly reachable from the Internet. In cases I've seen, internal services are left practically wide-open; the assumption being that nobody has the motivation, or technical expertise, to take advantage of that, or that any such action would be detected and could then be dealt with through disciplinary means.
I think the greatest resistance to User 2.0 is that it would necessitate a whole new effort to secure these internal networks.
Modern threats, though, may necessitate this anyway. Conficker sneaking in via USB mass storage devices; malware delivered as encrypted attachments or SSL; browser/XSS/proxy exploits allowing internal services to be reached indirectly. Of course some awkward administrators will try to stop employees from using USB mass storage devices (sometimes all USB devices!), SSL (yes, I've really known this happen!) and maybe JavaScript and browser plugins to try to avoid these problems. But I don't see these approaches working for much longer.
I think, inevitably, things will go two ways. One is to have ultra-restricted workstations for business use (User 0.1-style). The other is to allow anyone to use any device (User 2.0-style), but with ultra-restrictive access to the business services and data. A little of both approaches may work nicely for everyone.
Steven Chamberlain (Feb 5th 2010)
Alan (Feb 5th 2010)
EVVJSK (Feb 5th 2010)
Walt S (Feb 5th 2010)
I strongly agree with Alan that the security 2.0 'nomenclature' does not express the real problem.
No matter how you slice, dice or cut it, it eventually boils down to trust. Employees (and contractors, but they are under contract) must adhere to company ethics or policies. And I think this is where things can go wrong with whatever-you-call-them (User 2.0/Gen Y).
And that's a social problem...
So maybe we should make sure the people are accountable (more journaling?) and leave societal issues to the HR people.
prontissimo (Feb 5th 2010)
Subzero (Feb 5th 2010)
(initiative) saves me 1 minute per hour X 8 hours a day X 5000 employees X an average base pay rate of $15 per hour = $10,000 per day! We should totally do that!
Justifications like these are invariably flawed and overstate the benefits while ignoring risk or cost expenditures. The truth is that productivity and value is not a fixed rate based upon time, and time savings can easily be filled by other non-productive activities. Costs of deployment, maintenance, training, and other factors can easily overwhelm benefits.
Many User 2.0 personnel simply don't see the big picture, and are focused upon personal benefit and gain. Many of the technologies that comprise this User 2.0 toolset (social media, consumer software, communications devices) are focused upon personal gain and entertainment. There is a place for new initiatives, but not until they can be properly assessed and compared against business need.
BradM (Feb 5th 2010)
mquibell (Feb 5th 2010)