
Why corporate IT should unchain our office computers - kqr2
http://www.slate.com/id/2226279/pagenum/all/
======
TomOfTTB
There is an argument to be made for less restrictive IT rules. As someone who
sets the policy for an IT department I tend to allow any of the normal sites
on the theory of "people with computers should be trustworthy already and
those people have lunch breaks so why not trust them with access to sites like
Facebook or Myspace (at least until it's abused)"

But this author is a tool.

First, anyone who's dealt with consumers in general knows that most computer
users get themselves into trouble doing benign things. For example, in my
experience, most people get malware while searching for pictures on Google.
They find the picture they want, click on it and before you know it they're
infected. So how trustworthy they are isn't really an issue.

Second, he dramatically misunderstands the laws he quotes. On Sarbanes-Oxley
Gmail IS a violation because S.O. requires the companies themselves to archive
all e-mails. So if he leaves and takes his gmail with him then he'll have an
archive but the company will be in violation. As for his fiancée, the Medical
Professional that can't use IM, any IT person in Health Care will tell you IM
programs are a HIPAA violation because they allow for encrypted transfer of
files and hence represent a risk to medical records (I work for a mental
health organization and we have to scan at our firewall for files going out
and have protection software to prevent certain files from being copied to
flash drives)

I guess what I'm saying is there are certainly IT people who take security too
far. But, as this writer proves, there are also users who ask for too much.

~~~
mattmcknight
Why should an IT person get to decide what sites are non-productive?
Ridiculous.

I like this article on Google's approach:
[http://www.cio.com/article/144500/IT_s_Third_Epoch...and_Run...](http://www.cio.com/article/144500/IT_s_Third_Epoch...and_Running_IT_at_Google)

"On Sarbanes Oxley Gmail IS a violation because S.O. requires the companies
themselves to archive all e-mails. So if he leaves and takes his gmail with
him than he'll have an archive but the company will be in violation." The
article clearly stated he was forwarding his email to gmail, so you are the
one that has it wrong, the company would still have a copy. The problem here
would not be SO compliance, but rather corporate document retention
(destruction) policies where they want to get rid of records as soon as it is
legal to do so.

"any IT person in Health Care will tell you IM programs are a HIPAA violation
because they allow for encrypted transfer of files" Do you mean unencrypted?
Regardless, I can think of 100 ways to transfer an unencrypted file. Why
single out IM, which has many useful properties?

Here's what's happening in the real world: the corporate network/desktop that
is overly locked down gets circumvented. People bring in laptops and use cell
modems, people use their phones, people install virtual machines.

~~~
TomOfTTB
I really don't know how to answer your first question without sounding a
little rude so you'll have to forgive that but the bottom line is if the IT
dept. gets to pick which sites are productive it's because the company has
entrusted them to do so and the company owns the equipment so it's their right
to control how it's used. Though a good IT dept. will listen to individual
employees and allow sites they might not normally allow if there's a good
reason.

On Gmail the question was "why were they banning Gmail" not was his personal
use of gmail a violation so the point still stands (though I'll admit I read
it wrong)

Finally, if your security gets circumvented then your security is flawed. Any
IT department that chooses not to implement security on the argument that it
will inevitably get circumvented probably needs to re-evaluate how they're
handling things.

~~~
tptacek
Most financials don't care if it's your personal email you're going out to
Google for. I've seen people get fired for that --- and just for that.

------
mbubb
This article is depressingly bad.

Even a sysadmin runs their computer as root or sudo 2% of the time and should
not run non-SOP software on a work computer...

How could you manage giving regular users the ability to install while
maintaining a secure environment?

On our networks website restrictions are for bandwidth reasons, not for 'net-
nannying' reasons. And occasionally we have to adjust for silly dansguardian
mis-flags...

But how can you seriously argue what this guy is putting forth?

I have played with the idea of giving users a VirtualBox install of Win XP
that they can trash to their heart's content while having a more secure Linux
desktop for the work applications (Firefox/Thunderbird/OpenOffice). But I am
not convinced that is really secure. But that is more the way to go with
something like this.

~~~
mattmcknight
"How could you manage giving regular users the ability to install while
maintaining a secure environment?" Don't put your important data on the
desktop. An intranet app over VPN is definitely safer than walking around with
the company data on a laptop.

I like your idea of giving people a virtual machine to work with. I use
virtual machines to do a lot of real work (as a contractor) where the
corporate IT policies don't let you do work.

------
jaydub
I wouldn't be surprised if in a few years more tech savvy employers
require/allow employees to bring their own computer. With better "type 1"
hypervisors, you could have your Home OS image and your Work OS image running
at bare metal speeds with the ability to simply flip between the two.

Employers could save money and employees could do whatever they wanted on
their "home" OS.

------
kqr2
Perhaps this would be better as an Ask HN:

What kind of IT restrictions (if any) do startups here impose as they grow
beyond founders?

~~~
RyanGWU82
I work for a software startup that has grown to about 30 people. Last month we
had a "security week" where the entire engineering team worked on. As usual,
we audited our own product and wrote some code to make things more secure. But
we also found that our internal desktops were one of our biggest -- and most
unprotected -- attack vectors.

In response to that, a couple of our engineers developed an IT policy for
corporate computers. These are laid out as relatively straightforward
requirements, like "you must not use IE 6", or "you must edit the registry and
change the default timeout of the Beezlebop service."

These prescriptions were written up as corporate security policy, although
employees are trusted and no one is policing it. If you have a legitimate
business need to ignore a policy, like needing IE 6 around for testing, then
no one's going to stop you. But be smart about it and don't use that browser
to download warez.

I like the free and unrestricted nature of working for a startup, but I
completely understand the rationale for these policies. Everything they
recommended was due to known security holes and known vulnerabilities in
default installations. It's irresponsible NOT to fix these holes. If our
security was compromised because of a long-known Windows attack, it would make
us look awfully stupid.

------
jaaron
What does everyone think about the idea of having fairly minimal IT
restrictions, but requiring the use of tools like Rescue Time? Would you take
that tradeoff?

