(From an email list, someone wanted to know how to block services like MobileMe on the network. Normally I’d offer the advice on how to do it, but this time the first question I asked was “Do you local users have Admin to their own boxes?” To which the answer was “Yes.” -- I edited it to make more sense as a blog post. This is a post intended to provoke discussion, obviously my suggestions and things won’t work everywhere and in all scenarios and an all networks. Keep an open mind.)
We are in a new world, a mass world full of mobility. Take the iPhone. This is a computer, a computer I carry in my pocket, but none the less a computer. I could feasibly get away with leaving my laptop at home the majority of the time with the amount of things that I can get done on my phone. Laptops sales have increased significantly in the past few years, people are buying less and less desktop computers. Laptop speeds have caught up with desktop speeds, and things are much more convenient now.
Blackberries were that way, but the iPhone really sealed the deal. Of course now we have a plethora of devices coming out claiming to be “iPhone killers”. The Palm Pre, the things from LG, the Blackberry Storm, but there is still nothing that can touch the iPhone. You put an OS this powerful in a box this mobile, and viola, you have a mobile computing platform. And the solution to a lot of life's little problems. Why doesn’t Apple make a netbook? Wake up, they already have.
I absolutely could not get away with not being able to have MobileMe (or Google, whatever you use) sync my contacts, calendars, bookmarks, etc from the desktop up to the cloud and back down to my phone. I could not function if I didn't have realtime push for all of that kind of stuff. How would I know about that meeting that I just got invited to five minutes ago? Cause you know, no one is going to actually pick up a phone and call you about it (sarcasm).
What are the users doing that they need these sync services? Is what they are doing enhancing productivity or making their life easier? Probably. Is it a security risk? Can it be mitigated without destroying it?
I don't see a reason why not. The time has come for us a security professionals to stop nuking that which we don't understand/want to deal with, and start understanding why things are being used, how they are being used, and does it help? Instead of destroying everything, let’s figure out services and techniques that will provide our users the level of, well, not only training, but the level of convenience that is useful to them.
There are all these great companies out there starting great businesses to solve companies and life's problems, and attitudes like "we need to stop them" -- for no good reason -- just don't fly anymore. It just doesn't make sense in this day and age. Heck the Army even allows people to go to Facebook and Twitter now. Yes, they can click on bad things and people will download bad things and put them on their machines, but you know what, they are going to do it anyway, they will find a way around your control. Instead of inhibiting them, enable your users. I am not saying let them do what they want, or unblock everything. I am saying, let’s find solutions to their problems, instead of saying “no” all the time.
Yes there are security risks, but there are security risks in everything, right?
How can we make our users lives easier, more productive, and efficient without sacrificing security?
Make sure IT operates and conforms to the company policies, and you will have a much happier and much more productive workforce.