Above All Else…
I’m seeing a growing trend of compliance/policy enforcement tools avowed as security solutions, attempting to capitalize on the waning abilities of existing protection technologies to secure information and infrastructure. Collectively, we Bromides have typed many a word on why blacklisting solutions are ineffective at protecting against modern APTs. But we have given only minimal coverage to whitelisting solutions, which are likely necessary for compliance purposes in some industries – but nonetheless may well end up making the enterprise less secure than before.
If we adhere to Simon Crosby’s definition of Consumerization as “users circumventing policy in search of productivity” then it’s easy to understand the security ramifications of Shadow IT adoption. When IT doesn’t give users the applications, devices, and tools they need to be happy, productive employees, those users seek utility elsewhere, like the internet and app stores on their own phones, tablets, or PC’s. The term “Shadow IT” sounds so clandestine, but it’s really just the IT policy perspective on Consumerization.
I spent the first ten years of my life in Israel living next to Haifa University in the shadow of Eshkol Tower. My mother was still finishing her degree there, and every so often she would take me along. I was brought up largely secular, so I grokked holidays and such as “days off” rather than “holy days”. I was an inquisitive kid, an attribute that didn’t really get me into any heretical problems until one fateful Saturday morning, having stepped into an elevator in the tower, I noticed the buttons didn’t work. The elevator stopped on every floor without input. It was a Shabbat elevator, which means it had a Shabbat module, and Shabbat mode was on.
In Exodus 31:12-17 God tells Moses to tell his people not to work or light fires on the Sabbath. Then in Exodus 35:2-4 Moses tells everyone, and thus the policy is propagated. The punishment for noncompliance? Death. In his day electricity only came in the form of lightning from the sky, and there were no skyscapers, so Moses can be forgiven for not thinking ahead to light switches, microwaves, and elevator buttons. However, all of these tools have since become part of our daily lives, leaving devout Jews in a kosher pickle: since using electricity is akin to kindling a fire (think: sparks), how can the Cohens keep up with the Joneses in a world increasingly dependent on electricity when divine policy explicitly states using electricity on the Sabbath is out of compliance (and lest we forget, punishable by death)? And unlike some rules which may be vaguely open to interpretation in the bible, this one is very specifically spelled out: “Ye shall kindle no fire throughout your habitations upon the sabbath-day.” Thus, no turning things on – or pushing buttons in elevators.
But then some wisenheimer said, “Vait vait vait- it says no starting fires, but vhat if the fire vas already started? It doesn’t say I can’t have kindled my fire before Shabbat… Ah-cha! Honey, call my agent I’ve gotta patent this thing.”
Enter the Shabbat industry: an entire business model dedicated to keeping devout Jews in compliance with divine policy while creatively circumventing it – in search of enablement (there’s even Shabbat toilet paper).
So when IT decides to play Moses and declare a policy or implement software that puts users in a box, the expectation should be that users will find a creative way around it (and that the bad guys will find a way in), all while ostensibly in-policy. A CIO recently told me that when he proposed changing IT policy to officially allow employees to use Facebook on corporate laptops (because they were already finding ways of doing so), the CFO vetoed him and insisted that doing so would make the company liable for anything bad that employees did there. So instead they implemented measures to further clamp down employee internet access. “But I’m sure they’ll find their way back to Facebook,” he amusingly concluded.
Policy can’t be a shackle. Compliance standards are by their very nature at least a generation behind modern technology. We can’t predict what users will need in order to do their jobs tomorrow, so we shouldn’t force them to work in a whitelisted box – doing so is pretending to know what’s actually happening . No enforcement can be tough enough to stop the tide of ingenuity. Not whitelisting, not remote wipe, not MDM, not DLP, not VDI. People want to go up to their floor on Shabbat, and they don’t want to take the stairs.
Malware developers target whitelisted applications and workflows, so they’ll get hacked anyway. Enforcing policy compliance while putting the proverbial blinders on to anything that happens on employee owned devices at best yields plausible deniability come audit time. But for those seeking to protect, what happens outside IT’s purview should be perceived as the biggest threat.
The challenge, then, is to develop a security policy around enablement, not the other way around.