For me Twitter has become an invaluable work tool. My twitter friends and followers deliver me a daily smorgasbord of finely filtered, timely insights with smatterings of analysis and pointers to useful perspectives that educate and inform me about security, cloud, virtualization, tech in general, the market and our society and world. It makes me vastly more productive, and I’m convinced that whether you choose twitter, FB, G+ or some other app, this model is the future of an informed workforce.
But you poor enterprise employees don’t get to experience any of this at work – unless you carry two devices (yours and theirs) and bring your own network (likely on your own dollar). Why? The real reason is utterly pathetic: tweetshrunk URLs – those bit.ly, dthin.gs and goo.gl links followed by meaningless, automatically generated characters that are arguably completely untrustworthy. For example, .ly is the top-level domain for Libya. Who runs that DNS? Is it trustworthy? Is ow.ly secure? Who shrunk the URL? Who really sent the tweet? Is it Twitter spam, or a link to one of the attacks that show up faster than Twitter can remove them?
Tweetshrunk URLs illustrate just how technically bankrupt our security infrastructure is. The only model of the web that the security industry (and even Google’s Safe Browsing API) can comprehend is that of a relatively static web – one in which we naively assume that web filters and “cloud security services” that scour the web to rank each URL have any chance of success. Hello! Did any of these guys read the memo that said the web is a dynamic place in which sites, pages, URLs, even intra-page content are by definition constantly changing? Web pages are programs, not static blobs! Should we declare Twitter inaccessible because it is too dynamic for legacy approaches to security? Try legislating that. (Oh, I forgot – you tried already. But as usual your users figured out how to get around you – probably just to stay productive, but also because the majority fear loss of privacy.)
It’s time to get rid of technically bankrupt technology that (a) doesn’t work and (b) disempowers users. Time to ditch your web proxies and filters that break the semantics of the web. Time to kick your cloud based URL scouring service to the curb, which is where it belongs. It is time to empower your users to be as productive as I am – without any risk to your data or networks. It’s time to end the era of prohibition imposed by legacy mindsets and legacy technologies.
My PC doesn’t trust much. To be specific: It is currently configured to trust only update.microsoft.com with a valid cert. (Yes, if there’s another cert-stealing Flame attack, I might go down.) I could choose not to trust Microsoft or to trust it only under very specific circumstances – for example when I am at work and specifically want to update my OS (I don’t need to panic-patch anymore).
And I spend a decent chunk of my day clicking on … stuff that would make every IT Pro cringe. For example, I just clicked on http://ow.ly/1OJICE in tweetdeck, whereupon Bromium vSentry, for each of the following untrusted steps, instantiated and then immediately discarded a micro-VM: it queried the untrusted .ly DNS and was redirected – twice; then it retrieved the full URL and finally ended up at an article on CNET. My browser responded with the full page in under a second (most of which was network delay due to redirects) and vSentry burned 3 micro-VMs. But I’m safe, and better informed.
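As an added illustration (not Bromium’s code and not part of the original post), here is a small Python expander that does what the click above describes from the defender’s side: it follows a shortened URL one redirect at a time, never auto-following, caps the hop count, detects loops, and classifies each hop against the same trust idea as my PC (only update.microsoft.com trusted). The fetcher and the redirect chain are constructed for offline use; a real fetcher would issue HTTP HEAD requests with redirects disabled.

```python
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple
from urllib.parse import urljoin, urlsplit

# Hosts the policy trusts outright; every other host is treated as untrusted.
TRUSTED_HOSTS = {"update.microsoft.com"}

# A fetcher returns (HTTP status, Location header or None) for one URL and
# must NOT follow redirects itself. It is injected so the example runs offline.
Fetcher = Callable[[str], Tuple[int, Optional[str]]]

@dataclass
class Hop:
    url: str
    host: str
    status: int
    trusted: bool  # True only when the host is on the allowlist

def expand_short_url(url: str, fetch: Fetcher, max_hops: int = 5,
                     trusted=TRUSTED_HOSTS) -> List[Hop]:
    """Walk the redirect chain hop by hop, recording each step's trust decision."""
    hops: List[Hop] = []
    seen = set()
    for _ in range(max_hops + 1):
        if url in seen:
            raise ValueError(f"redirect loop at {url}")
        seen.add(url)
        host = urlsplit(url).hostname or ""
        status, location = fetch(url)
        hops.append(Hop(url, host, status, host in trusted))
        if status not in (301, 302, 303, 307, 308) or not location:
            return hops
        url = urljoin(url, location)  # Location may be relative to the current URL
    raise ValueError(f"more than {max_hops} redirects")

def untrusted_steps(hops: List[Hop]) -> int:
    """Each untrusted hop is a step that would need its own isolated micro-VM."""
    return sum(1 for h in hops if not h.trusted)

# Constructed redirect chain in the spirit of the ow.ly click above (hypothetical
# hosts, not real responses): shortener -> relative redirect -> news article.
SAMPLE_CHAIN = {
    "http://ow.ly/EXAMPLE": (301, "http://shortener.example/abc"),
    "http://shortener.example/abc": (302, "/final"),
    "http://shortener.example/final": (302, "https://news.example/article"),
    "https://news.example/article": (200, None),
}

def sample_fetch(url: str) -> Tuple[int, Optional[str]]:
    return SAMPLE_CHAIN.get(url, (404, None))
```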
The argument for Prohibition was that it would prevent moral decline in America. Instead it increased crime by forcing normally law-abiding citizens to go around the law. Users want to be empowered, to be effective, to deliver value. Shadow IT is how they go around you today. The problem isn’t “stupid users”, it’s “lousy technology”. Microvirtualization enables you to end web prohibition – to sweep aside bankrupt technological assumptions from a bygone era. It lets IT get back to its core mission – making people effective and productive – without risk.
You can end prohibition today, with vSentry.