If "Productivity" and "Security" were two superheroes, each would be critical to conquering the villains of Planet IT, but the two of them could never ride in the same flying car. To put it another way: They don't play well together. When Security is around, Productivity disappears. And when Productivity shows up on the scene, Security has to take a coffee break.
At least, that's the challenge IT often faces in crafting technology deployments and policies. The only fully secure computer is one that is powered off, which of course is also the least productive computer. In many organizations, each superhero has its allies. Workers tend to relate to Productivity, because they need its help to get their jobs done. But IT prefers to back Security, seeing it as critical to maintaining a healthy network. Both groups are right, so any workable solution requires finding a balance.
Too many years ago, when I lived in a university dorm, there was a fire exit door that, when shut, was locked to prevent unauthorized people from entering. The problem was that this door was also much more convenient to many rooms than the formal front entrance. Solution: Students simply kept the door propped open with a brick. But in acting on behalf of convenience, they eliminated any form of security that the door provided. The tempting mistake for an IT department is to secure resources like a fire exit door.
When workers make an end-run around security, that means IT policy is broken. To build a win-win strategy, an organization must first inventory the real IT needs that workers have. Do they need unrestricted Web access? Do they need to have access to FTP or other file sharing resources? Will they want access to their personal data from remote locations? Every one of these things can be supported with intelligent security measures rather than simply banned, which will just encourage workers to find alternative, even less secure means of achieving their goals.
To take one real-world example, some organizations prohibit users from installing software on their workstations. They do this by removing local administrator rights from the desktop. But invariably, an employee may need to install a piece of software to get his job done. The easy way out is to wait for employees to send a request to IT, but this is a clunky solution. Not only does it burden IT and add to an already long task queue, but it also slows down productivity while the employee waits for IT to act. Instead, the worker may come up with a potentially dangerous workaround — bringing in the application on a USB drive. Some applications can be launched directly from a USB stick, but this drive may also contain malware or spyware that the worker could inadvertently introduce into the workplace.
A better and safer solution is to employ desktop virtualization. There are two ways to approach this. One would be for IT to deploy a canned virtual desktop with whatever IT-supported applications need to be available. This way, the user can install applications on his native machine without potential interference with business apps. IT policy would only support approved applications precanned inside the virtual machine environment. Alternatively, you could deploy the reverse scenario, where employees are given a virtual desktop environment for installing their own applications, with the IT-approved apps installed on the native OS. This way, the employee basically uses the virtual machine environment as his own personal sandbox, which poses no security threat to the data in the primary OS.
While setting up a virtual desktop environment may take up-front work for IT, in the long run it strikes a balance between maintaining security and not hampering productivity. Of course, this is just one example that may not be applicable to every organization. The key is that there is no one-size-fits-all security policy. Determine what resources employees really need and how they use them, and work with — rather than against — their needs to craft security measures that won't provoke mutiny.