In the previous article, we discussed the consumerized model of IT. Now let’s have a look at a locked down model, and some guidelines that will help maintain sanity both for the IT group and the user community at large.
Why Lock Down?
After considering the consumerized model, one might think that it sounds so progressive & cost effective that no one should bother locking down computers any more. Well, no solution is one-size-fits-all. If there is an existing user community accustomed to a certain level of support and management, or if there are legal requirements to satisfy, we can’t simply board up the help desk and redirect the support line to the nearest Genius Bar.
By far, I see legal requirements as the most common and important reason to maintain a locked-down environment. Legislation such as SOX & HIPAA, and standards such as PCI all place limits on how certain computer systems are allowed to operate.
In some organizations, it may be important to remove distractions and potential wrong turns in workflows. There are still plenty of computer illiterate people in the workforce. If these folks dominate an organization, it may be wise to limit the damage they can do through a series of electronically-enforced policies and restrictions.
When implementing a locked-down model, I believe in one cardinal rule: In a locked-down environment no user outside the IT team should have administrative privileges.
If this rule is broken, the environment is no longer locked down. Administrative privileges are the keys to the proverbial kingdom. A user with administrative privileges can change or remove any or all enforced settings, add or remove software as they see fit, and disable reporting to any inventory or compliance systems. In short, IT cannot maintain any sort of Support Level Agreements or ensure compliance if the users have administrative privileges.
Even within the IT team, administrative privileges should be used only when necessary, meaning that IT staffers should be using non-admin accounts to do their routine work but have the means to elevate their access when needed and within carefully considered limits to balance security, accountability and efficiency. An IT team that operates with administrative rights will usually have no idea of the issues faced by the typical non-admin user. In addition, IT staffers are people too, and as such are prone to mistakes and bad judgement just like the rest of us. Detailed and strict processes help to mitigate human error.
IT departments often face political pressure or directives from superiors to make exceptions to a “no-admins” policy. If you find yourself in this position, I recommend preparing a cost-benefit analysis for your superior(s). This report should include things like data loss, lost productivity, support costs, and the costs of lost opportunities. I have always felt that it is part of the job of an IT staff to let management and the business know when they’re trying to do something detrimental. It is more desirable and generally less costly to prevent problems than fix them after the fact. When an employer asks for something dumb, it’s a good idea to tell them it’s dumb and why it’s dumb in a quantifiable (and tactful) fashion. If they still insist on the dumb thing, they can’t blame you for not doing your due diligence and informing them of the pitfalls.
When Not To Lock Down: Social Issues
Technology is often called upon to solve social issues. I see this as a waste of time and resources as well as an unnecessary restriction of user capabilities. Rather than limit everyone for fear that someone may misbehave, I feel it is much more productive to only punish the miscreant if misbehavior occurs. There are many reasons to lock down computers and their functions, but in this sysadmin’s opinion, solving social issues should never be one of them.
Another Mac sysadmin once said “you can’t teach a backpack not to carry a Playboy” in response to a request to ensure that “naughty pictures” couldn’t appear on a school’s computers. If little Bobby is caught with a Playboy in his backpack, it is confiscated, he’s sent to the principal’s office and Bobby is given the prescribed punishment, all because Bobby has misbehaved. If however, Bobby accesses similar material in a computer lab, the IT staff ends up taking much of the blame because it happened on a computer, even though it’s still Bobby that misbehaved. Misbehavior is still misbehavior whether it involves a computer or not. If little Bobby is looking at naughty pictures in school, that is a disciplinary issue to dealt with accordingly. Similarly, if Sally in accounting is playing solitaire all day and not doing her work, then Sally’s boss needs to have a chat with her and/or start looking for a new Sally. Technology is a moving target and users, especially children, are very resourceful and have nothing but time on their hands. An IT staff that tries to manage social issues with technology will find themselves fighting a battle that is impossible to win.
Only Lock What Is Necessary
Heavy handed restrictions are the most likely to be circumvented. I have been to offices where end users have very expensive company-supplied computers on their desks but never use them because they find the draconian restrictions imposed by an overzealous IT staff make the systems unusable. These employees end up bringing their own laptops to work, thus creating a de-facto Bring-Your-Own model that the IT group has absolutely no control over, and often no knowledge of.
Each restriction that is not legally or contractually mandated should be carefully examined to determine if it is actually necessary. What risks are being mitigated, and what are the potential impacts on user productivity? Does the potential risk outweigh lost productivity and/or user dissatisfaction? Unless the answer to that last question is yes, the restriction shouldn’t be implemented.
I hope these ideas will help make your restrictions more sensible and useful.