Wednesday, July 19, 2006

Security vs. Usability - A Good Fight

Oh boy, a good old slugging match, and from two writers for the same magazine, no less. Bob Lewis writes on Information Security, Off the Deep End in response to Roger Grimes' Unauthorized Applications (still) a bad idea.

I find myself in agreement with both points of view. I have great sympathy for Roger's (as well as most IT managers') dilemma in trying to keep the place secure in the face of increasing pressures. At the same time, though, Bob correctly observes that people do insecure things because they are trying to do their jobs.

So how do I reconcile the two? Actually, I think Bob has most of it right, as he observes that a good IT department will be listening to its users and have appropriate tools in place. If someone wants to work from home and get data from the office there should be some type of VPN connection and either access to files or Citrix in place to make that possible in a secure manner. Need a laptop because you need the applications as well and either don't have the bandwidth or some other restriction? That should be thought out and machines should be available as well.

Where Roger is correct, however, is that users shouldn't be allowed to use applications that haven't been through the acceptance process. The word "process" isn't meant to imply some long, drawn-out affair. It is meant to see that IT supports only the number of applications it really needs to, and that it has a decent handle on the security implications of those it supports. Otherwise, you could easily have half a dozen (or more) IM solutions running around, with significant support and security implications. As Bob says, implement a secure corporate-wide IM solution.

Security needs are valid, and with the ever-increasing number of security violations that are in the news, no organization can afford to ignore them. What the IT department needs to do, in conjunction (hopefully) with top management, is strike an effective balance between the security needs and efficiency / productivity needs of its internal customers. This implies, of course, an IT department that is "on the ball" and listens to what its users need to be effective. Easier said than done, of course, but after all, IT is (typically) in the internal customer service business. If you're not delivering what users need and what the organization needs, why are you around?

Wednesday, July 12, 2006

Net Neutrality

The recent issue of InfoWorld (July 10, 2006) features net neutrality on its cover, and in a series of articles. One, "Battle Lines Drawn Over Net Neutrality," sums up the issue and the players.

I've been sitting out during this debate for some time. At first, I did so because I wasn't sure I really understood the issue. Shortly after, once I figured that out, I stayed put as I believe there is merit in both sides. After due consideration, however, I've decided to finally cast my vote - which is, that we don't need rules for net neutrality. At least, we don't need them today.

I believe the fears of the players like Amazon and Google have possible future validity, but they aren't true today. And, as we all know, legislators can't really dictate a desired result. All they can do is either punish "bad," or undesired, behavior and reward "good," or desired, behavior. And with all the competing interests at play, the process is at best cumbersome, with little finesse, and at worst disastrous. Given the money and lobbyists at work on this issue, you have a recipe for rules that neither the companies involved nor the public would find palatable.

And so, I think it is best to let events transpire uninhibited by legislation. If truly destructive behavior does begin to appear, then Congress can address it and do so in a more surgical manner. At the same time, we unleash the market to do what it does best, which is innovate.

If the telcos and cable operators want to offer higher speed, specialized offerings that command premium pricing, let them do so. Will there be the opportunity to indulge in some "channeling" that allows for favoritism? Absolutely. Will the owners of the pipes indulge in that behavior? Most likely. However, I'm not yet convinced that is automatically a bad thing, which is the argument raised by Google, Amazon, and others.

In the meantime, the best thing for those really worried about what might happen is to concentrate on making your web presence, whatever that might be, as compelling as possible for your target audience. That stands a better chance of keeping you intact and growing as innovation roils the Internet than any other action.