mtg followup
Bill Ward
bill at wards.net
Fri Nov 18 10:49:26 PST 2005
On 11/18/05, Alvin Oga <alvin at mail.linux-consulting.com> wrote:
> assuming our jobs, or at least say my job
> is to protect corp data, i think it
> is fairly simple to take some preventative
> steps to prevent unauthorized trade secrets
> from leaking out to the world or unknowingly receiving
> competitor's secrets
[...]
> b) i disallow dhcp .. i want to know who is using
> what ip#
>
> c) i disallow home networks from connecting into
> the local corp lan, because we do not get
> to monitor and secure the employee's home network
>
> d) i disallow wireless ... i think it's too ez to sniff the data
>
> e) i disallow laptops .. there is nothing on an individuals
> laptop that is so important to the company's survival
[...]
These ideas are certainly going to protect corporate data, but I think
it's a copout to simply disallow anything that may pose a risk. There
are legitimate business cases to be made for most of the things you
are disallowing.
- dhcp makes it trivial to get a host on the net without fuss
- home networks allow telecommuting, thus greater availability of staff
- wireless and laptops allow mobility, thus greater availability also
If you need someone to physically come in to the office to use a
machine that's been properly blessed by IT security staff, then you
will be wasting countless hours of time that could otherwise be spent
on productive work. The benefit isn't worth the cost.
Instead you need to allow these kinds of things AND provide good
security using tools like a well-configured VPN system. That's what
makes security in IT hard. Anyone can just disallow stuff. Allowing
it while providing an acceptable level of security is hard, but if it
can be done it will greatly improve productivity at an acceptable
level of risk. Security is about managing risk, not eliminating it.
--Bill.
More information about the Baylisa
mailing list