Why does locking down the desktop enhance corporate security?
The essential question is “how much leeway should office workers have to try out new technologies on company computers? For many employers, the answer is clear: none at all. Corporate IT departments already have their hands full with viruses, hackers, spyware, and data breaches, without having to worry about employees making those problems worse by adding unauthorized software or devices. Security experts warn that a company’s insiders are responsible for most security headaches, intentionally or inadvertently.”
- Tom Tabor, the CIO of Highmark, states: “We recognize that employees just want to be productive…while this may be advantageous, it is also a management issue as far as maintainability, support, and potentially cost.”
“Most employees who work regularly with computers can think of dozens of ways that unauthorized technologies make it easier to do their jobs, whether it’s Web-based email programs for sending large files or flash memory drives for taking work files home. And it isn’t just individuals; whole departments are turning to online software providers to handle business needs without the approval, or often the knowledge, of the IT department.”
- Douglas Merrill, the CIO of Google, states: “We must give up trying to control everything, and instead focus on the few places that are the most critical.”
- Tabor: “We have a formalized technology-acquisition process that allows employees to submit technologies for review by the IT organization. Through this process, employees have a say in what technologies are considered.”
- Merrill: “At Google, most employees who run Windows are set as power users, not administrators. This allows employees to install some things and change some machine settings, but not everything—basically, we try to protect our employees from themselves. [However,] if they want administrator access, they just have to ask for it…”
As for locking down the desktop, as a user, I can’t say that I love the restrictions, but as an enterprise architect and IT and business professional, I definitely see the security value to the organization, as well as the benefits of standardizing technologies, developing enterprise solutions, and building a maintainable, cost-effective infrastructure.