Stop saying no, or face the law of unintended consequences


Saying no doesn't solve problems and it often makes new ones. That's true inside business and out on the wider Internet.

Take the correlation between Internet censorship and spam.

The servers that bring you spam and phishing emails and malware-driven attacks aren't always located where you expect them to be -- and the location is far from random, according to research by Giovane Moreira Moura into what he calls Internet Bad Neighborhoods.

Moreira Moura was trying to find out whether Internet crime is like the real world, where we're happy to label an area with a high crime rate a "bad neighborhood." His analysis suggests that yes, there are some ISPs, cities, and countries where servers are more likely to be behaving badly.

But unlike real-world bad neighborhoods, you can't spot Internet danger spots by the look of the streets. Phishing sites turn out to mostly be located in the US: the top four are Dallas, Chicago, Provo and Houston. That's because they're home to large data centers and cloud providers where the fake phishing sites can be hosted -- because phishers care about uptime as much as legitimate businesses do. Orlando, Atlanta, and San Francisco also make the list, along with Moscow and Bangkok. 

Credit: Giovane Moreira Moura, "Internet Bad Neighborhoods"
Number of spamming IP addresses by country.

Spamming hosts are found all over the world, but three quarters of all spam comes from just 20 countries, mostly in Asia and South America; India, Vietnam and Brazil top the list. Moreira Moura looked at over 42,000 ISPs and almost half the IP addresses responsible for spam are owned by just 20 ISPs, mostly in Southern Asia. Saudi Arabia, Belarus, Kazakhstan, Vietnam and Tunisia appear unusually high on a list you might expect to be dominated by larger countries like Russia, India, China, and Brazil (which are all in the top 20).

It's not just that administrators in those countries might be less experienced (or possibly less concerned about cutting off a paying customer for bad behavior). Moreira Moura points out that -- along with China -- those five countries all control and censor Internet access or use it for surveillance of their citizens. As well as operating the well-known 'Great Firewall of China', the Chinese government monitors all Skype calls. Saudi Arabia, Belarus, Kazakhstan and Vietnam all filter political or social content, and Tunisia only stopped doing so after the Arab Spring and the removal of President Ben Ali in 2011.

The problem is, if you're filtering what information people can see and limiting what websites they can visit, you're also encouraging them to access open proxies, to visit unofficial websites, and to install tools they think will get them what they want. That makes them far more likely to install malware or infected software, making them part of a botnet, and they're more likely to end up at a malicious website along the way.

A similar lesson can be applied to IT: The more you say no, the less secure you actually are.

If you don't let employees access email on their own devices, or you give them such a small mailbox quota that they have to archive or delete emails, they'll just forward messages to Gmail or save them as unmanageable, unsecurable PST files on their computers so they can read them. And if you're blocking Gmail in your organization, your employees will be searching Google to find lists of open proxies that might let them get their email -- and might just compromise your network. 

You can think of it as the law of unintended consequences -- and while making things more secure is a common culprit, trying to save money can be part of the problem. IT departments lamenting the arrival of consumer cloud storage in their business have only themselves to blame.

For instance, how much does a bigger hard drive for the mail server cost compared to implementing Data Leak Prevention and content scanning on your firewall? Considerably less, but many companies still have 2Mb or 5Mb limits on email messages. That means if you want to send an attachment to a partner or a customer or get a large file from them, you can't do it on the email system that the company can track and secure. So you go and do it on a cloud service like YouSendIt or Dropbox. And once you've got used to putting files on cloud services (and never taking them off once you've shared them), you won't go back to using an official system like email or SharePoint without significant pressure from the company. You're probably also still copying the most important files onto USB sticks that can fall out of your pocket on the train home, just in case you can't get online to get your cloud files -- or you're syncing them onto your home PC (and turning off anti-virus software that slows it down). Suddenly, more storage on the mail server sounds like a great idea.

Although it's certainly showing its age now, BlackBerry 7 wasn't that far out of date when it came out; it had a good browser, Facebook integration, BBM chat for staying in touch -- and lots of IT departments turned all that off in the name of security. Ironically, turning the unusually secure BlackBerry into just an email phone drove people to prefer smartphones that the company can't lock down. For a long time, iPhones couldn't encrypt email but told Exchange servers they complied with the policy to encrypt messages -- and good luck getting Android to be anywhere near as secure as BlackBerry out of the box, even if you can persuade users to let you manage their phone. Yes, you should be taking an information-centric approach to security, but you don't get to set the pace because you're already leaking information.

Why are iPads so popular for doing work when they don't have familiar applications like Microsoft Office or even keyboards built in? It's not just because they're thin, light, stylish and fun to use. It's because they circumvent many of the security systems that bog down those clunky three-year-old laptops your company is still handing out (complete with slow hard drives rather than fast SSDs). If the logon script for my notebook takes five minutes to run because you're locking down features on my desktop and in Office using GPOs, of course I'd rather turn on an iPad instantly. Using an app like Citrix Receiver on an iPad to access the same information you can get on your company laptop can be dramatically faster; not because iOS is faster than Windows or because Citrix wrote a better app for iPad than for Windows, but because security policy makes it much slower to do my job on the notebook you're managing into the ground.

Being joined to a domain and having an encrypted drive add only a small performance hit in most cases, but when you add in all the different firewalls, proxy infrastructure, authentication, security software, logon scripts and group policy, a "well managed" PC can be two or three times slower to boot than a home PC with the same hardware. No wonder people would rather bring their own.

None of these genies are going back in the bottle.

But what are you doing today that's going to turn around and bite you in a year's time? Are you saying that people can't use Yammer or Salesforce Chatter because you don't want business information on a multi-tenant cloud service you don't control? Unless you've got a really friendly, easy to use alternative in place -- the social feed in SharePoint 2013 without any of the features turned off, say -- then all you're doing is pushing them to free, unmanageable services like Twitter, Facebook, and Google+ Hangouts. If you're lucky, the business team will just go ahead and use Yammer or Salesforce anyway, on their own budget.

Instead of saying no and ending up with the unintended consequences of that further down the line, IT needs to find out what it is that business users actually need to achieve, do the risk analysis, and come up with an easy way for them to get the job done.
