Web Security

Last time I discussed the reasons why you would want to protect your network with some form of access restriction on web services reached via the internet.
This time I am looking at the first of the available solutions.
Some of the detail here is in fact applicable to any solution.

Trust Approach
I have a lot of colleagues and friends who are very much in favour of an open approach to web access, which is today’s topic.

The principle is to open the whole web to everyone and, in their words, treat people as adults.
The American principle of trusting the individual rather than centralising control (or, if you like, over-legislating) is commonly applied to Internet technologies, with the web the prime target of such discussions. Free speech – open access.
This is an approach that can have many benefits.

  • Firstly, management have no policy, as such, to maintain or monitor – reduced overhead, and probably putting people like me in the dole queue.
  • Secondly, users may feel that they are responsible members of a community and get greater (job) satisfaction. By trusting them you have given their ego a boost.
  • Thirdly, and related to both the above, you won’t need to apply sometimes artificial differentiators to your users. Why has Bill got access but not Bob? You may create disharmony amongst users if some have greater access than others.

Even within an environment where most users are behind some sort of restrictive policy, it is possible some individuals will request or require full web access.
Everyone who has such access should be made aware of the expectations placed on them and of their responsibilities. The duty of care does not end simply because you tell someone anything goes: you still have legal liabilities relating to what is accessed across your network.

This approach works best within families with older teenagers, where personal responsibility is something you actively want to teach the younger generation.

However, corporations probably cannot take the risk. They must weigh up not only whether a site is appropriate but whether business data, perhaps even customer data, is going to be exposed. That is a level of exposure that can bring a company to its knees.
In these cases the web acts as a two-way gateway: the site may be compromised, or outright malicious, and actively try to obtain data from the client system.

Another corporate consideration is available resources. Seemingly innocuous web access can have dramatic, even devastating, consequences for available network bandwidth.
The obvious example is the streaming media mentioned in the previous article. BBC Radio may not pose any security risk or necessarily any productivity issue, but it reduces the rest of the business’s capacity to do work. Take into account a major event (a Royal Wedding, the Olympics, the World Cup etc.) and the number of users accessing these services increases dramatically. Large corporations have been disrupted for hours by internal users in such circumstances.

As you might guess, I am not a fan of open access policies, even with properly defined guidelines on what such access can and should be used for.
The user is not stupid, but he is also not an IT geek; mistakes are made. Users simply don’t realise the effect of, for example, listening to Internet radio.
I have had instances of users reporting slow access to business systems whilst they themselves have been watching streaming TV news.

A user’s personal productivity can be dramatically affected: it is simply too easy to lose a large proportion of your time as you answer that last Facebook message, watch the kitten on YouTube, update your personal website, follow Mr S. Fry on Twitter, or get the weekend’s cricket/rugby/tennis/punching/soccer results.

If you want to take this approach you must ensure that the users’ responsibilities are clearly defined. You may need to educate them about the effects of actions like the above. You should also have a mechanism for monitoring access and for applying emergency restriction policies to protect precious resources and processes.

Businesses may wish to consider the following:

  • Define a Web Access Policy

    • Include the users’ responsibility to use this resource only as it pertains to their job function (fluffy and hard to define)
    • To consider the appropriateness of content
    • To consider colleagues’ sensibilities
    • To not disrupt business processes
    • To consider the legality of any content
  • Define a Web Monitoring Policy

    • Ensure users are aware that all Internet access is logged and actively monitored
    • Ensure who may access the logs is clearly defined
    • Ensure users can be identified uniquely (much harder than you may think: an IP address behind NAT or on a shared machine is not a person)
    • Ensure you have a process to examine the effectiveness of your open policy
    • Importantly, ensure that you have a product that protects against web-borne viruses and other malware
  • What emergency measures are available to you?

    • Can you block access to the web if it is inhibiting business processes?
    • Can you section off a part of the company and prevent them from accessing the web?
    • Can you trace a problem to the individual?
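As an added illustration (not the author’s code, and not part of the original post), here is how the “identify users uniquely” and “trace a problem to the individual” points play out against a proxy access log. It parses constructed Squid-style access.log lines, totals bytes per authenticated user, flags streaming media by MIME type, and keeps unauthenticated requests apart by client IP, because an IP alone is not an identity. The log lines, user names, IP addresses and the `STREAMING_HOSTS` watchlist are all constructed for this example.

```python
"""Added example: trace proxy bandwidth use to individual users.

Parses CONSTRUCTED Squid native access.log lines, totals bytes per
authenticated user, flags streaming media, and keeps requests with no
authenticated user in a separate per-IP bucket."""
from collections import defaultdict
from urllib.parse import urlsplit

# Squid native format, one request per line (sample data, constructed):
# timestamp elapsed-ms client action/status bytes method URL user hierarchy/peer mime-type
SAMPLE_LOG = """\
1311000001.123    512 10.1.2.10 TCP_MISS/200 8388608 GET http://www.bbc.co.uk/radio/live bob HIER_DIRECT/192.0.2.10 audio/mpeg
1311000002.456     40 10.1.2.10 TCP_MISS/200 20480 GET http://intranet.example.com/orders/ bob HIER_DIRECT/10.0.0.5 text/html
1311000003.789   3000 10.1.2.11 TCP_MISS/200 52428800 GET http://video.example.net/stream/news alice HIER_DIRECT/203.0.113.9 video/mp4
1311000004.012     12 10.1.2.12 TCP_MISS/200 4096 GET http://www.example.com/ - HIER_DIRECT/198.51.100.7 text/html
1311000005.345     88 10.1.2.11 TCP_MISS/200 1048576 GET http://news.example.org/ alice HIER_DIRECT/203.0.113.10 text/html
1311000006.678     20 10.1.2.12 TCP_DENIED/407 0 GET http://www.example.com/ - HIER_NONE/- text/html
this line is corrupt and must be skipped
"""

# Streaming is recognised by MIME type; the host watchlist is an assumed local
# addition for services that serve media under generic content types.
STREAMING_MIME_PREFIXES = ("audio/", "video/")
STREAMING_HOSTS = {"video.example.net"}  # assumed, constructed for this example


def parse_line(line):
    """Parse one Squid native-format line into a dict, or return None when the
    line does not have the expected shape (a corrupt line must not abort a report)."""
    fields = line.split()
    if len(fields) < 10:
        return None
    try:
        timestamp = float(fields[0])
        size = int(fields[4])
    except ValueError:
        return None
    action, _, status = fields[3].partition("/")
    url = fields[6]
    # CONNECT requests are logged as "host:port" with no scheme; everything else is a URL.
    host = urlsplit(url).hostname if "://" in url else url.split(":")[0]
    return {
        "ts": timestamp, "client": fields[2], "action": action, "status": status,
        "bytes": size, "method": fields[5], "host": host or "",
        "user": fields[7], "mime": fields[9],
    }


def is_streaming(rec):
    """True if the request looks like streaming media."""
    return rec["mime"].startswith(STREAMING_MIME_PREFIXES) or rec["host"] in STREAMING_HOSTS


def summarise(log_text):
    """Return (per_user, unattributed_by_ip, skipped_lines).

    per_user maps an authenticated user name to total bytes, streaming bytes,
    request count and the client IPs seen for that user. Requests with no
    authenticated user ("-") are kept separately by client IP: behind NAT or on
    a shared machine an IP address does not pin down a person."""
    per_user = defaultdict(lambda: {"bytes": 0, "streaming": 0, "requests": 0, "clients": set()})
    unattributed = defaultdict(int)
    skipped = 0
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            skipped += 1
            continue
        if rec["user"] == "-":
            unattributed[rec["client"]] += rec["bytes"]
            continue
        entry = per_user[rec["user"]]
        entry["bytes"] += rec["bytes"]
        entry["requests"] += 1
        entry["clients"].add(rec["client"])
        if is_streaming(rec):
            entry["streaming"] += rec["bytes"]
    return per_user, unattributed, skipped


def top_consumers(per_user, n=5):
    """Users ordered by total bytes, largest first: the first place to look
    when 'the network is slow' is reported."""
    return sorted(per_user.items(), key=lambda kv: kv[1]["bytes"], reverse=True)[:n]


if __name__ == "__main__":
    users, anon, skipped = summarise(SAMPLE_LOG)
    for name, u in top_consumers(users):
        share = u["streaming"] / u["bytes"] if u["bytes"] else 0.0
        print(f"{name:<8} {u['bytes']:>12,d} bytes  streaming {share:6.1%}  from {sorted(u['clients'])}")
    for ip, total in anon.items():
        print(f"unattributed client {ip}: {total:,d} bytes (no authenticated user)")
    print(f"skipped {skipped} unparseable line(s)")
```

Run as a script it prints the heaviest consumers with the share of their traffic that was streaming, which is exactly the evidence needed to answer a “business systems are slow” complaint with “you were streaming 50 MB of news video”. The separate unattributed bucket is the practical point behind “much harder than you may think”: if the proxy is not authenticating users, the best the log can offer is an IP address, and the same IP may be shared by many people.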

Within the family it is probably much more difficult to monitor what an individual is up to. However, many home security software packages have the ability to review what has been accessed. This is not my personal area of expertise, so I will try to get some references for suitable family monitoring systems. Many home routers themselves keep logs and even have blocking firewalls.

Next time I will concentrate on the kind of systems available to corporations and businesses that prefer to have an element of access prevention.


About harlekwinblog

"Thoughts of an idle mind." Information Security professional.
