The consumerisation of IT has become a fashionable catch phrase over the past few years as some companies choose to give employees the option to decide what hardware and software they use at work. Schemes have been set up, such as Bring Your Own PC (BYOPC), where virtualization technologies are deployed that allow users to run a managed corporate desktop from their own device with the aim of reducing costs.
While these programmes may benefit tech-orientated employees in large companies like Google, for most organizations, passing responsibility for IT purchasing decisions to users, which in turn determines business policy, isn’t likely to be the best way forward.
When friends or colleagues ask for advice about purchasing a new notebook, what criteria do they usually give as a priority? Looks, style and other desirable ‘must-haves’ often outweigh technical considerations, such as whether the device has the necessary capabilities to run line-of-business software, if it can be supported by IT or whether the build quality is likely to make it durable enough for business travel.
Similar factors often come into play when users make decisions about what software to install on their work devices, with little understanding of the complex problems that may arise if software is downloaded from untrusted sources, left unpatched or causes a conflict with a line-of-business application.
Consider the current malware situation on Windows. Most infections result from poor decisions taken by users on what constitutes a genuine security update, an application that’s trusted and required for business purposes or being duped into clicking links that redirect to sites with drive-by downloads.
Now, with changes to the security model in Vista and Windows 7 that make the OS easier to use without administrative privileges, and with some help from third-party utilities such as Avecto, IT departments can ensure that only qualified technical personnel are able to make changes to core system configuration. Standard user accounts reduce the number of security incidents, malware infections, calls to the helpdesk and the frequency at which operating systems have to be reinstalled.
While also limiting flexibility from users’ perspectives, the advantages of least privilege security can often be justified by lower total cost of ownership and the necessity to comply with regulatory codes. If required, flexibility can be handed back to users by deploying applications stores (app stores) and virtual machines (VMs), taking much of the risk out of installing software by protecting key system configuration.
Most users don’t know what’s best for the business, and neither should they be expected to. Complex security decisions or determining the best solutions for business problems must be taken in consultation with all the stakeholders. In the past, IT often dictated what devices and software would be supported, but this should always be a two-way process, involving users and conducted with a thorough understanding of business needs.
Russell Smith, IT Consultant & Security MVP
Russell Smith specializes in the management and security of Microsoft-based IT systems. In addition to blogging about Windows and Active Directory for the Petri IT Knowledgebase, Russell is a Contributing Editor at CDW’s Biztech Magazine.
Russell has more than 15 years of experience in IT, has written a book on Windows security, co-authored one for Microsoft’s Official Academic Course (MOAC) series and has delivered several courses for Pluralsight.