Several years ago I successfully convinced a company with hundreds of productive employees to have everyone change their network password every 90 days, and to enforce the use of complex passwords. The network accounts controlled access to email, file and print, and indeed their very computer.
Naturally, some users were enraged. I thought that I was making the network safe, and that they were lazy and irrational. I was wrong.
### … Paved with Good Intentions ###
Now of course I was well intentioned; I wanted our network to be more secure. One part of my job was to assess, propose, and promulgate more and better security. After all, it would be harder for the bad guys to get to our company’s confidential data if we made the passwords harder to crack. I demonstrated this by running a network crack tool against the computers and thereby cracking somewhere between 10% and 20% of the enabled accounts.
### Less Security, Not More ###
But the policy resulted in a less secure network. Why?
* People could not remember the new passwords, so they wrote them down on paper, and placed them near their computers.
* People could not remember the new passwords, so they had to be reset, which meant there was an amount of time when the people could not do their work because they were waiting for an administrator to help them (not to mention that the administrator could not do other work when helping them).
### What is Security? ###
If we take a step back, we need to ask the question of security _for what_. That is, what does security mean? I have a presentation somewhere that fleshes out the whole meaning of the concept in terms of access. Reliability, data integrity, access control: all of these come down to access. If security is cashed out in terms of accessibility, then we simultaneously denied our own people access to our own resources, and at the same time made those people who already had a strong password less secure by forcing them to create new and hard-to-remember ones.
Yes, yes, I hear you say _but there are mnemonics to help with password recollection_ and I completely agree. I have taught them to many people. However, what are we really doing here?
### Intervention at the Edge ###
This approach of a monolithic policy caused havoc and a loss of productivity, while at the same time giving us a warm and fuzzy feeling of being more secure. We have an enforced policy! The lawyers were proud. A defensible position, in legal terms.
We can contrast this with another approach, which I don’t have a good name for, but let’s call it __intervention at the edge__. This is where instead of creating a policy, let’s say about firing all people who watch pornography at work, we just drop in a network sniffer and send anonymous messages through the browser that those few people having a naughty peek at work shouldn’t be doing that. Wow, behavior changes, problems averted. No HR involved, no attorneys, no careers ruined. Much less time involved, results achieved.
### Outsource Yourself ###
Those network administrators working in corporate IT departments should take as their goal their own outsourcing. That is the only way to really conceive of the changes that are going on in the industry and the appropriate professional response to them. This is also, paradoxically, the only way to make oneself valuable and prevent one’s own outsourcing.
What I mean is this: consider that every action taken (policy or non-policy) will result in more work or less work in the future. Also consider that every action will result in more or less work for the non-IT people. Consider finally that every action will have an effect on access, the core concept of security.
If a course of action will take more of your time, more time of others, or give yourself or others less access to resources, it should be regarded with deep suspicion.
### Folly of the Administrator ###
I have recently heard of the ongoing folly of administrators who do such things as block access to YouTube and Gmail. Why? If employees are spending company time and network resources on non-work activities, then there is a bigger problem that should be dealt with at the level of individual performance. However, is it conceivable that these and other blocked sites might be useful to an organization? If so, then blocking them is denying access to resources. In addition, the idea of turning wasteful employees into virtuous ones through legislation is a folly that has existed for millennia. There is plenty of evidence for this in the histories of Suetonius and Tacitus.
Silicon Valley is considered the most productive place on the planet. This is the place where Gmail and YouTube were invented, and where they are consumed no less avidly. And yet, doesn’t this contradiction of dramatic productivity alongside equally dramatic time-consuming activity on these seemingly irrelevant resources give pause?
### Policies should be about the Future ###
I have had the sad task of being a part of a committee promulgating network policies for a university. The experience was one where I found myself as the lone voice crying out for us not to legislate the current ad hoc administrative practices (turning them into rules that would then require action by the Board of Regents to actually change). As the only student on the committee, it was seen as natural by university administrators that my suggestion be ignored.
Policies should help guide future actions, not past practices. Policies should be about giving more access to more resources, and not restricting access. In other words, we need to do __the exact opposite__ of what network administrators tend to do.