Locking Down on Loosening Up: What Are You Doing?
Fri, 2008-04-25 17:51

The conventional security wisdom is to lock down your endpoints in order to enforce security policy. That approach was thrown out at Google, according to Douglas Merrill, Google Inc.'s Chief Information Officer (CIO).  Is this a trend? Should we all be adjusting our strategies?

The interview that I'm referring to was published online by the Wall Street Journal.  Here's a quote from Mr. Merrill:

"We're a decentralized technology organization, in that almost everyone at Google is some type of technologist. At most organizations, technology is done by one organization, and is very locked-down and very standardized. You don't have the freedom to do anything. Google's model is choice. We let employees choose from a bunch of different machines and different operating systems, and [my support group] supports all of them. It's a little bit less cost-efficient -- but on the other hand, I get slightly more productivity from my [Google's] employees."

So should we all be offering "choice?"  I certainly believe that our customers who read this WSJ interview think so. And yet, there are many articles calling for us to lock things down much further.  A Google search for the phrase "lock down the desktop" yields 1.1 million results.  The top result actually comes from Microsoft.

Numerous articles are available on anomaly detection software and the need to have strict policies to stop bad things from happening to our customers. Don't we need to disable USB drives, enable screen savers and ensure security patches are applied, etc.?

That is certainly the direction that we are moving in Michigan, but it appears that Google believes (and is telling us) that the "traditional security model didn't really work."  

So what about the rest of us? I know Google is very tech savvy, and I know that they are different in many ways. Yet, we tell our smartest staff that they also have to "eat our own dog food."  Bottom line, our policies are largely the same for all employees.

I'll write more in the future on where I think the Google model could lead for large organizations, but first, I'd like to know your thoughts. Will this approach work, and more importantly, what is your org doing? I certainly know that this approach is popular with end users.

  
