Security vs. Needs: the Great IT Divide
"scottygu3" made a comment in that discussion that is interesting: "IT goals are incompatible with user goals. It is a continuing give and take battle between the two." It is interesting to me in part because I disagree with it, but more because I think it demonstrates a perception problem we in IT have with regard to security. (Now, I must admit that the perception has arisen because so many IT guys have the same opinion. They don't call themselves "sysgods" for nothing. While I think the statement is inaccurate, scottygu3 is dead on in stating it.)
Rather than seeing the goal of securing the box and the network (the two are inseparable) as "IT" goals and as at odds with the users' needs for using the machine, a proper IT perspective is that we need to accommodate security and usability both while the negative impact of either on the other. If our goal in IT isn't to make the system serve the needs of the user, then we don't understand the field. The converse is true too, however. If the user doesn't understand that part of serving them is making and keeping the systems secure, either from maliciousness or simple misadventure (or foolishness) on their part, then they don't understand it either. Our job is to manage the interface between these disharmonious needs.
Inevitably, circumstances will arise where one or the other need gets short shrift. At Vermont Academy, many students feel it is their "right" to install anything they want on their computers. Now, I agree that everyone who owns a computer has the right to do with it what he will. Just don't connect the damn thing to my network if you do, OK? (There's that sysgod attitude...) Because they do need and want to connect the Tablets to our network, I feel justified in putting "right" in quotes above. By dint of connecting to a shared resource, where their actions will inevitably have impact on every other user, their rights are to some extent abrogated--of necessity. There's the real rub. (Unless, of course, you disagree with this premise that connecting to a shared resource implies collective responsibility and risk which must be managed.)
We are at an uncomfortable spot right now in our seeking for a balance point. Our history is that we owned all the machines and therefore had full control of what was on them. Our security model and policies were developed in this rarified atmosphere. When we opened the network to student-owned machines, we didn't have everything in a state where we could comfortably give them the ability to install whatever they wanted while still keeping things secure. I am not sure such a state actually exists. (See Microsoft's 10 Immutable Laws of Security. Change "computer" to "network" and you have a glimpse of the reality of a network manager.) This year, students do not have access to the administrator account on their machines. (I can hear the gasps and screams from here.) That is the real issue Rick raised in his comment.
This causes no end of problems for students with legitimate need to install something, such as a printer driver. (Why Microsoft doesn't allow this function to be assigned to a non-administrative user is totally beyond me, but they don't.) Our solution for this year is to take the time to install what the students need or want for them. So far, beyond printers, all we have installed is iTunes and games. So much for educational needs.
From a security perspective, this policy has worked. It certainly doesn't mean less work for IT, but rather more as we have to install a lot of games. In my tenure here, we have never had a significant virus infection or, to my knowledge, security breach of any kind. We certainly have had students who have tried to install keyboard loggers and other mal-ware, but our policies cramped their style adequately.
The reality is, though, that this needs to change, and for reasons Rick and Scott raised. We are still working on the policy going forward, but our goal is going to be to find that delicate balance point that serves both usability and security. You haven't heard the last of this issue...