Sunday, June 21, 2009

Response to "Why Enterprises Shouldn't Limit Web Traffic"

I don't really agree with the writer on this. I think it sounds good in theory, to transfer the problem to the "education" of the user. But that's assuming that all computer users know and understand all the things that can cause problems on a network. There are a few flaws in their reasoning.

First and foremost, most end-users are just that, users. They really don't know or care to know all the dangers of being on the internet. That's what they pay people like me to do, that is, to implement and enforce measures to allow businesses, including government agencies, to go about their daily business. It's all about the bottom line. To a business, profit is the driving force. And they pay specialized people to make sure their enterprise is safe. I can tell you that to allow uninhibited use of the internet with no filtering would be disastrous. Hello!! Go back just a few years when the concept of computer and network security was non-existent. Users could go anywhere, download and install anything. They had root access to their boxes. It was pandemonium. It's much easier to stop a threat at a firewall, proxy server, or gateway than to have it spread to thousands of workstations, servers, and other hosts in an enterprise. The author obviously lacks any formal computer or network security education, such as CISSP or even Security+.

The second reason is that employees are getting paid to do a job, not surf the web. That is unless it is their job or part of their job. Without rules or restrictions, employees will see it as a free ride, and an excuse not to get their work done. The author called this idea a "red herring". What???? Can someone explain that one?

The third reason goes into the legal and ethical issue. Do you want to allow users on a corporate network to gamble? To go to porn or sexually oriented sites? Hacking sites (and I don't mean ethical hacking)? To use their internet connection at work for any and all imaginable personal uses? Imagine how the taxpayers would react if users were permitted to do all that on government assets?

The author says "Employees are spending more time trying to find ways around the firewalls than working. If they had access to the sites they wanted to see, they'd go there and get back to work sooner." I got news for this gentleman, you do that where I work and they will toss you out on your ear. We all know the government and military enterprises are tightly locked down. Any attempt to circumvent security measures is considered malicious and/or seditious behavior, and you will be shown the door and maybe face criminal charges. You better hope you can get used to that irritating beep at McDonald's when the fries are done, because at that point you need a new career. In fact, many corporate networks are even tighter than government; sometimes they have NO internet access, just intranet. And their tolerance is limited.

Lastly, the author has no concept of security, of any kind. He does not understand the role of the IT staff. Here's a quote:

"Companies don't need to limit the amount of access employees have to the Web -- they need to learn how to more effectively deal with the threats."

What the author is either forgetting (by now I think he just doesn't know) is that in many cases, the ONLY way to prevent a threat is to NOT GO THERE. That might be hard to swallow, but it's true.

"And that's the biggest issue with the enterprise blocking Websites. It might make sense at first glance, but if we take a rational look at things, it's actually clear that it's quite the opposite -- firewalls cause more headaches."

I will openly admit that making life easier for us IT people is NOT the first consideration of any implementation. Sometimes it's not a consideration at all. Sometimes it is a delightful benefit when it does make life easier. In any case, security is integrated into everything we do. It may be a headache, but it's our job. Those headaches are the challenges that drive us to be better, and to make our respective enterprise better.

The bottom line is encouraging though. Neither companies nor government will ever relinquish that much control of their network resources to the employees. Even the recent U.S. Army decision to allow its users access to social web sites is not a major thing like what is proposed in this article.

Shon Harris would have a field day with the author.




Why Enterprises Shouldn't Limit Web Traffic


Original Source: http://www.eweek.com/c/a/Security/Why-Enterprises-Shouldnt-Limit-Web-Traffic-376995/


Regards
John Crawford
