There has been an interesting conversation going on over the last few days. The starting point was Brian Katz' post about Herding Kangaroos, and the follow-up, Where's Waldo.

The gist of Brian's post is this:

The world is truly full of boogey men and if someone desperately wants your data there is very little you can do to stop them in most instances, you may be able to slow them down but that is probably it. The issue I have with this locking down of the enterprise is that it affects the business.

[…]

If users aren’t given the right tools, they find what they need anyway and give it to everyone else who wants/needs it long before you have a chance to put a stop to it. It becomes very difficult to play the Where’s Waldo game every day.

Everyone's Waldo

I agree, for the most part. I've been a sysadmin, and I cut my teeth adminning for a department of smart-aleck developers who all needed the root password / security exceptions / special firewall rules / extra disk quota to do their jobs, so the notion that we could have perfect security if only we didn't have to deal with all those pesky users definitely strikes a chord with me.

The problem that IT faces is much the same as the entertainment industry faces. Not only must the security measures in both cases be sufficiently inobtrusive that users don't find it easier just to circumvent them, but at some point you have to give users access to the content you're trying to protect. Just as all those FBI piracy warnings on DVDs have to (eventually) end and let you watch the film, all the encrypted location-sensitive token-based secure content lockers have to let users view the files at some point. Once users have the content, no clever technology is going to prevent someone from doing something IT doesn't want them to do.

Violations can be impressively low-tech. One ex-colleague, a sales guy, printed out his presentations, and then used the same print-out for multiple customer engagements - complete with slides under NDA, embargoed roadmap details, and confidential details on other customers he had previously used the same printout with. How does your Enterprise Solution prevent that?

Or what about users giving up their passwords for candy bars, or entering them in online "password security checkers", or clicking on the link in that e-mail pretending to come from the help desk?

In the end it's not about the device, it's about the users. Technical fixes will only get you so far. Focusing on the people who bring their iPads to work and ignoring the guy walking out the door with a sheaf of dog-eared printouts - but corporate-issued laptop and phone - might follow the letter of the infosec policy, but it's certainly missing the spirit.

Explain to people what your goal is, why it's important (to them), and make it easy for them, and most of them will go along. The ones who won't have other problems anyway.