Platt Perspective on Business and Technology

Understanding the tradeoffs in selecting technology to deploy in an IT system – 2

Posted in strategy and planning by Timothy Platt on August 3, 2011

This is my second posting in a short series on understanding the tradeoffs in technology deployment decisions, and on building best practices for making those decisions (see Part 1.) The primary take-home lesson of Part 1 was:

• Technology is always changing, and rapidly and that so are the ways that people use it. And that includes rapid and ongoing evolution of the way that people in the real world use technology in unexpected ways, unanticipated by its designers, builders or providers.
• And any effective approach to technology review and analysis, and to selection and incorporation of new technology into information technology (IT) systems has to be flexible in the ongoing need to accommodate New and Unexpected and from all directions.

For IT systems in particular, a significant side to this New and Unexpected comes from the way the boundaries are blurring between in-house and business owned and managed, and outside and employee or unknown third party owned. That can and does mean business owned handhelds and other wireless-connected portable devices that are brought home by employees as they stay connected and available, and it just as fully includes employee-owned devices that are brought to work and that can be used in a work context – and for “unknown third party owned” just consider the local coffee shop with its free, open Wi-Fi that people connect and go online through, and usually without a thought as to whether they are using their own device, a business-owned device or a device that could be considered somewhat both.

I pick up on this discussion at that point as I start this series installment, and my goal here is to discuss these issues in terms of the specific decision making context of handhelds such as tablet computers and smartphones. And this is a story about downloadable and server-side apps and their functionality as considered in a due diligence framework. I begin that by asking a seemingly simple question.

• Handhelds and other portable devices gain value when they can be used to manage wider ranges of tasks and with greater ease, and it can be argued that increasing the range and variety of apps that a device can carry and use increases its flexibility and functionality – and value. At the same time, simply opening the door to inclusion of apps per se into an IT system would expose that organization’s information systems and their contents to very real and significant risks. How should an IT department set and enforce policy as to what types of app are approved and vetted and how should it manage the due diligence and inclusion process for this?

I say seemingly simple here because as posited, this sounds like a basic due diligence and risk remediation question of the type that IT departments and their risk remediation and information security teams have been dealing with since the dawn of modern IT departments per se. But that can leave you thinking strictly in terms of in-house managed systems and without consideration of the full impact of the way the boundaries blur.

As a chief information officer (CIO) you might be able to select the brands and models of tablets and smartphones that will formally be included in your organization’s hardware inventory. You undoubtedly will do that, and with an eye to managing what apps are uploaded to them, and where they can and do come from. You will probably have user policies in place regarding apps and app approvals, and internal firewalls set up as back-ups to that for when real world device user-employees just have to download that game, or that specialty search app anyway – and it may be carrying something extra hidden in it. And even for that, you face a complex set of constantly changing challenges.

Let’s say, by way of example, that an employee with password based access permissions into sensitive file folders on one of your servers, downloads a traffic update app with a keystroke logger package hidden in it that would be used to sniff out and report passwords to hackers. The hacker who sets this up may try using login information so gained themselves or they might bundle it in with other password access information and sell it on the open and active underground market for clandestine business information access and identity theft resources. Now your challenge is to distinguish between legitimate remote logins and hacker logins attempted using the same passwords.

I am not going to delve here into the issues of password shelf-life and how and when to update them by set policy, or management of allowed access request IP addresses that are accepted as legitimate, with response protocols when an otherwise legitimate appearing login request comes from an unrecognized IP address. I will simply note that these and a wide range of other approaches and considerations go into developing a security in depth system for managing permissions and access to sensitive information systems. Instead, I step outside of the in-house systems perspective to look at the basic underlying issues here from a wider perspective.

As CIO you can and undoubtedly will select which handhelds to include in your formally defined and maintained in-house systems with the online app stores in mind, and with free, crowd sourced apps in mind too that can be found and downloaded from a myriad and growing range of sites, social media profiles, etc. You may very well decide against one device and for another because you see that one as offering greater control as to what ends up on the handhelds that your employees will use on the job and try logging onto your servers from. But how does this address the situation where employees try logging in from their own computers or handhelds? Do you have your technicians add software protection dongles to your approved in-house owned devices that have to be in place and properly configured in order to access resources that your business offers that are not public facing? Then a visitor could access and view your public-facing web site or social media presence from anywhere, but they could only log into a secure area from a devise that has been set up by a member of your staff. And if this is all you do, you set your information security up to fail. Any and every specific approach to managing access and security can and will fail, or simply become irrelevant with time, and probably fairly quickly.

• Think, plan and execute in terms of open systems where the boundaries between in-house and outside are arbitrary and open to debate.
• Accept the fact that your employees will find ways around any given technology fix that you might put in place to address this.
• So you have to keep evolving your systems at least as quickly as your users do in finding new ways to use them – or bypass them.

You can find this and related postings at Business Strategy and Operations.

Tagged with:

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: