Cool versus Control (History Repeats Itself): Part 2 of 3

In our first Cool versus Control post we began to examine the evolution of technology and its impact from both a coolness perspective and also from the security point of view. In part 2 of this series we will take a stroll down memory lane as we take a brief look at the traditional corporate security approach to one of the most chaotic, unstructured, and out of control applications.

Email.  Can you imagine a company today running without it?  An outage has all of the employees in the hallways faster than an earthquake.  A minor glitch paralyzes a modern organization.  Email is a wild and wooly ball of risk, yet its value to an organization is unquestionable.

Now think back to a time when coaxial cabling was first being patched from office to office.  A mail server was an isolated machine that hosted messages for users of the network…it didn’t need a firewall to protect it, but its true usefulness as an intra-office memo platform was limited.  At least that was what it still was like for a decade after RFC 821, with the previous decade of text messages isolated to ARPANET.  Nerds like me would perhaps chat or read posts on BBS message boards via dialup measured in baud.  Some of you may not remember this era, or may not want to admit that you actually know how bad it was to drop the shoebox filled with punch cards.

The world was decidedly disconnected. It became cool and dangerous in equal parts as it became connected.  As the connection increased so did cool, and as cool increased, control struggled to slow it down.  We dusty old techies can remember the long, foot-dragging march from internal only email to AOL, ISPs, BlackBerry, VPN, Outlook Web Access, iNotes, smartphones, Cloud, bringing us all the way up to theoretical anywhere access. I might argue that companies that saw the “cool factor” benefited from keeping their employees always on, and those early adopters got a slight advantage.  Some might say that is not the case.  Email is dangerous…right?

With email, there is always the risk of exfiltration, virus infection, spear phishing, and SPAM, and sure you can protect against it 100%…if you block all legitimate email.  In other words unless you are going to shut certain services off completely then how safe can you make it without turning the user experience into a giant pain?  Let’s not forget, that targeted attacks look legit and they use custom malware with unknown definitions by design.  There is literally no way to fully protect against an email attack, yet we would not dare turn this cool service off.  We hedge it, block it, hamper the users a little bit thinking that this will actually protect against anything, but the MX record still points diligently at our servers.

Restrict the end users too much, and they will do things that are really not advisable…you know like forwarding everything to an external webmail account over HTTP.  Block forwarding certain emails via email permissions?  Users will copy and paste, make screen shots, and forward those or print out emails.  Block internal -> external access to webmail, and users will save sensitive documents onto USB sticks they can lose.  Disable USB ports, and the enterprising end user might just photograph it with their smart phone camera, or write down the details with a pen..  I have also seen plenty of rule bending workarounds from Admins too.  Why do the users behave this way?  Like children squirming to get out of your arms so they can go play?  So the users can work on things at home, so they can get simply things done.  Once the business requirement is understood, we need to find a way to say “Yes” – not get in their way like an air gap just waiting to be jumped.

So which cool application or web service is the next email-like game-changing technology?  Are we blocking it now in a typical, uncool, parental control manner?  What benefit/risk does it really pose considering what we allow via email?

In our final installment, we’ll examine how to make sure you know what the business needs and wants, what that value versus risk is, and look at options for delivering cool in a managed way.