Like the rest of the posts on this blog, this is an opinion piece based on my 2+ decades on the industry. Some will agree, others will disagree. Some of the language I’m going to use in this post may be interpreted as condescending towards various groups of folks in the industry. Good. That’s the intent.
Let’s get started.
Definition of IT Security
When I say “IT security”, I specifically mean that which secures your office place. The PCs, laptops, Macs, and the networking that your employees use to do their day to day jobs. I specifically DO NOT mean the networking and servers that your company uses to provide products or services. The term I use for the latter is “production”, not “IT”. Though to be perfectly fair, several of the concepts I’m going to discuss can and should apply to both production and IT.
But let’s focus on the work place.
IT Security: Prison
A prison is built to keep bad guys locked up inside, and away from the good guys on the outside. It’s built with guns pointed inwards towards the threat. Generally, people don’t want to be in prisons; if they’re inside, they want to get out as quickly as they can. No one on the inside is trusted at all because it’s assumed they’re all criminals and, left to their own devices, will cause no end of trouble. Therefore they’re locked up, or watched intently, constantly.
How does this apply to IT security? Trust, or lack thereof, is at the core. The group of folks in charge of making security decisions don’t trust any of the rest of the employees in the company. Therefore, folks aren’t allowed to surf harmless web sites, or read their private email, or even communicate electronically (see: IMs, et al) with their buddies on the outside. In the minds of the security folks: everyone is just one click away from giving away all of the corporate IP and causing no end of problems for the company.
The result is an work space that geeks don’t want to stay in for very long. Morale drops, and folks start putting in their required 8 hours a day, and that’s it. If you’re a company that needs its geeks in order for you to succeed in your mission, you’re putting yourself at risk of failure by building a prison around them and treating them like criminals.
IT Security: Fort
A fort is built to keep the good guys safe by keeping the bad guys out. It’s built with the guns pointed outward towards the threat. People want to be in a fort because it’s safe and secure from the outside world, for the most part. People who are inside the fort are those that are trusted to be there; whomever has vetted folks to be within the walls of the fort trust and know that everyone inside will do the right thing (whatever that “right” thing is) and not cause any havoc or mayhem. Should someone cross that line, there are punishments that can be dealt: stockades, brigs, etc. But for the most part, folks are able to do whatever they want within the walls of the fort because the threats are outside.
How does this apply to IT security? Well, it’s actually pretty simple to talk about, but potentially tricky to implement. Again, it’s based heavily on the idea of trust. You have a group of employees on your corporate network; they’re attached to said network via their desktop PCs, their laptops, or even wirelessly with their tablets or phones. You trust them to do the right thing and not cause any corporate mischief that can lead to IP loss. You trust them because you’ve interviewed and vetted them accordingly. They not only have the skills for the job they’re employed to do, but they’re also trustworthy enough that they don’t need to be watched constantly.
With that trust in place, IT security can be implemented fairly easily. A firewall device will exist between the corporate IT network and the production network; if you don’t need to get to the production side of the house, you don’t. And then another firewall which can perform Network Address Translation (NAT) from private, RFC1918 IP addresses to publicly-routed ones so that your folks can surf the web, access email, and other such resources on the Internet.
Outbound SSH Should Be Included
Yep. Allow outbound SSH connections. If your company employs geeks: guys and gals that are virtually hardwired into the Internet, then they need and want access to resources outside of the company network. And they’ll want CLI access, not just web browser or email access. They may be using that CLI access to communicate with buddies in other companies or to check in on things at their own homes or for any number of reasons.
Is there a risk involved in allowing unfettered outbound SSH? Yep. SCP is part and parcel of SSH and you can use SCP to copy large quantities of corporate data off site. How realistic is that risk, though? Likely incredibly small. Why do I say that? Well, how many of your employees have corporate laptops? And how many of those laptops leave the office every night? And do you have any idea of what data might be ON those laptops when they leave the building? And do you have any idea what networks those laptops are being attached to when they’re not in the building? Simply put: if someone wanted to copy data outside of the company, they’d just put said data on their laptop and then copy it somewhere else when they left for the evening. Or they’d just use USB thumb drives to do it. Don’t get me wrong, there are people that do that; they should be fired immediately (see: stockades, brigs, etc). Punish the offending employee by making that person an ex-employee immediately. Don’t punish the entire organization by limiting outbound connectivity.
Another risk of unfettered outbound SSH is a reverse tunnel back into the network. This is something that, again, should be an immediate fireable offense. And it can be figured out by watching the outbound logs on the aforementioned NAT device; long-standing SSH sessions that run throughout the day, into, and then overnight need to be looked into carefully; they is probably some reverse tunneling going on there. Fire that person and make an example out of him or her.
Build a Fort, Not a Prison
Employee morale is difficult to measure. But the rewards for the company are numerous, including productive employees and ones that actively want to stay at the office longer to get more work done. They stay because they can also take care of personal and private matters while they work. In other words: multitask. I can hear the stodgy old grump of a CEO saying, “But they’re working; they should only be tending to work things.” Right. How many personal phone calls do you take on a daily basis, there, Mr. CEO? How many personal phone calls do you think others take? Or how many personal text messages? Simply put, people aren’t working 100% of the time they’re in the office. They need a breather here and there; some folks take that breather by going outside and sucking on a cancer stick. Others stay inside and surf harmless websites or read and reply to personal email. Stop preventing that.
Morale will be higher within the confines of an IT fort versus an IT prison. It’s not easy to make this happen in a secure fashion because it relies, again, on trust. You need to do a lot of homework to vet your new employees properly; you can’t just hire for skill you have to also hire people that you know will just do the right thing.
Remember: people want to be in a fort; they don’t want to be in a prison. Stop locking your employees up.