Anyone who has worked on a portal project has run into the most common of issues: Single Sign-On (SSO). It’s the holy grail of websites, the one you never quite find. No one wants to sign in multiple times, yet very few companies have eliminated it. Many companies use more than one SSO tool, such as SiteMinder, TAM, OAM, OpenAM, and Jasig. Let’s face it, it’s a hard nut to crack.
However, we in the IT world make it much harder than it should be, and we do this over the raised howls of business users, all in the name of security. I’m not against security. I believe we need to build sites that don’t let the wrong people in and that never divulge customer, partner, or other confidential information. That said, I don’t believe that many of our security policies have that as their only end goal. Many times, it’s about the cool tool they want or the approach they wish to take. Let me give a few examples:
Employee Portal for a company
I had a debate one day with the portal architects and the security folks for an employee portal. Because they didn’t trust the three-tier architecture running over HTTPS with a variety of firewall rules and a DMZ, we had to argue against setting up a completely separate infrastructure for external access. The security guys were willing to let employees access the portal from their homes; they just weren’t willing to let that kind of site reach any back-end systems. We could put content out there, but most applications would not be allowed. In other words, we could double the hardware cost. We could double the software licenses. We could double the work to set it up. We could add more to system maintenance. In return, we got a mostly static site that really didn’t give employees access to what they wanted anyway.
To VPN or Not to VPN
Another company, OK, make that several companies, had a VPN. When we interviewed the users, we found extreme frustration because the VPN process looked something like this:
- Ask for approval and wait a bit.
- Get approval and wait a couple of days to get set up.
- Get a link to download the software.
- Install the software, but have to make some key configuration changes that are relatively hard to do.
- Try to install the software on a Mac and fail miserably.
- Go to IT with a trouble ticket and wait, potentially a long time.
- Finally get your issue resolved.
- Try to access the website you wanted in the first place, but realize that after you log in, you are dumped onto a weird site that’s different from your main landing page. Spend 4 clicks and a couple of minutes of your time just getting to the site.
You get the idea. Here’s the kicker: those who typically set up the VPN and manage the trouble tickets are convinced not only that they are managing security but that it’s not that hard on users. I think we in IT all too often forget that we deal with technology every day. Most business users can’t make sense of something without the context we already have in our heads. It’s so much harder for them. When we make it too hard, they start doing things like copying confidential data to their laptops.
Insane Security Policies
Before I give an example, I want to say that I’m aware that sometimes security needs to be really tight. If that’s the case, then we should make it really tight. However, I all too often see security policies that forbid copying information and sharing that data with third parties. I see policies that prohibit sharing collaboration tools with partners, external marketing agencies, suppliers, external researchers, etc.
All too often this has only one result: users find a tool that will get around the policy. It’s really easy to use Dropbox, Box.net, personal email, and a host of other consumer tools to get around these policies. The end result is the same; users do what they feel they need to do in order to complete their assigned tasks. However, in this scenario IT went from having some control over how users share information to having no control whatsoever.
Mobile Security Policies
Mobile devices, in the form of personal smartphones, tablets, etc., have taken the world by storm. I’ll give most IT organizations credit. They see it. They recognize they need to do something. It’s just taking a long time. I have more than one client where mobile security policies prohibit the use of personal smartphones even to check email. I’ve spoken with slammed managers outside your typical corporate setting (store floor, factory floor, etc.). They are not allowed to use a mobile device to check email, search for knowledge on how to fix a machine, or do a myriad of other productivity-enhancing tasks. So they follow company policy, leave the customer or the machine, and spend somewhere between 5 and 30 minutes getting to a corporate-approved device. That’s a staggering loss in productivity.
What to Do
We have no silver bullet for the issues mentioned above. However, I think IT and the business should each do one thing:
- IT should NEVER implement a security policy or technology without thinking through the best way both to make it secure and to make it as easy as possible for the user. Allow access to the employee portal, but in a secure fashion. If users must use a VPN, then make the VPN easy to install and pre-configure it. Test it on the devices your company actually uses. If an employee has no access to key systems except through a mobile device, then allow it once you have figured out how to secure the data. It’s better to require a password in the app than to not allow usage at all.
- The business should allocate funds to secure its assets. It should also allocate enough funds and resources to let the security folks secure those assets without putting 15 roadblocks in the way. If one VPN technology supports the Mac, allows pre-configuration, and costs a little more, pay the price. If you don’t pay the price, your loss in productivity will exceed the few dollars you just saved.
We do have a new reality. The reality is that mobile devices and the tools that come with them make it extremely easy to circumvent a lot of our security. In IT, we can either enable users to collaborate securely or we can get in the way and lose control entirely. Taking the long view, that’s not a tough decision.