People Keep Tryin’ to Put ‘Em Down
They have been variously described as technology’s Generation Y or Generation Tech, an undisciplined, impulsive, entitled horde of 20-something workers that older heads are inclined to see as one of the biggest security challenges ever to hit corporate networks.
Having grown up in an age of lurching software advances, ubiquitous communication and social networking, this is not a group easily dissuaded from using any and every application by the old reasoning that software can be a “bit risky.”
The same applies to their attitude toward bringing your own device(BYOD), a trend driven by the basic social reality that workers of all age groups now depend on personal devices such as smartphones and tablets and won’t take happily to the idea of being asked to leave them at home.
If the Gen Y label sounds a bit glib there is a small but growing body of evidence that a worker’s age does play some role in shaping attitudes to technology. A recent survey by Avecto of 1,500 IT admins visiting the TechEd US and European conferences found that workers between the ages of 20 and 35 – the Gen Y demographic - were seen by 80% of professionals as posing a formidable obstacle to application security.
Why? The tendency of this group to download unauthorized apps was the first big concern, with nearly 40% of admins reporting having experienced a malware incident because of this behavior. Three quarters of admins weren’t even sure how many unauthorized applications had been downloaded, which renders the issue of the damage caused almost moot.
It’s not necessarily that older workers don’t participate in risky behavior as well but that Gen Y is perhaps more active and confident in finding applications for themselves and utterly convinced of their right and need to have them. The survey implied that many admins try to cope with this by “flying blind,” that is they look to manage assertive users using manual procedures based on assumptions and trust. Without tools they have no obvious alternative.
Because Windows applications often demand privileges when installing or updating quite basic applications and add-ons, the easiest if most extreme response is to either fully enable or completely block such privileges. Some incorrectly assume that only esoteric apps still ask for admin rights but this is far from the truth. Here are a few common examples that will ask for privilege elevation:
- Flash Installer/Updater
- Apple iTunes
- Google Chrome
- Adobe Acrobat Updater
- Blackberry Desktop Manager
- Citrix GoToMeeting
- Cisco WebEx
- HP Universal Printer Driver
- VLC Media Player
- Adobe AIR
To this should be added countless examples of legacy and bespoke applications. Blocking or enabling offers certainty but is counter-productive; enabling privileges allows dangerous applications to run at will while removing them stops legitimate and even necessary ones from running at all.
The common solution to this software checkmate that has been available since Windows Vista and Windows 7 is to allow privilege escalation on demand through User Account Control (UAC), but this too comes at a price; admins are bombarded with requests for passwords to elevate application privileges without the visibility to know whether a specific request is justified. Gen Y, meanwhile, is frustrated at even having to ask.
Migration to Windows 7 has turned out to be the important moment where organizations reassessed hardened assumptions about the way employees use and access applications, and a growing number have concluded that the rational response is to invest in least privilege management. With this design, users can request application admin privileges on a case-by-case basis after authenticating themselves in a way that offers audited admin oversight.
The user is given the privileges he or she needs and can use applications on demand with the added benefit that admins are given some visibility into which new applications are finding their way on to the “required” list of the workforce. These rights can be revoked when they are no longer needed, which could be as little as minutes later.
This model overcomes the unhelpful cultural barrier that can spring up between those whose job it is to administer software and employees who might be asking for unsanctioned but potentially beneficial applications admins haven’t even heard of.
There’s no simple answer to identifying which applications might be beneficial and which will turn out to be a productivity-sapping chore. It depends on the type of organization and the specific set of workers. Where might red lines be drawn?
In the blocked group will sit obviously malign applications (i.e. malware) or illegal or inconvenient (e.g. bandwidth-consuming P2P or video), but in truth the overwhelming majority will be tagged rather unhelpfully as “gray,” with their status unknown.
A good example of this is Skype, deemed appropriate for some users and organizations but not for others required to meet regulatory constraints that an encrypted channel into and out of the organization clearly infringes. It just depends. With application and privilege management admins will at least have an overview of an application’s popularity inside an organization the better to make an informed decision.
Opportunity, Not Threat
From the point of view of traditional, centralized IT, BYOD and consumer software are inherently difficult to assimilate. Admins are instinctively wary and with good reason. In conventional IT, the users are the source of most problems starting with the misuse of software. But here’s an intriguing thought; far from being negative and risky, perhaps the way Gen Y adopts new applications could have long-term benefits if a way can be found to accommodate the behavior.
It’s tempting to see the gulf that has grown up between admins and users in some organizations as a culture clash of two age groups, the LAN Generation (let’s call them “Gen X” because it conveniently references people born in the 1960s) and the younger Gen Y that has been the subject of this feature.
This would be a mistake although it does neatly outline the different attitude of workers who grew up with the PC and Internet in the 1980s and 1990s and for whom the challenge was simple: get things to work. Years on, for Gen Y the challenge is less a technical one than a social one: how to change the way things work.
Age, then, is better seen as a motif for divisions that grow up in all organizations between hierarchies, between those whose job it is to manage and those who carry out its most basic functions and look for as many short cuts as possible.
What the emergence of Gen Tech suggests is that technology has changed in ways that offer huge benefits and the best response is to adapt rather than deny, and to involve workers in choosing and developing applications rather than turning them into slaves to the UAC prompt and login box.
Applications are not the enemy and neither are the people who use (or want to use) them. They are the managers of tomorrow and the future of all organizations that the managers of today want to stick around.