As a programmer, I've had the concept of "don't ever trust your users" beaten into my head. For programmers, this concept is incredibly important. Users almost always exceed your expectations for creativity with your new application. By planning for unexpected input and properly cleaning all variables, you can theoretically account for abuses of your system by malicious users and provide a graceful failure for users attempting to enter bogus data.

This concept is key to programming. What I find astounding is that a large majority of corporations are adopting this practice for all IT-related issues, and it's even saturating into HR and other areas of employment. Working as a Security Administrator, I'm surprised that most employers have decided to not trust their employees. If you can't trust them, then why would you hire them?

There are some key differences between "users" and "employees". We'll assume, for the sake of argument, that we're talking about a Web Application and an Employee's Desktop Computer.

Web Applications:

  • Usually allow most of the internet to establish a connection.
  • Usually implement a custom or home-grown authentication schema.
  • Usually implement a custom separation of privilege system.
  • Usually users are not screened prior to access.

Employee's Desktop Computer:

  • Usually require physical access (normally, badged entrance to a building, sector of a building, and possibly a room key).
  • Usually sit behind fairly restrictive firewalls that block unrequested inbound communication from external places.
  • Usually implement a centrally controlled authentication system like Active Directory or LDAP.
    • Usually this process is linked directly into HR's New Hire / Termination Process.
  • Permission and ACL systems are usually tied directly into Active Directory and/or LDAP.
  • Users are screened through the interview process. They also tend to be known to the organization.
  • Actions on the systems usually include a system for accountability wherein an event can be traced directly back to a particular user.

Yes, there are exceptions. I know Kevin Mitnick would just walk into a building behind an employee, pretend like he belonged there, and sit down at an unused computer and "hack" internally. However, people like Mitnick are exceptions to the rule. Most of these pimply-faced, angst-ridden, emo-listening script kiddies don't have the courage necessary to "hack" at a social level.

So why doesn't your organization trust you? They can easily punish and revoke access after repeat offenses. Theoretically, it's not more work than is currently being done. Actually, if users had administrative rights over their PCs, they could install the software they need to get their jobs done without putting in tickets to a corporate help desk. Would machines get thrashed by malware and stupid ass HotBar installs? Of course, but how many untrusting environments currently deal with those problems as is?

The fact is, virus and malware writers are clever. Certain processes run as administrator on a Windows machine regardless of the user logged in. Using the built-in messaging systems, the malware writers can force their installer to run as administrator if you have an antivirus process running. So in a sense, we have policies that impact and impede employees while not really eliminating the serious threats they're being flagged as preventing.

Currently, using a combination of open source tools at work, we're trusting our users. If they're not productive, they don't stick around. We get the IT overhead the hell out of their way and let them be productive. The result has been more effective employees. We do have problems occasionally, but every IT section fights the occasional virus or malware outbreak. Even cooler, the system we've adapted has helped us automate a lot of the fight because we've had far more time free to implement proactive and reactive network security policies since we're not spending all our time installing Adobe Acrobat on all 800 of our users' desktops.

We've also noticed that when users feel trusted, they tend to have a much more positive outlook on the whole IT field. I've been in environments where users hate their computer so much they become belligerent the second they get an error message. Granted, we still have angry users, but much less frequently than previously. We hired our employees because they were the best candidates and part of their job is being responsible. If they're not responsible, they don't last long.

Of course, there's an additional piece to consider. Now that we've nailed down the monitoring and accountability, we've noticed that after users get warned about something once, they generally don't repeat offenses. They genuinely want to be secure. Do you honestly think your employees want to compromise their personal data, trade secrets, or customer data? Hell no! That's bad. No one wants bad. They generally don't know not to click the damn monkey until you tell them not to. It's education.

The internet is a scary place filled with promises of riches beyond your wildest imagination. That promise, techies know, is no different than any opportunity that existed prior to the internet. Usually, if it sounds too good to be true, it generally is. Users need and want to be better educated about the threats they face online. Just like you paid that consultant to come in and teach best practices to your programmers, you should put together classes for users to get education on the internet and computers.

If you don't believe me, I dare you to put together an introductory course to internet safety for your users. Offer the class, don't force it down their throats, and see what the response is. Also, please don't be ignorant of non-work-related issues. Your employees screw around at work, and if they like you, they work at home. So, address clicking on the monkey and the threats that they face on those sites. Don't be arrogant, and make the class fun.

Even if a small percentage come to the first class, they'll generally spread that knowledge to co-workers and friends virally. The average person wants to know and use best practices for maintaining security on their home and work PCs. They don't want the world to know that they just bought Yanni tickets!

Generally speaking, not trusting the users is a GOOD thing for PROGRAMMING. However, used as a blanket policy for your employees, it creates an environment of distrust and disdain. It will undermine any "team building" seminars you just paid for to help people "synergize". They're your employees, and many of you spend more time at work than with your own families. If you're around people you can't trust, GET OUT OF THERE NOW. IT policies will not help you in this case.