Dear Bob ...Did you happen to see Roger Grimes recent posting, "Unauthorized applications (still) a bad idea," (InfoWorld's Security Advisor, July 14, 2006)? I'd love to hear what you have to say about it.- Curious GeorgeDear Curious ...Now why did you have to go pour gas on the fire?Well okay, here goes. Read Grimes' posting and you'll see same the same, tired, self-serving argument by assertion that's usually Dear Bob …Did you happen to see Roger Grimes recent posting, “Unauthorized applications (still) a bad idea,” (InfoWorld’s Security Advisor, July 14, 2006)? I’d love to hear what you have to say about it.– Curious George Dear Curious …Now why did you have to go pour gas on the fire?Well okay, here goes. Read Grimes’ posting and you’ll see same the same, tired, self-serving argument by assertion that’s usually used by members of the Value Prevention Society (VPS) to justify their one-size-fits-nobody policy recommendations. Unlike many who take his position, Grimes didn’t even haul out the usual references to publications of the Alarming Statistics Society of America (ASSA) to justify his claim that nobody ever installs an unauthorized application that does something useful. Instead, he provides examples, like employees who install GotoMyPC and instant messaging (IM).Grimes needs to take a trip to the clue store. Does he really think employees install GotoMyPC because they find accessing their work computer from home to be a matter of pleasure. Don’t be ridiculous – they install it because they’re conscientious, and sometimes need to work from home, using data that’s only available on their office PC. Very often, they have to do this because their company’s security team has outlawed jump drives, and configure their laptop computers so they can’t carry any data out of the company … security risk, don’t you know.So it’s drive in to work on Saturday or install something that helps them get their job done, because IT is too busy locking down the joint to realize the employees need a decent work-from-home solution. If that weren’t the case, employees wouldn’t have to install GotoMyPC: IT would provide a solid VPN, and Citrix or something similar that provides a way to access office files from home. As for the IM nonsense. Yes, user-installed IM does cause security problems. Unless Grimes has installed a bunch of keystroke loggers to find out what people are doing every second of their 50-hour work weeks (which is, by the way, why employees have to use office equipment for personal tasks, but that’s a different discussion for another time) … he has no idea what fraction of their use is personal and which is business. Here’s a simple alternative to forbidding this very useful communications tool: Install a corporate IM solution that is secure.Grimes’ oddest assertion is this: “Denying all unauthorized software by default leads to more innovation.” Huh? Unless you define “innovation” as “figuring out creative ways to bypass the lockdown,” the statement is absurd on its face. If you still think Grimes is on the right side of this argument, what I want you to do is to go back to 1980. Apply the same logic and you’d end up doing exactly what IS (the usual name back then) tried to do when faced with the PC: Forbid it. According to the IS organizations and pundits of 1980, PCs were brought in to play games and waste time in unimportant activities by irresponsible employees who … get the idea? I’m not going to generalize here. I’ve worked with too many fine information security professionals who take a balanced view of their discipline, recognizing that they are responsible for translating security policy into practical action, not to lock up the joint so tightly that nobody can breathe.But then there’s a different sort who are also drawn to the discipline: Junior G-men who divide the entire world into perps and victims, and who generally blame the victims for not spending their entire lives training to fight the perps.Okay, I’m done now. Get the idea? Grimes appears to consider the role of Information Security to be achieving total security, not striking a balance between risk and opportunity. Oh … I rechecked, and I was wrong. Grimes does make use of a statistic from the ASSA: He says 99% of corporate America isn’t doing enough to prevent crimeware. If “doing enough” means agreeing with his VPS-driven policies, I sure hope he’s right.– Bob P.S. I usually post here using a program called Performancing – a Firefox plug-in. Performancing lets me set these up off-line when I have to, which is quite useful; Firefox you know about as an excellent browser. Most companies would consider both to be unauthorized programs and I’d have to do without. Technology Industry