Just today I mentioned a point-counterpoint between Ranum and Schneier titled, “Should enterprises give in to consumerization at the expense of security?” I imagine most security folks feel this question every week, if not more often. I had a taste of it already on a Monday.
Clickability is a service that allows you to email links to people. Some sites, such as The Wall Street Journal, legitimately partner with Clickability to provide a limited ability to share articles with people who aren’t normally allowed beyond their paywall. Nothing too bad, yeah? But if you follow the links Clickability advertises about itself, you find that anyone can add a JavaScript bookmarklet and email, essentially, anything they want to anyone they want…and pose as anyone they want. Rut roh… In my organization, we use IronPort web filters, and IronPort blocks Clickability features due to their categorization as “Web-based Email.”
This is one of those grey area cases. What advice do you give?
On one hand, I can basically email anyone anything and pose as anyone. This may mean the ability to exfiltrate information over HTTP on port 80, bypassing the logging that outbound SMTP normally gets. It might mean being able to harass an ex anonymously. Or harass someone at work! And while some may argue you need to dig a little to make use of such functionality, I would say not really. Clickability’s own links advertise the ease of use, and even the barest minimum use case demonstrates the spoofability. And while most people won’t go out of their way in their daily lives to figure out how to spoof emails, if you put it in front of their noses, they’ll turn into criminals of opportunity, even if it just starts out as a practical joke on a cubemate.
In addition, an expert appliance, the IronPort web filter, is saying this site breaks policy. Should an SMB take it upon itself to make exceptions and start down that slippery road? One could argue that a major portion of the value in appliance-based web filters is not having to sift through and block sites on your own, but rather inheriting the categorizations the experts maintain.
On the other hand, this is a borderline case for “Web-based Email” in that it does not allow two-way communication. You can fire off emails, but you can’t get any in return. Likewise, you can’t send attachments.
In addition, the person making this request is a salesperson. With a laptop. And readily available access to networks not subject to our web-filtered VPN connection. So why even bother to control this? Similarly, we’re looking at expanding our mobile presence, which will further erode our ability to truly keep our arms around the data (assuming we’re still legitimately *in* that battle at all!).
These are big questions, and the answers depend completely on corporate culture. Unfortunately, those with open cultures will always slowly pressure and erode those with tighter cultures. It’s the whole “grass is greener” or “But Bob at the Club told me they decided to allow it, so we can, too!” mentality.
Often the best we (SMBs) can do is educate management as much as possible, then roll with whatever decision is made. In the absence of regulation, I’m pretty sure there is no right or wrong answer. We could clamp down and say no, or we could stay aligned with consumerland technology.
(My advice is pretty much the above, but I would lean just slightly on the side of trusting the appliance categorizations, and as such keep the site banned. But if someone else overrules me, I won’t be kept up late at night. There are good reasons to roll with the winds of technology, many of which go beyond security.)