Enter the Decentralized Zone
Network Security will be a joke until IT departments recognize users' power.
05/29/2001
Digital security is a trade-off. If securing digital data were the only concern
a business had, users would have no control over their own computing environment
at all: the Web would be forbidden territory; every disk drive would be welded shut.
That doesn't happen, of course, because workers also need the flexibility to
communicate with one another and with the outside world.
The current compromise between security and flexibility is a sort of intranet-plus-
firewall sandbox, where the IT department sets the security policies that workers
live within. This allows workers a measure of freedom and flexibility while giving
their companies heightened security.
That was the idea, anyway. In practice, the sandbox model is broken. Some of the
problem is technological, of course, but most of the problem is human. The model
is broken because the IT department isn't rewarded for helping workers do new things,
but for keeping existing things from breaking. Workers who want to do new things are
slowly taking control of networking, and this movement toward decentralized control
cannot be reversed.
The most obvious evidence of the gap between the workers' view of the world and the
IT department's is in the proliferation of email viruses. When faced with the I Love
You virus and its cousins, the information technology department lectures users against
opening attachments. Making such an absurd suggestion only underlines how out of touch
the IT group is: If you're not going to open attachments, you may as well not show up
for work.
Email viruses are plaguing the workplace because users must open attachments to get
their jobs done; the IT department has not given them another way to exchange files.
For all the talk of intranets and extranets, the only simple, general-purpose tool for
moving files between users, especially users outside the corporation, is email. Faced
with an IT department that thinks not opening attachments is a reasonable option, end
users have done the only sensible thing: ignore the IT department.
Email was just the beginning. The Web has created an ever-widening hole in the sandbox.
Once firewalls were opened up to let Web traffic through, other kinds of services, streaming
media among them, began arriving through the same hole: port 80, the port firewalls leave
open for HTTP. Now that workers have won access to the Web through port 80, it has become
the front door to a whole host of services, including file sharing.
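The point above, that a firewall rule which opens port 80 admits whatever chooses to speak on port 80, is easy to see in code. The following is an added illustration, not code from the original article: a port-only allow rule beside a rule that also checks whether the first bytes of the connection parse as an HTTP/1.x request line. The flows are constructed samples (the hostnames and payloads are invented for the example), and the `Flow`, `port_only_policy` and `inspecting_policy` names are this example's own.

```python
import re
from dataclasses import dataclass

# HTTP/1.x request line (RFC 2616): METHOD SP Request-URI SP HTTP-Version CRLF
_REQUEST_LINE = re.compile(rb"^(?P<method>[A-Z]{3,10}) (?P<target>\S+) HTTP/1\.[01]\r?\n")


@dataclass(frozen=True)
class Flow:
    """Hypothetical record of an outbound TCP connection: its destination port
    and the first bytes the client sent."""
    dst_port: int
    payload: bytes


def looks_like_http(payload: bytes) -> bool:
    """True if the client's first bytes parse as an HTTP/1.x request line."""
    return _REQUEST_LINE.match(payload) is not None


def port_only_policy(flow: Flow) -> bool:
    """The sandbox rule the article describes: anything to TCP/80 is 'the Web'."""
    return flow.dst_port == 80


def inspecting_policy(flow: Flow) -> bool:
    """Allow port 80 only when the connection actually starts with HTTP."""
    return flow.dst_port == 80 and looks_like_http(flow.payload)


# Constructed sample flows, all aimed at port 80 (hosts and bytes are invented).
SAMPLE_FLOWS = {
    # An ordinary browser request.
    "browser": Flow(80, b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
    # A BitTorrent peer handshake: length-prefixed protocol string, not HTTP.
    "bittorrent": Flow(80, b"\x13BitTorrent protocol" + b"\x00" * 8 + b"\x01" * 20),
    # A streaming-media control request using RTSP; same shape as HTTP, wrong version token.
    "rtsp": Flow(80, b"OPTIONS rtsp://media.example.com/live RTSP/1.0\r\nCSeq: 1\r\n\r\n"),
    # A TLS ClientHello record sent to port 80 instead of 443.
    "tls_on_80": Flow(80, b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03" + b"\x00" * 32),
    # A file-sharing client that wraps its transfer in a genuine HTTP POST.
    "http_wrapped": Flow(
        80,
        b"POST /upload HTTP/1.1\r\nHost: files.example.com\r\n"
        b"Content-Type: application/octet-stream\r\nContent-Length: 4\r\n\r\n\xde\xad\xbe\xef",
    ),
}


def compare_policies(flows=SAMPLE_FLOWS):
    """Return {name: (allowed by port-only rule, allowed by inspecting rule)}."""
    return {name: (port_only_policy(f), inspecting_policy(f)) for name, f in flows.items()}


if __name__ == "__main__":
    for name, (by_port, by_inspection) in compare_policies().items():
        print(f"{name:13s} port-only={by_port!s:5s} inspecting={by_inspection}")
```

The port-only rule admits all five flows. The inspecting rule rejects the BitTorrent handshake, the RTSP request and the TLS record, but still admits the last flow, because a client that wraps itself in real HTTP is indistinguishable from a browser at this layer. That last case is the article's point: once port 80 is open, applications will dress themselves as Web traffic to use it, and a port-based sandbox cannot tell them apart.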
And now there's ICQ. At least the IT folks knew the Web was coming; in many cases,
they even installed the browsers themselves. ICQ (and its instant messaging brethren)
is something else entirely: the first widely adopted piece of business software that no
CTO evaluated and no administrator installed. Any worker who had gone to the boss and
asked for something that allowed them to trade real-time messages with anyone on the Net
would have been turned down flat. So they didn't ask, they just did it, and now it can't
be undone. Shutting off instant messaging is not an option.
The flood is coming.
And those three holes (email for file transfer, port 80 drilled through the firewall,
and business applications that workers can download and install themselves) are still
only cracks in the dike. The real flood is coming, with companies such as Groove Networks,
Roku Technologies, and Aimster lining up to offer workers groupware solutions that don't
require centralized servers, and don't make users ask the IT department for either help
or permission to set them up.
The IT workers of any organization larger than 50 people are now in an impossible
situation: They are rewarded for negative events, no crashes or breaches, even as workers
are inexorably eroding their ability to build or manage a corporate sandbox. The obvious
parallel here is with the PC itself; 20 years ago, the mainframe guys laughed at the
toy computers workers were bringing into the workplace because they knew that computation
was too complex to be handled by anyone other than a centralized group of trained
professionals. Today, we take it for granted that workers can manage their own computers.
But we still regard network access and configuration as something that needs to be
centrally managed by trained professionals, even as workers take network configuration
under their own control. There is no one right answer: digital security is a trade-off. But
no solution that requires centralized control over what network users do will succeed.
It's too early to know what the new compromise between security and flexibility will
look like, but it's not too early to know that the old compromise is over.