My job is relatively simple really. It’s half about people, and half about data. The data belongs to the people (as individuals or groups), and it’s my job to make sure that data is accessible and secure (in that order). It’s sometimes easy to lose sight of the fundamentals, and certainly some IT Service Providers (more so in the HE sector in my experience) get carried away with the technology, and forget about the people, and their data.
Responsibility and Control
What I struggle with is the difficult balance between responsibility, authority and control. We (the Clinical School Computing Service) provide a managed desktop service, and part of the ‘managed’ is that you get a user account with 50GB of file storage, and group drives up to 1TB for sharing data with colleagues. Those network drives are where the data is supposed to go. If users put it there, we can make sure only authorised people have access to it, make sure it’s available in the event of anything up to complete server room loss, and we can keep snapshots to deal with accidental deletion or damage to data.
This should work well:
- We are responsible for the data
- We have control over the data (because it’s on our systems)
- We have authority over the data (from the users)
Responsibility without control?
However, we also place relatively few restrictions on our users’ access to their machines. They purchased it, they pay us for the managed desktop service and their user account, so we don’t dictate to them exactly what they do with it. This means we have a conflict between the freedom of the user to use their IT assets as they wish, and our desire for them to follow best practice, so we can secure their data. Because we don’t place restrictions on the users’ ability to (for example) write to the C: drive, they can (and do) store their data there. Now the model breaks down:
- The user thinks we’re still responsible for it, because it’s IT stuff, and we do IT
- In practice, we have no control over it, because it’s on their PC hard drive, not our systems; we can’t secure it or back it up
- The user has unwittingly taken away our authority over it, by storing it in the wrong place
Of course, if the users are aware of best practice, they’ll never do this, but I have a few problems with that statement:
- Users generally aren’t aware of best practice. It’s not part of their induction, or their education/training before they start their job (this is a fundamental flaw in our education in my opinion)
- We can’t educate the users, because how do you reach out to 1,500+ users and teach them about data security?
- Many applications, especially those written by smaller software houses, often out of date and no longer maintained, don’t help the user save data in the right place (they may default to the program file location for saving data).
On top of all this, we also allow users (on request, and after some ad-hoc awareness training over the phone) administrative access to their PCs. Some demand it, most can justify it, but that then adds an even greater level of risk. We CANNOT say “No, no-one has administrative access” because the systems our users work with often require it, and it would be prohibitive for us to deny them that access.
So now we have a difficult problem to solve. How do we balance the users’ needs with our responsibility to ensure their data is secure? I’ve got one technology solution for a specific group of users (a blog post on that later), but the vast majority are an area we have yet to manage to my satisfaction (any suggestions very welcome!).
Oh, and on top of all this, there’s BYOD. Talk about making a job even harder.