The Art of IT: What IT Controls--And Doesn't

In our June 22 issue, I suggested it's time to rethink IT's typically strict policy against non-IT supported applications on end-user systems. That column generated a lot of reader mail--to say you feel passionate about the subject is an understatement. Your messages ran about four to one against the notion of letting end users load their own applications, and some of your words for me were...well, less than kind. One writer asked if I'd been dropped on my head as a child; another asked if my own IT staff had charged my office to confiscate the obviously aberrant laptop on which I'd written that column.

Unless Mom's been lying to me, neither is the case. Though I must say, the latter conjures an intriguing image of our IT support team rushing in, Tasers brandished, shocking me into unconsciousness, then cuffing and duck-marching me into some IT kangaroo court where I'm tried and sentenced for my crimes against the enterprise. All too often, this vision isn't far from what IT enforcers would wish for--there are plenty of control freaks out there who'd love to string up anyone who violates IT policy, regardless of the reason.

But that control is an illusion. Once you let users take their laptops home, the chance you'll still control the application mix on their machines is nearly nil. And, by the way, IT knows this. If you really had control of your end-user devices, why would you consider spending an enormous chunk of the IT budget on NAC-like technologies? After all, at its core what NAC does is host assessment and remediation. Why would your buttoned-up IT infrastructure need that--unless, of course, you've already lost control of your end-user devices?

It's important to note that I'm talking about the general case here. Highly regulated industries that deal with sensitive data--health care, finance, national defense--must live by more stringent rules. But the way they do so provides guidance to the rest of us. Policies and policy enforcement are only as effective as the education that goes along with them. When policies appear arbitrary and capricious, you can bet the average well-meaning user will skirt them--often with the enterprise's best interest at heart. And therein lies an important fact that virtually every one of my crazed letter-writing "fans" seems to have missed: Your users want the same thing you do--they want the enterprise to succeed through their good works. So if the sales team in Cleveland starts using Yahoo Messenger to communicate with a support team in Atlanta, perhaps IT's first move shouldn't be to slap them down for finding ways to advance the company's cause.

IT often makes the mistake of thinking it must support every application used by any employee. Again, that's a fundamentally flawed proposition. If your users have access to the Internet, clearly they're using loads of applications about which IT has no knowledge. However, the fact that those apps are delivered in a browser seems to make all the difference in the world.

Perhaps IT's goal should be to offer a safe environment in which users can run Windows-based applications with no more oversight than that required for browser-based apps. Perhaps the goal should be to apply the same sort of defense strategy to the desktop that we apply to the browser. Couldn't there be a way to protect enterprise applications from end-user apps--say, through virtualization? And maybe, just maybe, if you educate your users about what makes a safe application and what doesn't, they'll help you out. Just as most corporate Web users know enough to stay away from shady Web sites, I'll bet with your support, your users will figure out which applications are safe and which are not. Art Wittmann is editor in chief of Network Computing. Write to him at [email protected].