Securing the Intranet in a World of Digital Natives
Many of today's new employees coming on board in companies across the world can be considered "digital natives" - members of a generation that grew up with computers and take the advantages of Internet connectivity for granted. This can be a benefit to companies in that it results in computer users who need less ramp-up time and training in basic computer use, but it also presents new challenges to those who are tasked with securing the networks on which these digital natives work. Many of these young people don't expect to be blocked from using the tools and visiting the sites they want, and a surprising number are savvy enough to find workarounds to security measures that worked fine with more traditional employees.
In this article, we seek to raise awareness of how securing a network in this new user environment differs from the old model, and why it may be beneficial to change some longstanding policies and training methods to keep the network secure without making the "natives" too restless.
The Digital Population Gap
The term "digital native" is generally attributed to Marc Prensky, who contrasted them with "digital immigrants", who grew up prior to the age of computers in every home and ubiquitous connectivity, and thus must adapt to the environment. See Digital Natives, Digital Immigrants, 2001
Simply being a member of the younger generations does not make a person a digital native. It is about culture, not just age. Many are growing up, even now, in third world countries where computers and internet access are not widely available. Thus digital natives are actually a population, not a generation.
The general premise is that the "natives" think and learn differently. They are used to, and are comfortable with, processing a flood of information that would overwhelm many "immigrants." To some extent, they even speak a different language. Although Prensky's paper is focused on how educational institutions must adapt to this new breed of student, the same applies to the workplace. Digital natives do not see computers in the same way that the average older computer user does, as just a machine to be used to get work done. To the native, computers are an integral part of life, as much so as TVs are to today's baby boomer generation.
Impact on Network Security
At last year's Summit for Microsoft Most Valuable Professionals (MVPs), Steve Riley gave a presentation to the Enterprise Security MVPs called The Future of Security Is not What it Used to Be, in which he talked about the three facets of security: technologies, processes and people. In that discussion, he noted that traditional approaches to security are not going to work with a new generation that has different on-the-job expectations. They expect to be able to access their Facebook sites or email their friends during their breaks just as older workers expect to be able to use the company phone to make personal calls so long as it doesn't interfere with getting the work done. Digital natives do not take kindly to policies and restrictions that seem, to them, arbitrary and punitive.
And if you try to force them into that mold, they are apt to a) quit or b) hack their way around your security measures. You could say "good riddance" and vow to hire only people who will abide by the rules, but what do you do as the candidate pool becomes filled exclusively with digital natives? And it is more likely that those with technical skills will choose option b - in the process, exposing your network to more threats than if you had provided a safe way for them to have the access they want.
That has not stopped employers from trying. According to this article, research from ScanSafe (maker of web filtering software) shows a recent 20% increase in the number of their customers that are blocking social networking sites, with more than three fourths of them doing so (take a look at this link for example).
One consequence of growing up in a socially networked world is that the natives have a very different attitude toward information and privacy. They may come to the job with the notion that "information wants to be free" - in both the monetary and the libertarian sense. In many ways, they have never had much privacy themselves - and that makes it more difficult for them to understand the concept of confidentiality as it applies to the workplace. This can be a real problem in an era of government regulations such as HIPAA and GLB, which mandate that certain data must be kept private, and in a business environment where the disclosure of trade secrets can bring down an entire company.
These digital natives are also more likely to attempt to install their own applications on their computers or to bring in data on flash drives. If you have not already put in place policies governing these activities, it is time to do so.
Unfortunately, just because digital natives are proficient with certain technologies, it does not mean that they know - or care - about security. It is a common characteristic of the young that they see themselves as invulnerable and take risks that older people usually avoid. It's no different online; it's supposedly savvy natives who most often download illegal music and movies, share files over peer-to-peer networks, visit hacker web sites and engage in similar Internet activities. And of course, those are the activities that pose the most risk. Young employees may be adept at circumventing your firewalls and access controls without having any understanding of the consequences to themselves or the organization.
Working Toward a Solution
How, then, should your organization protect itself from the new threats that come with a workforce of digital natives, while still benefiting from their skills? As with any user population, the first key is education. Here are some tips:
- Do not assume that just because your young users know how to navigate around their computers better than the old folks, that they also know how to protect those computers from attack or intrusion. Educate them in that regard.
- Don't talk down to them. Show them that you respect their knowledge and skills, and ask for their input when setting policies. They just might have some good ideas.
- Get them on your team. Instead of creating an adversarial relationship, engage them in working toward the same security goals that you have (and share those goals with them). Show them "what's in it" for them - whether that's something concrete such as more Internet privileges for themselves, or something more abstract such as the gratification of helping thwart an outside attack.
- Remember - and communicate to your employees - that it is not just technological threats that put the company in danger. Even though you might block them from using Facebook or MySpace at work, they can go home and post information about their jobs that unintentionally gets into the wrong hands (such as those of competitors) and causes trouble. Develop policies regarding whether they should identify themselves as company employees on social networks, and what types of information should be off limits for sharing with those outside the company.
Realize that education has to go both ways. Management and IT must first recognize that they are dealing with a new type of employee and make some adjustments in policy and attitude, too.
- Do not assume that the technological controls that worked to restrict your older users can't be circumvented by highly motivated digital natives. It might be a good idea to hire a tech-savvy native to deliberately try to work around your security measures and find the holes so you can close them. This differs from traditional penetration testing in that it's done from the point of view of an insider, attempting to "break out."
- Remember that the carrot works better than the stick. Do not assume that a rigid, authoritarian approach will work with the natives. "Laying down the law" is more likely to inspire them to try that much harder to get around your controls. Before, they were doing it because they wanted the access. Now they will do it to "get back" at you. And if they're disgruntled, they may feel justified in going much further than they would have otherwise.
- Provide them with what they want - without putting your production network at risk. Provide them with a separate wireless network they can connect to with their laptops - almost all of them have laptops - to do their personal web browsing, emailing, etc. They should be able to access the Internet through this network, but it should be completely separate from the corporate network.
Speaking of laptops, digital natives are all about mobility. If the company issues laptops, or if employees connect to the corporate network with their own, deploy a health policy enforcement solution such as Microsoft Network Access Protection (NAP) and provide a way to update the systems whether or not the user is logged on, such as Microsoft DirectAccess. Require BitLocker or other whole disk encryption, and install tracking software such as Computrace LoJack so that if the machine is lost or stolen, it will "call home" when someone connects it to the Internet and data can be remotely erased from the hard drive.