5

I am a web developer for a very large IT organization. Our sites see a healthy portion of our traffic from Google Chrome, so as a web developer I have that browser on my development laptop to test our web applications with it, along with IE 8 (the approved corporate default browser) and the current version of FF (which is also approved software). Of course, as is the problem with large organizations, our business partners and IT Security partners don't speak to each other.

So today I got an email from our internal IT security team saying that Google Chrome isn't approved software and I quote "it is a huge risk to the organization". They told me they are going to automatically remove it from my machine today. So now I am unable to support the business requirement of supporting Chrome traffic, and unable to skirt around the unapproved software policy.

I recognize that browsers (and possibly email) are the biggest internal threats to IT security for internal employees. However, this problem is most definitely not unique to our organization. So I am curious to know how other internal IT security teams handle approving browsers for use on corporate hardware.

Kenny Rasschaert
Kip Diskin
  • Just today, Chrome Blog posted an article: [German Federal Office of Information Security recommends Chrome](http://chrome.blogspot.com/2012/02/german-federal-office-of-information.html) :) – Janis Veinbergs Feb 03 '12 at 19:55
  • @JanisVeinbergs I was just looking for that article! Combined with the suggestion from Daniel, he should have a strong use case/justification for IT security. If they still don't allow access, push back. – Publiccert Feb 03 '12 at 19:59
  • If you don't want to fight IT, there's always something like BrowserStack.com or an EC2 Windows instance. – ceejayoz Feb 03 '12 at 20:00
  • @ceejayoz I can't say for certain, but I imagine if this IT 'security' group is disallowing Chrome, they're not going to be too thrilled with him RDP'ing out :P Just a thought, but your idea is good regardless. – Publiccert Feb 03 '12 at 20:04
  • Thanks for the Chrome Blog article. I will definitely bring that article to their attention. My concern is they seemed to handle me with a guilty until proven innocent policy. So I want to make sure I'm armed with as much information for how other companies handle this problem when I meet with them. – Kip Diskin Feb 03 '12 at 20:05
  • @Publiccert BrowserStack doesn't require RDP. – ceejayoz Feb 03 '12 at 20:06
  • @ceejayoz Very cool, I was not aware of that. I was referring to EC2 though. – Publiccert Feb 03 '12 at 20:09

2 Answers

13

So now I am unable to support the business requirement of supporting Chrome traffic, and unable to skirt around the unapproved software policy.

This is a social problem, so there isn't a sane technical solution to it. (You can obviously do things that violate the security policy, and risk ending up fired or reprimanded, or things that don't deliver on the business need, and risk the same thing.)

You have a problem: your boss demands something that the security team forbids you from doing. This is a problem you need to take back to him and get a solution to.

(...and if that involves breaking the security team rules, get that in writing before you will do it.)

Daniel Pittman
  • I'd say that such a poorly managed organization is probably doomed to fail, so I'd start looking for a better place to put my skills to use. – Aleksander Adamowski Feb 03 '12 at 20:11
  • I wouldn't reach such a broad conclusion from the data presented; while that could be the case, it could also be that the IT security group never got asked, and treat "any unapproved software" that way for, e.g., legal reasons. (...but I would probably move elsewhere, myself. ;) – Daniel Pittman Feb 03 '12 at 20:15
  • I'm not looking to quit (or get fired) and I know that the larger problem is that our business partners and our IT Security partners need to start talking. However, browsers are a big security risk for every company in pretty much every industry, so I was hoping for more information on how those companies decide what browsers their development staff get to use. Legal decisions, security vulnerability pros/cons, that kind of stuff. – Kip Diskin Feb 03 '12 at 20:37
  • If security is a major issue, perhaps they might give their developers access to some kind of test terminal server / VDI setup, where the testing host is placed in a portion of the network that is firewalled off from the sensitive bits. – Zoredache Feb 03 '12 at 21:02
  • This. There is a deadlock. You must break it in order to perform the duties of your job. One of your boss's primary duties as a software development manager is to remove obstacles that are above your pay grade. So, that would be my first stop if IT said I couldn't use something that my job requires. Don't take on IT by yourself; at least have your boss's blessing before pushing back directly to them. – KeithS Feb 04 '12 at 00:24
  • @KeithS: "One of your boss's primary duties as a software development manager is to remove obstacles that are above your pay grade." Cool, I'll keep this as a favourite quote :-). – sleske May 25 '12 at 09:07
5

What I've seen most often is that restrictions like these arise not only out of a desire for conformity, consistency, and easy support, but also because of compliance or reporting requirements. While IT can choose to make exceptions to their own rules on the former category, the latter is more often rooted in forces outside of the IT department itself. Allowing anyone to deviate from those requirements will interfere with the monitoring systems used to show compliance, and it often takes an act of God to get an exception approved. The fact that these exceptions are often "abused", where something like Chrome quickly becomes your default browser as well as a testing browser, doesn't help at all.

The upshot is that developers are often still expected to conform to the base security policy on their core desktop.

But that's just for the core system. To get around these silly restrictions, developers will be allowed to run virtual machines for testing environments, using images or templates that either have explicit environments and applications set up or that allow them considerably more freedom in what is installed. This includes applications such as Chrome that may fall outside of the normal security policy. This way, all is well in silly management reporting land, but work still gets done when it needs to.

Other options include lab environments with physical machines, where the physical machines are on a completely different network segment and switch. Now that VMs are so easy, though, this is less common.

However, you likely don't have the power to procure either VMs or a lab by yourself. You will need to get your boss involved here. If you approach the problem through proper channels and by asking for a compromise solution, such as a VM environment (and perhaps the hardware to handle it), you show that you understand and respect the security and IT issues involved. This way they are much more likely to take your request seriously.

Joel Coel