Comment by Zigurd
6 days ago
Personal computers were used in office environments long before the technologies existed to make them administrable as if they were a mainframe. Before blindly jumping in and reproducing those technologies, it is better to ask why they emerged in the first place.
Most workplaces don't have strict bans on personal mobile devices, and some of the ones that do, don't have the kind of physical perimeter defense that can detect people getting lazy about whether or not they carry their personal mobile devices into the workplace. That makes perimeter defense into security theater anyway. We need a rethink about what we are guarding against and how we're doing it.
You're thinking about security, and that's a big part of it, but another part of this remote-admin, locked-down UI demand is support and minimizing training cost. Everyone clicks the same icon in the same location to start the same business app, and it starts up the same way for everyone. End users can't screw up their setup.
A long time ago I supported Linux and Windows desktops in an organization that chose to allow per-user customization, with the trade-off that if you asked for support, what support offered to do was reset your desktop (not your data files) to default -- and that fixed practically all issues.
> Most workplaces don't have strict bans on personal mobile devices
If you're talking about select work apps on your mobile device, sure, but that's limited attack surface.
If you're talking about employers who let unmanaged mobile devices hop on their internal network... I've never seen that. Maybe at a hypothetically perfect zero-trust shop?
I've seen a lot of un-seriousness about security. One that's easy to spot is old unpatched IP phones that aren't segregated on the network. I've given demos at companies that are serious, where a device I accidentally left behind caused an urgent search of every room I had been in. Security didn't have to be told which rooms those were.
You likely know better than I, but I've always had a weird intuition that enterprise IT security is bifurcated into "Leaders who understand compliance+details" and "Leaders who confuse compliance for details" with very different results.
And I get it's extra work, but I've seen some weird "But if you'd just built this a bit differently, you would have gotten all these free security bonuses to your posture" gaps.
Imho, a huge part of the problem is invisibility. I'm firmly of the belief the US government should be running scans on entities in regulated industries (defense, healthcare, utility, telecom) with regulated redress of any findings.
Trusting private industry isn't working.