Balancing Act
Managing Security in an Open World

Story by Al Riske. Photography by Howard Friedenberg. 23.May.08

Leslie Lambert's job is managing a paradox. A worldwide paradox. A paradox that involves unfettered access and the opposite of unfettered access. The job involves vulnerability assessments, intrusion detection, and incident management. It involves virus protection and spam filtering. All on a network that spans more than 100 countries. And those are just the basics. What Lambert would call the easy part. Nothing to lose sleep over. The paradox is that the network has to be simultaneously open and closed. Open to employees, customers, partners, and suppliers. Closed to spies, thieves, spammers, and con artists. Call it a balancing act.
Lambert has been with Sun for 16 years and can remember when security was the group that said no to everything. Not safe, don't do it. Well, the job has changed. Many companies still limit the choices available to their employees. You can use laptop A or B, cell phone 1 or 2. That's it. Nothing else. Not Sun. Most corporations, she says, actually block access to social networking sites such as Facebook, MySpace, and Ning. Not Sun. Lambert's job would be a lot easier. No question. But what would be the fun in that?
Lambert was actually the head of the security group in the old just-say-no days. But it wasn't even a full-time job then. Just one of three things she was doing for Sun. IT strategy and architecture work being the other two. Now, she is Sun's chief information security officer, and it's full time. She reports to CIO Bob Worrall, who says, "Leslie has a nearly impossible job. We're asking her team to protect our intellectual property, while at the same time not inhibit employee choice, productivity, or mobility. This means rethinking many of our old security policies and practices." Her team comprises 21 individuals with a combined total of 272 years of Sun experience. "I challenge them and say, 'Tell me what's possible. Don't just say, Shut it down. I'm the VP. I could tell you how to shut it down,'" she says. "I challenge them to be smarter than that."

"It's really boring to say no. People don't come back. You don't have any friends. But if you partner with them ..."
"Sun has always had an extended family with resellers and partners who help us in our mission," Lambert says, "so we invite them to participate in SWAN [the name for Sun's wide-area network] and use some of our tools." Which more than doubles the size of the community, to around 80,000 people. "It makes the job much more complicated and broader than most people expect," she says.
"Then we take it further, with Web 2.0 and all the social networking pieces. We always want to be a leader in that kind of thing. But how do we do it and still keep our company and its information safe?" Sun has more than 4,000 bloggers, more than 6,000 Facebook friends, and no less than seven islands in Second Life, where it has staged numerous public and private events, including a virtual town-hall meeting in which Sun's top executives recently came avatar-to-avatar with employees around the world. "We enable Sun to do that by managing security behind the curtain," Lambert says. "The tagline I have for my team is: We enable Sun to be Sun." "What we've done, in the case of Second Life, is we've partnered up with folks. We said, 'Hi, we're from security. We're here to help.' Once people recovered from the shock, we said, 'We'd like to enable you to do this, and we're going to show you how to do it safely.'"
Initially, Second Life was not available on SWAN. "So what we did, with my technical people behind the curtain, was work on exactly how we could configure SWAN and the ports in the firewall to allow Second Life to come in and out in a secure manner," she explains. Other social networking venues are harder to secure -- "Honestly there's not a whole lot we can do, physically" -- so Lambert and her team are relying on awareness. "We're addressing it more through policy and guidance and training for people right now," she says. "The problem with a lot of these sites is they don't necessarily apply the same degree of security rigor to the information stored there that we do at Sun," she says, "and I don't know that everyone across Sun necessarily understands that." In other words, employees have become accustomed to the seamless security of Sun's network. "We've lulled people into a false sense of SWAN. They think SWAN is reality when it's not reality. It's far from reality," she says. "We've architected all this stuff to allow people a very free environment, yet it's very safe. They may presume that's what it's like on the outside -- and it's not."
"The biggest issue is that people might inadvertently post the company's confidential information on these sites thinking they're safe to use and this is how I'm getting my group to collaborate or this is how we're arranging meetings with an outside agency," Lambert says. "They don't realize that all of that stuff is fully exposed for all the world to see."
She points out, however, that Sun's experience with blogging over the past four years has been overwhelmingly positive, with nothing to prevent people from posting confidential information other than a set of guidelines. Trust and common sense make it work. "We'd all prefer to make things more secure, but given who we are, we're not going to make it that arduous on the user. I've been in meetings with Jonathan [Schwartz, Sun's CEO] where he's said, 'I'd prefer to have two-factor identification on everything that people put out there on Facebook, but that's not reality.' In effect he's challenging me and my team and others to be smarter than that. Like I said, it's easy to shut it down. It's difficult to figure out how to do it safely."