
User Autonomy or IT Control? The Answer to Both Concerns Is Yes

IT organizations are still struggling to create the appropriate balance between a secure and productive user management environment, and ensuring enough flexibility to enable user innovation and productivity. However, the struggle for cost efficiencies should not override the critical balance needed for managing users. IT organizations must leverage various vehicles to achieve balanced management.

Key Findings

  • IT organizations must determine the appropriate level of control across their user base to create a secure and auditable infrastructure.
  • A one-size-fits-all standard (that is, complete lockdown or allowing all users autonomy) will lead to increased costs and productivity loss.
  • IT organizations can leverage security and operation management tools (quarantining and PC configuration management) to enable various management techniques.

Recommendations

  • IT organizations must develop support policies to set expectations for what end users can anticipate with different levels of control.
  • IT organizations also must engage a multifaceted management strategy that combines policy, technology, and operational and security-based management tools to accommodate the myriad of end-user needs.

STRATEGIC PLANNING ASSUMPTION(S)

The percentage of controlled desktops in organizations with more than 1,000 employees will increase from 20% at year-end 2008 to 50% by 2013 for desktops, and from 5% to 30% for notebooks.

ANALYSIS

There's a tug of war in the business-computing environment. Many IT organizations want to lock users down and restrict what they can do on corporate systems. IT wants to prevent the malicious user from causing harm and the typical user from doing something that might accidentally damage the system. Users often want to select their own software and even their own hardware to do their jobs with tools they believe will make them more productive. There are basically two sides (complete lockdown and total autonomy) in the argument over locking down users, especially by restricting their ability to select and install their own software.

Point: Users Can't Be Controlled

As quickly as organizations find new ways to control users, users will find ways around that control. Removing administrator rights with Windows 7 (or Vista or XP) may stop the casual user from installing applications, but not all applications need administrator access to be installed. Application virtualization solutions will appear that enable users to run applications requiring administrator rights in an isolated instance on a machine on which they don't have administrator rights. Furthermore, Web 2.0 applications will continue to appear that can be run from any type of device, including thin clients. Organizations can't lock down the Internet, and site-by-site blocking would be a losing proposition.

Certain users have a real business need to install their own applications. Locking down these users means that IT costs will increase because IT professionals will have to respond to users rapidly to meet their expectations and maintain acceptable service levels. Developers generally need full access to their PCs to do their jobs, and mobile users may need to repair their PCs or get support when they can't connect to the corporate network or get direct IT support.

Users know how to do their jobs better than IT knows how to do users' jobs, and without sufficient freedom, users will not be able to find innovative methods that could increase company revenue, reduce cycle time or reduce the cost of doing business. In many cases, lean IT staffing means that the turnaround time is too long for IT to respond with solutions that the business or individual user requests.

Furthermore, "digital natives" are growing up with technology, and technology is second nature to them. The workforce is changing, and Gartner has heard of people turning down jobs that don't offer the technological freedom they desire. At some point, companies may need to concede some control to avoid discouraging the new workers they want to attract.

Counterpoint: PCs Must Be Controlled

The complexity of technology in the business continues to explode. The simpler the environment, the easier it is to test security fixes and other patches before deployment. Having a known environment will lead to faster testing and better security, because patches can be deployed sooner, more predictably and more successfully.

Reduced complexity also reduces IT costs, and organizations are still seeking to manage the diversity that remains necessary. Our total cost of ownership (TCO) model has shown that locking down and managing PCs closely can reduce TCO by 18% to 36%. Some reductions are in IT support costs; others are in reduced productivity losses attributed to users who spend time trying to get their technology to work instead of doing their jobs. IT costs also decrease because IT does not have to repair or rebuild technology broken by users installing software that corrupts their PCs. This potentially frees IT to evaluate new technology.

The typical large organization that does not lock down its users has a 10:1 ratio of users to applications. Thus, a 10,000-user organization likely has around 1,000 applications that users deem important. Keeping track of what's on a user's PC when IT is installing it is difficult enough without the user adding applications. Ensuring that every application works in combination with every other application when users install their own software also is improbable. The percentage of controlled desktops in organizations with more than 1,000 employees will increase from 20% at year-end 2008 to 50% by 2013 for desktops, and from 5% to 30% for notebooks.

Government compliance regulations require controlling users; thus, it may be necessary to know what's on users' PCs and where they are saving data. For example:

  • How can a healthcare organization ensure that users are adhering to the Health Insurance Portability and Accountability Act (HIPAA) and securing sensitive data if the organization doesn't know what applications are running on users' PCs?
  • How can the organization ensure that sensitive data isn't being stored on websites that may not be as secure as needed to comply with regulations?

Another consideration is the proper licensing of software. Unlicensed software can lead to large fines imposed on the organization, and IT cannot ensure that software is properly licensed when users install it themselves.

The IT professional's job is to optimize company use of IT to manage costs and improve user productivity. IT has skills in gathering requirements, and has communication and ties with parts of the organization that otherwise may not speak directly with each other. IT, when structured properly and well-connected to the business, is in a unique position to discover different parts of the business with similar requirements. Thus, IT can connect these various sectors in a common cause to leverage technology, build economies of scale, increase cross-business effectiveness and reduce costs. This positive IT involvement can offset the sometimes-negative business mind-set that considers IT only as a cost center, with nothing to offer except slowdowns, rules and restrictions, especially when IT is concerned primarily with system availability, compliance and security – all of which require methodical management. Better inventory and management tools, along with policies, processes and well-trained administrators linked by analysts who can be capable liaisons with the business, are changing these perceptions.

History has shown that when users or departments each select their own systems and services, effort is duplicated and twice the necessary systems and services result (the selection of the first word processors and spreadsheets is an excellent example). Inevitably, users and departments will need to exchange data, and although data exchanges among disparate systems are possible and are becoming more feasible as applications increasingly adopt structured XML approaches, it is always easier to exchange data among like systems. Sooner or later, the company will decide that it can save money by consolidating an application category and managing it centrally. With multiple, disparate systems, consolidation will be more expensive.

Result: Inability to Meet IT's Needs and Users' Expectations

Early management projects tried to swing the pendulum from managing an ever-growing number of "custom" user images to a one-size-fits-all scenario. They did this to reduce exorbitant costs, only to find that neither approach was successful at reducing costs or improving user perceptions.

Enforcing the same policies on an application developer or a roaming mobile worker as on a call center user has no redeeming benefits for business productivity, cost reduction or improved availability.

This leaves an enormous chasm between users' expectations and IT operations' responsibilities and abilities to meet those expectations. "Lockdown" has become a negative concept for users, and IT, in turn, continues to appear unresponsive to users' needs. Thus, organizations must adopt a policy of managed diversity, and IT must seek to develop a more broad-reaching management "framework" that matches management and policy to specific user classifications. Organizations that have matured to Level 3, or Service, on the IT management process maturity model have built a strategy to address these varied needs.

Start With Policy

Many organizations have adopted a policy of "don't ask/don't tell" for users running their own software. This strategic ignorance serves only to make the environment less secure and to remove the possibility of policy enforcement. It's better to encourage the legal use of software for innovation, or to firmly reject its use and enforce policies that do so. In any event, the use of unlicensed software, or of any illegal content, cannot be tolerated.

User Classification Policy

In reality, IT cannot lock down every user. Users will find ways to employ their own devices and preferred applications to do their work. Even if IT could completely lock down each user, some would not be able to do their jobs properly, effectively or innovatively, and the organization would suffer by restricting them. The key is coming to terms with what can and can't be done, and making the right decisions to control the right set of users and empower the right set of users.

Deciding which users need more autonomy and which need less will be required in most organizations to minimize costs while fostering innovation. Concurrently, policies and processes must be created and developed. Only after this occurs can software be used to enforce related policies and enable processes. This philosophy is not new — Gartner has advocated this approach since the late 1990s, but organizations are slow to renounce the simplicity of treating everyone the same. Users who want more control must accept more responsibility, make restitution for support issues they cause and live with less-comprehensive service-level agreements.

After Honing Your Policies and Processes, Sharpen Your Tools

A variety of tools must be used to control the perimeter of the environment for users who need autonomy and to control the PCs of users who require less autonomy.

Throughout the years, tools that assist in PC management have improved. Additionally, Microsoft has added enhancements to its Windows operating system that provide tighter control and auditability.

For Users Who Need to Be Locked Down

For these users, remove administrator access from Windows. This will prevent them from installing most applications. Watch the market for application virtualization or fat-client applications that can be installed without administrator rights. Consider "black/white" list solutions that allow only approved applications (those on the white list) to execute.

Ensure that your configuration management and patching software strategy is fully implemented. Implement content monitoring and filtering to help prevent sensitive data from leaving the enterprise. Combine these with Windows group policy objects (GPOs) to further control how PCs operate.

For Users Who Need More Flexibility

Depending on what these users require, removing administrator rights may not be a viable alternative. Instead, consider black/white list solutions. For users needing more autonomy, a black list can prevent known-bad applications from running, and a gray list can record the applications being installed so that each can be reviewed and rejected if it is found to be detrimental to the security of the organization.

For users requiring less autonomy, applications on the gray list can be prevented from executing until they are evaluated. This gives the organization flexibility in how different user groups are restricted, although it creates another set of processes the organization must follow and maintain. In this case, content monitoring and filtering (CMF) tools may be needed. Also, GPOs and configuration management and patching tools should be considered essential for all users, with inventory components used to alert IT to ensure that user-installed applications are licensed legally. Organizations can employ application virtualization software to isolate the enterprise software being distributed to ensure that it does not conflict with applications users have installed themselves.

For users who require complete autonomy, other methods must be used to ensure security. These users may be employing devices the enterprise does not own or support. Technologies for network access protection and network admission control can be used to ensure that all PCs attaching to the network (on- and off-premises) are fully patched and conform to the enterprise's security policies. CMF products can prevent enterprise data from getting onto nonenterprise PCs, and black lists can be used to prevent the running of bad software. Take care to understand what the enterprise can and cannot do, especially if the PCs are not owned by the enterprise.

Full operating-system virtualization may help separate enterprise-owned applications from user-owned software and hardware. Consider other elements, like GPOs, configuration management and patch management, if they can be used legally. (You may not want enterprise-owned software installed on PCs the enterprise does not own, and it may even be illegal, like patching someone else's notebook from your Windows Server Update Services.)
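The sections above describe one allow/deny/gray-list policy applied differently to each user class: allowlist-only for locked-down users, gray-listed applications held until evaluated for closely managed users, gray-listed applications permitted but queued for review for users needing more autonomy, and a denylist only for fully autonomous users, plus an inventory alert for user-installed software without a license record. The following is an added example that is not part of the Gartner note or of any Viewfinity product; the class names, application names, review statuses and the `AppPolicy` and `unlicensed_installs` functions are all constructed for illustration.

```python
"""Added example (not from the Gartner note or Viewfinity): a policy evaluator
that applies the note's allow/deny/gray-list approach per user class.
All user-class names, application names and statuses are constructed."""
from dataclasses import dataclass, field
from enum import Enum


class UserClass(Enum):
    LOCKED_DOWN = "locked_down"   # no admin rights; only allowlisted apps run
    MANAGED = "managed"           # gray-listed apps are blocked until evaluated
    FLEXIBLE = "flexible"         # gray-listed apps run but are queued for review
    AUTONOMOUS = "autonomous"     # often non-enterprise PCs; denylist only


class Decision(Enum):
    ALLOW = "allow"
    BLOCK = "block"
    ALLOW_AND_REVIEW = "allow_and_review"


@dataclass
class AppPolicy:
    allowlist: set[str]                      # approved ("white list")
    denylist: set[str]                       # known bad ("black list")
    graylist: dict[str, str] = field(default_factory=dict)  # app -> "pending"
    review_queue: list[tuple[str, str]] = field(default_factory=list)

    def evaluate(self, user_class: UserClass, app: str) -> Decision:
        """Decide whether `app` may execute for a user in `user_class`."""
        app = app.lower()
        # Deny and allow lists apply to every class; the denylist wins.
        if app in self.denylist:
            return Decision.BLOCK
        if app in self.allowlist:
            return Decision.ALLOW
        # Unknown application: the user class decides what happens.
        if user_class is UserClass.LOCKED_DOWN:
            return Decision.BLOCK            # allowlist-only
        if user_class is UserClass.AUTONOMOUS:
            return Decision.ALLOW            # denylist-only
        # MANAGED and FLEXIBLE: record it on the gray list for evaluation.
        self.graylist.setdefault(app, "pending")
        if user_class is UserClass.MANAGED:
            return Decision.BLOCK            # held until IT evaluates it
        self.review_queue.append((user_class.value, app))
        return Decision.ALLOW_AND_REVIEW

    def review(self, app: str, approved: bool) -> None:
        """IT evaluates a gray-listed app and moves it to the allow or deny list."""
        app = app.lower()
        self.graylist.pop(app, None)
        (self.allowlist if approved else self.denylist).add(app)
        self.review_queue = [q for q in self.review_queue if q[1] != app]


def unlicensed_installs(user_installed: dict[str, set[str]],
                        licensed: set[str]) -> dict[str, set[str]]:
    """Inventory alert: per user, the self-installed apps with no license record."""
    return {user: apps - licensed for user, apps in user_installed.items()
            if apps - licensed}


if __name__ == "__main__":
    # Constructed sample lists; "putty.exe" stands in for any not-yet-classified app.
    policy = AppPolicy(allowlist={"winword.exe"}, denylist={"torrentclient.exe"})
    for cls in UserClass:
        print(cls.value, "putty.exe ->", policy.evaluate(cls, "putty.exe").value)
    print("review queue:", policy.review_queue)
    print("unlicensed:", unlicensed_installs(
        {"alice": {"winword.exe", "photoedit.exe"}}, {"winword.exe"}))
```

The evaluator keeps one set of lists for the whole organization and varies only the treatment of unknown applications by class, which is the "managed diversity" the note argues for: the same gray-list entry is blocked for a managed user, permitted and queued for a flexible user, and never consulted for locked-down or autonomous users. Once IT reviews an entry it moves to the allow or deny list and every class sees the same outcome.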

Push the Business Benefits, Sell to the Business Units

The IT organization cannot decide the issue of autonomy versus control in a vacuum. For the project to be successful, IT must sell the benefits of lockdown to the business unit. More IT control can have many business benefits, but remember: An IT control program that fails to consider user innovation and that treats everyone alike is doomed.

Source: Gartner RAS Core Research Note G00174183, Michael A. Silver, Ronni J. Colville, 3 February 2010.