Sunday, May 4, 2008

IT security as an impediment to developer's productivity

My first Computer Science teacher liked to tell this story. In the late 1940s there were 3 different classified projects to design the first computing platform in Russia. All three were run by the military, and as is typical for military designers in Soviet Union, all three were working in complete isolation from the rest of the world and each other. Paranoid times, you see: Stalin was imagining the new types of enemies of the state every day.

So one of these projects was falling behind quite a bit, and the leadership decided that it was hopeless, and declassified it. So the team could now go to the conferences, talk to other people, and engage in normal life of a research project, including a lot of information sharing.

This project suddenly had a turn-around, and produced the BESM line (, which became the workhorse of Soviet computing for the next 40 years, sort of Warsaw Block IBM-360. The first version came out in 1952, the production of the last one stopped in 1987.

The other two projects stagnated and were eventually killed.

Moral of the story: secrecy is antithetical to research.

When I started working at Microsoft in 1998, I was startled to realize that the campus was not connected to the Internet at all. I had to go to the company library which had a few workstations on tap to buy tickets from Expedia. This was of course in the name of security, least one can steal the precious Windows source code.

Surprise, surprise, Microsoft struggled to win against Netscape, despite the fact that the company had far more resources to pour into the browser wars, had great programmers, and expertise in shipping.

Throughout the years I worked at Microsoft, security concerns of corporate IT were always in the way of me doing the work I was hired to do (and passionately wanted to do).

First, the IT always messed with the VPN access to the corporate network. It started just like any other VPN - you click on the icon, enter your password, and in a few seconds you are connected. This was not "secure enough", so they added a step that checks if the computer originating the VPN session has critical updates installed. Then they expanded on this brilliant thought by adding more and more checks. Then they started to require smart cards for access.

As a result, towards the end of my tenure, I had to wait at least a minute to connect when I wanted to work from home, usually more like a minute and a half.

It is kinda obvious that a company should really appreciate if people want to work for it more than standard business hours, and should make doing so as easy as possible. Google gets it by the way - connecting to work is easy (under 5 seconds in most cases), everyone gets a laptop, and they buy you a big monitor for work use at home. Microsoft doesn't.

Today, Microsoft have all but removed the VPN access to its corporate network, and replaced it with remote desktop proxy that allows people to connect directly to PCs at work through the RDP sessions. I always laugh at my wife as I observe her doing it - there are 3 dialog boxes where she has to enter her password and various PINs, and the process takes minutes...

And of course if one cared, it would still be easy to write a virus that would penetrate RDP connection if the client is infected - all it needs to do is detect when the desktop is idle for a long time (so the user must have gone away), send a keystroke emulating Ctrl press every 5 minutes so the server desktop does not lock, and then inject keystrokes into RDP client queue to have the server run something off the internet. Mission accomplished!..

Inside Microsoft, the IT security interferes with the developer's productivity as well. If you are an office worker, you probably don't notice it, because your only computer is fully managed by IT, and there's not much you're doing with it anyway.

But if you're a developer, have multiple test boxes (or devices), then the security is in the way big time. Your off-domain test hardware can't connect to anything. You can't debug it in a lot of cases, and you have to jump through a lot of hoops before you do when you can.

A guy who worked for me in my previous job went as far as removing his computer from Microsoft's domain - so much IT security was interfering with his abilities to get stuff done. He read email through the web interface.

Nobody has a way to really measure it, but my gut feeling is that Microsoft loses probably 5-10% of the productivity to the security monster. If you estimate that there are probably ~20000 people in Microsoft's test, dev, and PM orgs, that would be between a thousand and two thousand people. A size of a whole division.

And I am fairly sure Microsoft is not even close to being the worst company as far as IT impact on developers goes. I've heard about companies where developers don't have admin rights to their machines, so they can't install any software beyond that installed by IT. How scary is this - the developers being trusted with the future of their company, but not with their own computers...

The big problem with IT security is that people who make decisions of how to implement it in an enterprise are usually not engineers themselves, do not really understand the risks. And they are not the business people, either, so they do not understand the tradeoffs. They are hired to prevent, and they do prevent. And the best way to prevent code from being leaked, is to make sure that no code is written, so there's nothing to leak :-).

No comments: