| First, security is never a goal in itself; the goal is to get some job done, which involves having something to protect, and security's job is to protect it. Second, even when your metric is security, creating a policy that people have to circumvent to get their job done seems likely to reduce security. > when it comes to ensuring what data comes in and leaves your environment there's little choice The concept of your environment having an "inside" and an "outside" is dangerous. Better to assume that "inside" is just as hostile as "outside", and avoid having any insecure internal services or resources. Use TLS/HTTPS everywhere internally, require authentication for internal services, and otherwise make sure that an attacker gains nothing by compromising an end-user system except what's on that end-user system. > If your job involves idling on Freenode Forget "idling"; participating effectively in many Open Source projects (whether developing them or getting support for them) requires the ability to get on IRC. > maybe take it up with management Short of C-level executives, management rarely has the ability to change IT policy. |
I agree with what you say regarding perimeter security, a concept quickly decreasing in relevance in today's environments. Unfortunately, when you have thousands of people working for you that don't know how to computer, you have to take steps to ensure that the data and functionality that they're handling remains protected.
Additionally, a large amount of attack surface exists on the client side, and with these two factors at play you're dealing with a lot of non-trivial trust relationships within your organisation.
Yes, ideally every system would be an island, and everyone who was supposed to operate it could do so securely and competently enough that they'd realise if something was wrong.
Until then, corporate workstations live in a locked down world where all external access is monitored and scrutinised.