The expert view Jon Honeyball
Is there an intrinsic problem with letting someone choose a different browser? No, but that’s not the whole story. It boils down to how you manage your infrastructure and what rules and processes you put in place.
Traffic that goes in and out of the organisation should be appropriately monitored, whether that is light-touch URL filtering or URL filtering backed by cloud-based blacklists and packet filtering.
The risk comes from allowing a highly modifiable platform into your users’ working space. The web browser has access to all the traffic that flows through it, so the acceptance of user-chosen third-party plugins should be viewed with concern. That plugin has access to everything and, whether it’s an internal line of business app or a cloud-based solution, this is an exposure that needs to be considered and judged carefully.
How to control this is a quandary. Do you want to lock everything down or allow more flexibility? At what point does the increased security of a lock-down create enough tension that users feel empowered to take things into their own hands?
One solution is to take a more nuanced approach: have a corporate-mandated browser that is heavily locked down and configured, and is used for line-of-business processes. There is a case to be made for ensuring it can’t be used for social media operation and is viewed as a proper business tool. Then have a second, entirely separate, browser that’s for work outside of line-of-business operations. This could be for work-related tasks or during-the-day social media work (Twitter, Facebook and so on). Again, these tools would be locked out from the secured line-of-business apps.
By taking this approach, you keep a proper set of workflows in place, have locked down the line-of-business solutions and have identified a way to keep social content under control.
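One way to put that two-browser split into practice is through the browsers' own enterprise policy files. The script below is an added example written for this column, not a configuration from the author or from any vendor. It assumes Google Chrome is the locked-down line-of-business browser and Firefox the general-purpose one, that the line-of-business apps live on the placeholder hosts lob.example.internal and crm.example.internal, and that the Linux policy paths used here (the Chrome managed-policy directory and the Firefox distribution directory, which varies by distro) match the target machines. The ROOT argument lets you generate into a staging directory and inspect the result before writing to the real system.

```shell
#!/bin/sh
# Added example: generate enterprise policy files for a two-browser split.
# Chrome = locked-down line-of-business (LOB) browser, Firefox = general browser.
# Host names and directory layout are assumptions (placeholders), see lead-in.
set -eu

write_browser_policies() {
    root="$1"
    chrome_dir="$root/etc/opt/chrome/policies/managed"
    firefox_dir="$root/usr/lib/firefox/distribution"
    mkdir -p "$chrome_dir" "$firefox_dir"

    # LOB browser: only the LOB hosts are reachable, user-chosen extensions are
    # blocked outright, and features that would carry data out (password
    # manager, browser sign-in, incognito, devtools) are switched off.
    cat > "$chrome_dir/lob-browser.json" <<'EOF'
{
  "URLBlocklist": ["*"],
  "URLAllowlist": ["lob.example.internal", "crm.example.internal"],
  "ExtensionInstallBlocklist": ["*"],
  "DeveloperToolsAvailability": 2,
  "IncognitoModeAvailability": 1,
  "PasswordManagerEnabled": false,
  "BrowserSignin": 0
}
EOF

    # General browser: the web and user extensions are allowed, but the LOB
    # hosts are blocked, so a plugin installed here never sees LOB traffic.
    cat > "$firefox_dir/policies.json" <<'EOF'
{
  "policies": {
    "WebsiteFilter": {
      "Block": ["*://lob.example.internal/*", "*://crm.example.internal/*"]
    },
    "ExtensionSettings": {
      "*": { "installation_mode": "allowed" }
    },
    "DisableFirefoxAccounts": true
  }
}
EOF
}

# Usage:
#   write_browser_policies /tmp/staging   # review the generated files first
#   write_browser_policies /              # real install, run as root
```

The two files are deliberately mirror images: the allowlist that defines the line-of-business browser is exactly the blocklist applied to the general browser, so the set of hosts a user-chosen plugin can ever observe is the complement of the set the business tool is allowed to reach. Chrome reads the managed policy directory on every start and reports the effective settings at chrome://policy, which is the place to confirm the lock-down has actually taken hold.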
As always, you need appropriate monitoring both within your organisation’s fabric and at its boundaries with the world. Do you really want mobile devices, for example, to connect to the internet without going through a mandated VPN tunnel back to the core network? These are hard decisions that must be taken, and all too often there is insufficient monitoring and analysis taking place.