Comment Re:Corporate IT salvation (Score 2) 190
First, let me say that I totally agree that "regular" users -- those who are not programmers or testers or system administrators -- do not typically need administrative rights, nor do they, in the ideal case, need the ability to run unauthorized third-party programs.
HOWEVER, my concern is that there will be many inappropriate and heavy-handed uses of this technology called "Device Guard" by IT departments that are not effectively satisfying the needs of their users.
Firstly, every IT department would, in an ideal world, be willing to get over themselves and accept the fact that software development can, and should, happen in departments other than the official IT department. The larger and more diverse your organization is, the truer this statement is. An employee shouldn't have to be within the reporting chain of the CIO or IT Director in order to be able to develop software as part of their official responsibilities. And yes, if an employee's management chain officially assigns them software development duties, and these responsibilities are accepted as legitimate by a corporate officer who isn't in IT, then this software development *is* official, even if IT isn't aware of it.
The next thing is, IT organizations need to assign appropriate permissions and trust (e.g. local admin rights) to these external development organizations. Trust them to do their job correctly, and only crack down if there is an actual violation. If you're worried about compliance, give them your security policies and make them provide a compliance report before deploying the software. Come up with some *minimally-invasive* hoops they'd have to jump through to get approval to deploy their finished software. *Don't* try to take ownership of their product lifecycle.
In an IT shop meeting these simple minimal criteria, I think this Device Guard feature would be mostly harmless. Jane the Executive Assistant tries to run an
My concern is that there are hundreds of IT shops out there in the wild which do NOT have the political or social intelligence to enact policies like these, and would rather bury their heads in the sand and pretend there's not a problem. They are so averse to risk and change that they would rather see their company stagnate due to the unavailability of necessary tools and technologies, instead of working through the growing pains of becoming an organization that can accommodate the realities of the fast-paced 21st century business culture, such as the necessity of software development done locally to the people who will be using the software (advantages: reduced cost, shorter lifecycle, more relevant and accessible to the end-users, faster response to change requests, etc.).
These same shops without the above will be all too happy to turn on Device Guard for its security benefits, without making the required accommodations for the many existing Shadow IT organizations in their company, half of whom are afraid of IT's potential overreaction to their project and have thus never come forward and told IT what they're doing.
Mark my words: the day that IT departments roll out Windows 10 and turn on Device Guard, the shit is going to hit the fan. You'd better have already worked out the proper preparations with *all* the software developers in your user base -- not just the IT department -- to support their production software, or random pieces of your mission-critical software are just going to stop working one day, and an angry CxO is going to want to know why IT broke their systems.