47

For my company we are creating a private portal so the company can log in and get the information about their product from our website. My boss wants it to be that only people logging in from that specific area can access the files. I.E. not going home and logging in and showing their wife or friends, or them getting fired and showing off the documents to our competitors.

For that reason, my line manager told me the overall boss wants me to lock IP addresses to accounts so that you cannot access it unless you are in that particular location. I think that this is not a good idea for several technical reasons.

The major question is, the boss is a bit of a wildcard. He is not the most tech savvy and does what he wishes, I can tell my line manager but he will tell me just to do it because the boss has said so. Which I can respect, just a bit of a catch-22. Should I be doing something I know is potentially a bad idea?

Philipp
Marriott81
  • 9
    You have two questions here. One regarding a better implementation is off-topic here and rather belongs to Programmers. I suggest you split your question into two parts, leave one here and ask the other one on Programmers. – superM Feb 04 '14 at 10:23
  • 2
    @Marriott81 I took the liberty to edit your question and remove the technical aspects to make your question more on-topic. You might want to ask about whether or not what your boss proposes is a good idea or not on the more tech-oriented stackexchange sites. It might be on-topic on http://security.stackexchange.com or http://programmers.stackexchange.com – Philipp Feb 04 '14 at 10:38
  • @Philipp cheers, I was about to do that but was answering another question. will get it back from the edit and post elsewhere. – Marriott81 Feb 04 '14 at 10:44
  • If it is fun, you should do it. If you really think it oughtn't be done, just don't do it, and then see what happens. Guaranteed to make for a fun afternoon! – Code Whisperer Feb 05 '14 at 16:10
  • It's your job. Do it. If you see potential problems, it's in your and the business's best interests to make them known, along with any possible solutions or workarounds. :-) – uSeRnAmEhAhAhAhAhA Feb 05 '14 at 17:35
  • 4
    How is IP Address locking a bad idea? Your company probably has a public address, and if you make your app only work from it, then it's a relatively decent defense. That aside, how about instead of swimming upstream if-you-will, suggest a better alternative that accomplishes the Manager's goal(s) as well as yours. – SnakeDoc Feb 06 '14 at 03:31
  • 1
    In regard to @superM comment about programmers, it might be a better question for serverfault, because we're actually talking about blocking outside access to a portal, it's really a trivial matter but falls more in line with professional System administration. – MDMoore313 Feb 06 '14 at 13:55
  • Jesus, 4700 views and still counting. – Marriott81 Feb 07 '14 at 11:21
  • I'm also genuinely curious as to why IP locking is a bad idea. We do a similar thing in our company for security reasons. From my knowledge, we haven't had any issues with it for the past 9 years or so. – TtT23 Feb 13 '14 at 11:44
  • 3
    The concept is known as "firewall" and is in use at most companies. – Petter Nordlander Feb 17 '14 at 05:13
  • On a technical side - just make it easy to adjust the IP rules. I've implemented variations of this multiple times, and never had a serious issue with it. – Sam Dufel Apr 05 '17 at 01:00
  • @SnakeDoc I agree with you. However, I don't get why he'd need to bind it to the accounts. I'd simply have made a whitelist for IP's for the app. If they need to get in the application from the outside they can just use a VPN rather than whitelist the specific user's IP. The whole accounts part is what makes me feel like it's wasted time and effort. Any permission system should be separated from this anyway. – Migz May 24 '17 at 07:03

7 Answers

97

Your boss is paid to make decisions and to take the blame when his decisions turn out wrong. It is your duty as a responsible employee to make your boss aware of problems you see in their decisions. But when they decide to take the risk, you are paid to do what they say.

But you should make sure that you wrote him an email explaining your concerns. Should things go wrong and people start looking for scapegoats, you can pull out that email and say "It's not my fault, I told you so".

Philipp
  • 72
    And if you can, in that email, suggest an alternative approach that will work. –  Feb 04 '14 at 12:15
  • 7
    Excellent answer. Sadly, in my bitter experience, bad managers seem to separate out decisions from blame so it is always prudent to have a trail of emails/discussions that you can refer back to. Although any manager who gets stitched up by the use of that material as evidence against them/to save yourself, will be gunning for you from that moment on. – Mike Feb 04 '14 at 15:28
  • @Mike "any manager who gets stitched up by the use of that material as evidence against them/to save yourself, will be gunning for you from that moment on" Well, yes, but if the manager's bosses have kept them in the same role after so dishonest a move (blaming the technical staff they overruled so that they have to be caught out), then you should think twice about trusting the management culture. Polish up your paper, get it on the street and get another job. – dmckee --- ex-moderator kitten Feb 04 '14 at 20:02
  • @dmckee: supposing that the manager is dishonest, they will probably (a) claim they never received the email and (b) make it a point of policy never to respond to emails containing warnings like this ;-) Therefore it may not be so easy for the manager's boss to see that they are dishonest, that you make it a resignation matter for yourself. I'm not saying you should accept being the scapegoat, of course, just that it'd be a rookie mistake for the manager to try to lay specific blame in that way. – Steve Jessop Feb 04 '14 at 21:41
  • Btw, I say this not because I have seen managerial malevolence on that scale. I haven't. But I have seen a lot of people claim not to know something they were told by email: sometimes honestly and I rather suspect sometimes dishonestly. At the very least the email needs to be about nothing other than this one point, so they don't just skim over the part they don't like in your "project plan" email. Ideally you need a response that says, "I understand the consequences". Assuming you ask politely, willingness to say that is a strong indicator of a non-weasel. – Steve Jessop Feb 04 '14 at 21:46
  • @dmckee - excellent point. Of course, it assumes that your manager's manager isn't as incompetent as they are :-) – Mike Feb 05 '14 at 08:44
  • 2
    One safeguard would be to CC other interested/responsible parties in the mail chain. It seems for example in this case the manager making the demand is not OPs line manager, that line manager would need to be included. As it needs linking with network data, corporate IT would need to get involved to ensure those IP addresses are available and static, etc. etc. And such a thing is rarely a one man job, so there's probably a project management team as well that would have to be in the loop. – jwenting Feb 05 '14 at 09:50
  • 2
    This is an excellent answer. From personal experience, I have been credited in a performance review for restricting myself to an advisory role only even when the big boss is obviously taking a wrong turn. I told him the problem, didn't argue when the decision go my way. If that decision stuffs you and your department in the long term, it's time to bail and get another job I'm afraid! – Gusdor Feb 05 '14 at 16:28
  • Even though decisions are supposed to be owned by bosses, they generally are not. Bosses deflect blame on subordinates. This is well-studied in the longitudinal studies cited in Moral Mazes. Generally, I think it's better to exercise the technical judgement for which you were hired. Assert confidently what a better approach might be. If you are not content to leave the job, then you just have to ask yourself what trade-off you want to make... in the limit of an insistent but wrong boss, do you prefer to find a new job after defending your idea, or risk taking the blame for the boss's bad idea? –  Feb 11 '14 at 18:39
19

Let me separate this into two questions:

1 - Should you do what your boss tells you?

Yes.

In the end, they are paying you to do work. Take the money and do the work, or don't take the money and don't do the work. What he's asking for is not unethical or immoral, it's just unwise.

Most folks won't quit over one stupid order, but if you really have no faith in the command structure and its ability to do smart things, then figure out how much that matters to you in terms of general job satisfaction and also whether or not you can take steps to change it.

2 - In a knowledge working position is it acceptable to question the management?

Yes - absolutely.

Different jobs work differently here - for example, if you were in an industry that centered around rapid response (say, the military, or in an ER), then questioning the boss under time-critical conditions may be an absolute no-go.

But in knowledge working, it's generally assumed that individual contributors have advanced skills and training and will be making independent choices. When a directive from management goes against the good sense of your more detailed knowledge, it's fair to question the directive and raise counter points.

The key here is usually that you won't get far with flat out negation, instead, look into alternate strategies and suggest a path that gets the objective done, but in a better way. And put together ammunition that is worded in business-related concepts, not technical ones. In this example, in particular, I happen to agree with you - I've seen IP locking implemented and it's induced a lot of pain and suffering. But the point that the boss has of no-remote-access is a fair one from a security/business risk perspective.

So, I'd start with this process:

Get Details

Does your boss or the big boss understand that you may accomplish very little with IP locking? For example:

  • do people take their laptops home? Can the files be uploaded at work to the laptop and then brought home?
  • does the portal itself have limitations so that data viewed on the portal can't be copied to a laptop/desktop?

Rather than the technical angle, phrase your concerns in a person-centric way - for example, if I was the user and I wanted to work on a report late at night, I'd copy the data from the portal to my laptop and then work from home on my laptop after the kids go to bed... is that feasible here?

Is this covered in other parts of the business? To what lengths does the big boss want to take these security measures? Chances are really controlling this will be more expensive than he really wants...

Clarify the ramifications in terms non-tech folks can understand

I suspect that the reason you dislike this solution is:

  • hard to administrate -> means that users will have more trouble logging in the first time, and any changes in the at-work system could cause outage when users suddenly can't connect - in terms of the business, this could mean big delays in satisfying customer needs.

  • expensive (sometimes) - is there a cost in terms of equipment licensing or other features? Money is something business users understand. Also factor in time to administrate - paying for your time while you do maintenance instead of other things.

Offer something better

Come up with a better option that gives the boss what he really needs at a lower price than this option. It's hard to argue when you are getting what you want. Don't deny that there is a business concern or risk - this is where the boss probably does know best. But find a better strategy and then find a way to explain in non-tech why it is better.

bethlakshmi
  • 2
    Offer something better .. that's the ticket. Telling your boss that there's a problem with his idea is a lot more palatable if you also present a solution. – Carson63000 Feb 05 '14 at 05:04
18

Points to be taken into consideration:

  • You are the one implementing the stuff. You should be able to tell your boss what will work and what won't.
  • Your boss is the one who is responsible for the decisions taken based on your input. Your job is to make sure that your boss is kept up-to-date with the concerns/limitations.
  • It doesn't matter if your boss is not tech savvy. It might not be his responsibility. It is completely your responsibility to provide the technical view of the solution. Your manager's job is to provide the business angle to the solution. In turn, your manager might get these scenarios from your end user.
  • List down all the solutions and the loopholes due to these solutions. If your manager wants to go ahead with the loopholes, you need not worry. The onus lies on the manager.
  • Capture every concern/limitation in a mail. If you feel that something that the customer is expecting might not be the right thing to do, do let your manager know. He can get back to the customer and let them know about the same (not always are the customers right).
  • Finally, if your manager is sure about the approach to be taken (either due to business requirements or due to customer requirements), you should go ahead and implement it. Sometimes what sounds technologically perfect might not serve any purpose to the end user.
Ricketyship
4

As a professional working in the InfoSec profession, I agree fully with the spirit of your boss's request, but not necessarily with the recommended approach.

Your boss is trying to limit the amount of people who can access the product data of your company, by restricting access to only the company premises. This is a good security practice, in line with Principle of Least Privilege. Allowing public access over the Internet unnecessarily increases the company's exposure to the risk of unauthorized data disclosure.

In addition to potentially unauthorized disclosure of data, there are other risks that are increased by allowing public Internet access such as risk of internal network compromise from threats such as malware on the end user's computing device. You did not explicitly state the security classification of the data, but if the data is sensitive, then the boss has a very valid point in wanting to protect the data to the greatest extent feasible. However, you questioning whether the proposed method is the most effective is entirely appropriate and something you should be doing.

A client connection over the public Internet is by default untrusted and could contain all sorts of nasties that the company may not be able to afford to be attacked by. Unless the connection that you use is properly encrypted, such as through a properly configured VPN tunnel using an industry accepted encryption protocol (ex: SSH, IPsec etc.), then any traffic flowing over the link can be easily sniffed on the wire through man in the middle attack. Also, unless you have a client certificate, the company cannot be certain that your machine is what it claims to be.

To summarize, you should absolutely follow the spirit of what your manager wants, but not necessarily the way he is proposing on doing it.

Anthony
2

It seems like the real goal is to secure this site by limiting where it can be accessed. It's the company's information, so they can do with it what they want.

Your boss isn't technically savvy, so why don't you make sure you understand what he wants to accomplish and ask if you can try another solution? If not, I don't see what the problem is if you implement the poor technical solution and then show it doesn't work. If you foresee a lot of problems undoing this solution and implementing something else, you need to make sure the boss understands that up front.

Like most people have indicated: you make suggestions, the boss makes decisions and no one is perfect.

0

I would suggest to view the requested access restriction and the tech details of how to implement it as two separate things. Managers are requesting that access to the material only be possible from a certain physical IP address. That often means "from a specific physical location". I do not find that offensive at all. If that is what management want then I suggest that is something to take as a concrete requirement. The next step is to assess if their technical suggestion to lock to IP address is the best one. If you think not, then provide some arguments for why not, AND most important; suggest a solution that both fulfills the requirement and is a feasible thing to accomplish.

I suggest if you can't imagine some alternative solution, then go ahead with the IP address way. If so then make sure to inform the manager(s) up front of any security concerns you may have, and have them confirm this is what they want.

  • 2
    this post is rather hard to read (wall of text). Would you mind [edit]ing it into a better shape? – gnat Feb 04 '14 at 19:52
-2

It's a pain, but sometimes you have to implement your solution to account for your bosses' shortcomings. You can see things that he cannot. That's okay. Rather than doing the work twice, put in a solution where it's configurable. In configuration "a", it works the way your boss asks. In configuration "b", it works the way they're gonna need it to work when they figure out they've hung themselves. Switch between them using a configuration file somewhere. Voila.

You're the hero in both cases -- as long as you are humble at it.

jmort253
Xavier J
  • 1
    Hey codenoire, the question in this case is more about how to handle a situation where a boss asks for one thing but you're not sure it's the right thing to do. Your post is helpful, but it focuses a little too much on software. I'm not removing it at this time, but I recommend editing to address what to do if there isn't an alternate solution. For instance, suppose the boss said "Don't make it configurable". Hope this helps. – jmort253 Feb 15 '14 at 04:17