Implementing something your boss has asked for, even if it's potentially a bad idea
44 votes
For my company we are creating a private portal so the company can log in and get the information about their product from our website. My boss wants it to be that only people logging in from that specific area can access the files, i.e. not going home and logging in and showing their wife or friends, or getting fired and showing off the documents to our competitors.
For that reason, my line manager told me the overall boss wants me to lock IP addresses to accounts so that you cannot access it unless you are in that particular location. I think that this is not a good idea for several technical reasons.
The major question is: the boss is a bit of a wildcard. He is not the most tech-savvy and does what he wishes. I can tell my line manager, but he will tell me just to do it because the boss has said so. Which I can respect, it's just a bit of a catch-22. Should I be doing something I know is potentially a bad idea?
Tags: management, websites
9
You have two questions here. One regarding a better implementation is off-topic here and rather belongs to Programmers. I suggest you split your question into two parts, leave one here and ask the other one on Programmers.
– superM
Feb 4 '14 at 10:23
2
@Marriott81 I took the liberty to edit your question and remove the technical aspects to make your question more on-topic. You might want to ask about whether or not what your boss proposes is a good idea or not on the more tech-oriented stackexchange sites. It might be on-topic on security.stackexchange.com or programmers.stackexchange.com
– Philipp
Feb 4 '14 at 10:38
2
Present your argument, clearly. If you really think the boss is doing something that will seriously damage the company, ask someone more experienced in the company culture to crosscheck your conclusions and if they agree ask them what the appropriate mechanism is for asking other/upper management to weigh in and/or to document the alternative for reconsideration. But in the end, your boss is your most immediate customer. The customer is not always right, but the customer is always the one with the money. You may have to decide whether you'd rather be right or paid.
– keshlam
Feb 4 '14 at 17:20
3
How is IP address locking a bad idea? Your company probably has a public address, and if you make your app only work from it, then it's a relatively decent defense. That aside, how about instead of swimming upstream, if you will, suggest a better alternative that accomplishes the manager's goal(s) as well as yours.
– SnakeDoc
Feb 6 '14 at 3:31
2
The concept is known as "firewall" and is in use at most companies.
– Petter Nordlander
Feb 17 '14 at 5:13
edited Feb 4 '14 at 10:36
Philipp
asked Feb 4 '14 at 10:17
Marriott81
7 Answers
92 votes, accepted
Your boss is paid to make decisions and to take the blame when his decisions turn out wrong. It is your duty as a responsible employee to make your boss aware of problems you see in their decisions. But when they decide to take the risk, you are paid to do what they say.
But you should make sure that you write him an email explaining your concerns. Should things go wrong and people start looking for scapegoats, you can pull out that email and say "It's not my fault, I told you so".
edited Feb 4 '14 at 13:08
answered Feb 4 '14 at 10:33
Philipp
69
And if you can, in that email, suggest an alternative approach that will work.
– Jan Doggen
Feb 4 '14 at 12:15
7
Excellent answer. Sadly, in my bitter experience, bad managers seem to separate out decisions from blame so it is always prudent to have a trail of emails/discussions that you can refer back to. Although any manager who gets stitched up by the use of that material as evidence against them/to save yourself, will be gunning for you from that moment on.
– Mike
Feb 4 '14 at 15:28
@Mike "any manager who gets stitched up by the use of that material as evidence against them/to save yourself, will be gunning for you from that moment on" Well, yes, but if the manager's bosses have kept them in the same role after so dishonest a move (blaming the technical staff they overruled so that they have to be caught out), then you should think twice about trusting the management culture. Polish up your paper, get it on the street and get another job.
– dmckee
Feb 4 '14 at 20:02
2
One safeguard would be to CC other interested/responsible parties in the mail chain. It seems, for example, that in this case the manager making the demand is not the OP's line manager, so that line manager would need to be included. As it needs linking with network data, corporate IT would need to get involved to ensure those IP addresses are available and static, etc. And such a thing is rarely a one-man job, so there's probably a project management team as well that would have to be in the loop.
– jwenting
Feb 5 '14 at 9:50
2
This is an excellent answer. From personal experience, I have been credited in a performance review for restricting myself to an advisory role only, even when the big boss is obviously taking a wrong turn. I told him the problem and didn't argue when the decision go my way. If that decision stuffs you and your department in the long term, it's time to bail and get another job, I'm afraid!
– Gusdor
Feb 5 '14 at 16:28
18 votes
Points to be taken into consideration:
- You are the one implementing the stuff. You should be able to tell your boss what will work and what won't.
- Your boss is the one who is responsible for the decisions taken based on your input. Your job is to make sure that your boss is kept up to date with the concerns/limitations.
- It doesn't matter if your boss is not tech-savvy. It might not be his responsibility. It is completely your responsibility to provide the technical view of the solution. Your manager's job is to provide the business angle to the solution. In turn, your manager might get these scenarios from your end user.
- List all the solutions and the loopholes these solutions introduce. If your manager wants to go ahead with the loopholes, you need not worry. The onus lies on the manager.
- Capture every concern/limitation in a mail. If you feel that something the customer is expecting might not be the right thing to do, do let your manager know. He can get back to the customer and let them know about the same (the customers are not always right).
- Finally, if your manager is sure about the approach to be taken (either due to business requirements or due to customer requirements), you should go ahead and implement it. Sometimes what sounds technologically perfect might not serve any purpose to the end user.
18 votes
Let me separate this into two questions:
1 - Should you do what your boss tells you?
Yes.
In the end, they are paying you to do work. Take the money and do the work, or don't take the money and don't do the work. What he's asking for is not unethical or immoral, it's just unwise.
Most folks won't quit over one stupid order, but if you really have no faith in the command structure and its ability to do smart things, then figure out how much that matters to you in terms of general job satisfaction and also whether or not you can take steps to change it.
2 - In a knowledge working position is it acceptable to question the management?
Yes - absolutely.
Different jobs work differently here - for example, if you were in an industry that centered around rapid response (say, the military, or in an ER), then questioning the boss under time-critical conditions may be an absolute no-go.
But in knowledge working, it's generally assumed that individual contributors have advanced skills and training and will be making independent choices. When a directive from management goes against the good sense of your more detailed knowledge, it's fair to question the directive and raise counter points.
The key here is usually that you won't get far with flat out negation, instead, look into alternate strategies and suggest a path that gets the objective done, but in a better way. And put together ammunition that is worded in business-related concepts, not technical ones. In this example, in particular, I happen to agree with you - I've seen IP locking implemented and it's induced a lot of pain and suffering. But the point that the boss has of no-remote-access is a fair one from a security/business risk perspective.
So, I'd start with this process:
Get Details
Does your boss or the big boss understand that you may accomplish very little with IP locking? For example:
- do people take their laptops home? Can the files be uploaded at work to the laptop and then brought home?
- does the portal itself have limitations so that data viewed on the portal can't be copied to a laptop/desktop?
Rather than the technical angle, phrase your concerns in a person-centric way - for example, if I was the user and I wanted to work on a report late at night, I'd copy the data from the portal to my laptop and then work from home on my laptop after the kids go to bed... is that feasible here?
Is this covered in other parts of the business? To what lengths does the big boss want to take these security measures? Chances are really controlling this will be more expensive than he really wants...
Clarify the ramifications in terms non-tech folks can understand
I suspect that the reasons you dislike this solution are:
- hard to administrate: this means that users will have more trouble logging in the first time, and any changes in the at-work system could cause an outage when users suddenly can't connect. In terms of the business, this could mean big delays in satisfying customer needs.
- expensive (sometimes): is there a cost in terms of equipment licensing or other features? Money is something business users understand. Also factor in time to administrate, i.e. paying for your time while you do maintenance instead of other things.
Offer something better
Come up with a better option that gives the boss what he really needs at a lower price than this option. It's hard to argue when you are getting what you want. Don't deny that there is a business concern or risk - this is where the boss probably does know best. But find a better strategy and then find a way to explain in non-tech why it is better.
2
Offer something better .. that's the ticket. Telling your boss that there's a problem with his idea is a lot more palatable if you also present a solution.
– Carson63000
Feb 5 '14 at 5:04
3 votes
As a professional working in the InfoSec profession, I agree fully with the spirit of your boss's request, but not necessarily with the recommended approach.
Your boss is trying to limit the number of people who can access the product data of your company by restricting access to only the company premises. This is a good security practice, in line with the Principle of Least Privilege. Allowing public access over the Internet unnecessarily increases the company's exposure to the risk of unauthorized data disclosure.
In addition to potentially unauthorized disclosure of data, there are other risks that are increased by allowing public Internet access, such as the risk of internal network compromise from threats such as malware on the end user's computing device. You did not explicitly state the security classification of the data, but if the data is sensitive, then the boss has a very valid point in wanting to protect the data to the greatest extent feasible. However, you questioning whether the proposed method is the most effective is entirely appropriate and something you should be doing.
A client connection over the public Internet is by default untrusted and could contain all sorts of nasties that the company may not be able to afford to be attacked by. Unless the connection that you use is properly encrypted, such as through a properly configured VPN tunnel using an industry-accepted encryption protocol (e.g. SSH, IPsec, etc.), then any traffic flowing over the link can be easily sniffed on the wire through a man-in-the-middle attack. Also, unless you have a client certificate, the company cannot be certain that your machine is what it claims to be.
To summarize, you should absolutely follow the spirit of what your manager wants, but not necessarily the way he is proposing to do it.
2 votes
It seems like the real goal is to secure this site by limiting where it can be accessed. It's the company's information, so they can do with it what they want.
Your boss isn't technically savvy, so why don't you make sure you understand what he wants to accomplish and ask if you can try another solution? If not, I don't see what the problem is if you implement the poor technical solution and then show it doesn't work. If you foresee a lot of problems undoing this solution and implementing something else, you need to make sure the boss understands that up front.
Like most people have indicated: you make suggestions, the boss makes decisions and no one is perfect.
0 votes
I would suggest to view the requested access restriction and the tech details of how to implement it as two separate things. Managers are requesting that access to the material only be possible from a certain physical IP address. That often means "from a specific physical location". I do not find that offensive at all.
If that is what management want then I suggest that is something to take as a concrete requirement.
The next step is to assess if their technical suggestion to lock to IP address is the best one. If you think not, then provide some arguments for why not, AND most important; suggest a solution that both fulfills the requirement and is a feasible thing to accomplish.
I suggest that if you can't imagine some alternative solution, then go ahead with the IP address way.
If so then make sure to inform the manager(s) up front of any security concerns you may have, and have them confirm this is what they want.
2
this post is rather hard to read (wall of text). Would you mind editing it into a better shape?
– gnat
Feb 4 '14 at 19:52
-2 votes
It's a pain, but sometimes you have to implement your solution to account for your boss's shortcomings. You can see things that he cannot. That's okay. Rather than doing the work twice, put in a solution where it's configurable. In configuration "a", it works the way your boss asks. In configuration "b", it works the way they're gonna need it to work when they figure out they've hung themselves. Switch between them using a configuration file somewhere. Voila.
You're the hero in both cases -- as long as you are humble at it.
1
Hey codenoire, the question in this case is more about how to handle a situation where a boss asks for one thing but you're not sure it's the right thing to do. Your post is helpful, but it focuses a little too much on software. I'm not removing it at this time, but I recommend editing to address what to do if there isn't an alternate solution. For instance, suppose the boss said "Don't make it configurable". Hope this helps.
– jmort253♦
Feb 15 '14 at 4:17
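The InfoSec answer above treats the boss's request as a least-privilege control, and the last answer suggests making the behaviour configurable. As an added example that is not code from any answer on this page, the following Python shows what "lock IP addresses to accounts" looks like when implemented carefully: each account is tied to address ranges rather than single addresses (an office usually NATs many users behind a few public addresses), the check uses the TCP peer address and only honours a forwarded header from the site's own reverse proxy, denials are logged so the security team can see them, and an `enforce=False` monitor mode lets you measure how many real users a ruleset would lock out before turning it on. The account table, address ranges (RFC 5737/3849 documentation prefixes), proxy address and login events are all constructed for the example.

```python
"""Per-account source-IP allowlisting for a customer portal.

Added illustration of the mechanism discussed on this page, not code from any
answer. All accounts, address ranges, the proxy address and the login events
below are constructed sample data.
"""
import ipaddress
import logging
from dataclasses import dataclass

log = logging.getLogger("portal.ipcheck")

# Constructed: each customer account is tied to the ranges its office connects
# from. Ranges, not single addresses, so a site whose NAT pool spans a few
# public addresses does not start failing when the gateway hands out another one.
ACCOUNT_ALLOWLIST = {
    "acme-corp": [ipaddress.ip_network("203.0.113.0/28")],
    "globex": [
        ipaddress.ip_network("198.51.100.42/32"),
        ipaddress.ip_network("2001:db8:10::/48"),
    ],
}

# Constructed: the only reverse proxy whose X-Forwarded-For header is believed.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.5/32")]


@dataclass
class Decision:
    allowed: bool
    reason: str
    client_ip: str


def effective_client_ip(peer_ip, x_forwarded_for=None):
    """Return the address the allowlist check should evaluate.

    The TCP peer address is authoritative. A forwarded header is honoured only
    when the peer is one of our own proxies; any other client can put whatever
    it likes in that header, so on its own it proves nothing.
    """
    peer = ipaddress.ip_address(peer_ip)
    if x_forwarded_for and any(peer in net for net in TRUSTED_PROXIES):
        # Proxies append to the list; the last entry is what our proxy saw.
        return ipaddress.ip_address(x_forwarded_for.split(",")[-1].strip())
    return peer


def check_login(account, peer_ip, x_forwarded_for=None, enforce=True):
    """Decide whether a login for `account` from this connection is permitted.

    enforce=False is a monitor-only mode: violations are logged but never
    block, so an operator can see the impact of a ruleset before enabling it.
    """
    try:
        client = effective_client_ip(peer_ip, x_forwarded_for)
    except ValueError:
        return Decision(False, "unparseable client address", str(peer_ip))
    ranges = ACCOUNT_ALLOWLIST.get(account)
    if ranges is None:
        return Decision(False, "unknown account", str(client))
    if any(client in net for net in ranges):
        return Decision(True, "source in account allowlist", str(client))
    # Logged either way: a login from outside the expected site is worth seeing.
    log.warning("ip-allowlist violation account=%s ip=%s enforce=%s",
                account, client, enforce)
    if not enforce:
        return Decision(True, "outside allowlist (monitor mode, not blocked)", str(client))
    return Decision(False, "source outside account allowlist", str(client))


# Constructed login events: (account, TCP peer address, X-Forwarded-For header).
SAMPLE_EVENTS = [
    ("acme-corp", "203.0.113.7", None),         # from the office NAT range
    ("acme-corp", "192.0.2.55", None),          # home broadband
    ("globex", "10.0.0.5", "198.51.100.42"),    # office, seen through our proxy
    ("globex", "192.0.2.9", "198.51.100.42"),   # header set by an untrusted peer
    ("globex", "2001:db8:10::1", None),         # office IPv6 range
]


def count_would_block(events):
    """Replay events against the enforcing check and return how many would be
    rejected: the figure to show management before enforcement is switched on."""
    return sum(1 for account, peer, xff in events
               if not check_login(account, peer, xff, enforce=True).allowed)


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    for account, peer, xff in SAMPLE_EVENTS:
        d = check_login(account, peer, xff)
        print(f"{account:10} {d.client_ip:18} {'ALLOW' if d.allowed else 'DENY ':5} {d.reason}")
    print("logins enforcement would block:", count_would_block(SAMPLE_EVENTS))
```

Run in monitor mode for a while first and count the warnings; that number, expressed as "this many customer logins would have failed", is the business-language argument the answers above recommend over a purely technical objection.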
protected by Elysian Fields♦ Feb 5 '14 at 20:45
7 Answers
7
active
oldest
votes
7 Answers
7
active
oldest
votes
active
oldest
votes
active
oldest
votes
up vote
92
down vote
accepted
Your boss is paid to make decisions and to take the blame when his decisions turn out wrong. It is your duty as a responsible employee to make your boss aware of problems you see in their decisions. But when they decide to take the risk, you are paid to do what they say.
But you should make sure that you wrote him an email explaining your concerns. Should things go wrong and people start looking for scapegoats, you can pull out that email and say "It's not my fault, I told you so".
69
And if you can, in that email, suggest an alternative approach that will work.
– Jan Doggen
Feb 4 '14 at 12:15
7
Excellent answer. Sadly, in my bitter experience, bad managers seem to separate out decisions from blame so it is always prudent to have a trail of emails/discussions that you can refer back to. Although any manager who gets stitched up by the use of that material as evidence against them/to save yourself, will be gunning for you from that moment on.
– Mike
Feb 4 '14 at 15:28
@Mike "any manager who gets stitched up by the use of that material as evidence against them/to save yourself, will be gunning for you from that moment on" Well, yes, but if the manager's bosses have kept them in the same role after so dishonest a move (blaming the technical staff they overruled so that they have to be caught out), then you should think twice about trusting the management culture. Polish up your paper, get it on the street and get another job.
– dmckee
Feb 4 '14 at 20:02
2
One safeguard would be to CC other interested/responsible parties in the mail chain. It seems for example in this case the manager making the demand is not OPs line manager, that line manager would need to be included. As it needs linking with network data, corporate IT would need to get involved to ensure those IP addresses are available and static, etc. etc. And such a thing is rarely a one man job, so there's probably a project management team as well that would have to be in the loop.
– jwenting
Feb 5 '14 at 9:50
2
This is an excellent answer. From personal experince, I have been credited in a performance review for restricting myself to an advisory role only even when the big boss is obviously taking a wrong turn. I told him the problem, didn't argue when the decision go my way. If that decision stuffs you and your department in the long term, its time to bail and get another job im afraid!
– Gusdor
Feb 5 '14 at 16:28
 |Â
show 4 more comments
up vote
92
down vote
accepted
Your boss is paid to make decisions and to take the blame when his decisions turn out wrong. It is your duty as a responsible employee to make your boss aware of problems you see in their decisions. But when they decide to take the risk, you are paid to do what they say.
But you should make sure that you wrote him an email explaining your concerns. Should things go wrong and people start looking for scapegoats, you can pull out that email and say "It's not my fault, I told you so".
69
And if you can, in that email, suggest an alternative approach that will work.
– Jan Doggen
Feb 4 '14 at 12:15
7
Excellent answer. Sadly, in my bitter experience, bad managers seem to separate out decisions from blame so it is always prudent to have a trail of emails/discussions that you can refer back to. Although any manager who gets stitched up by the use of that material as evidence against them/to save yourself, will be gunning for you from that moment on.
– Mike
Feb 4 '14 at 15:28
@Mike "any manager who gets stitched up by the use of that material as evidence against them/to save yourself, will be gunning for you from that moment on" Well, yes, but if the manager's bosses have kept them in the same role after so dishonest a move (blaming the technical staff they overruled so that they have to be caught out), then you should think twice about trusting the management culture. Polish up your paper, get it on the street and get another job.
– dmckee
Feb 4 '14 at 20:02
2
One safeguard would be to CC other interested/responsible parties in the mail chain. It seems for example in this case the manager making the demand is not OPs line manager, that line manager would need to be included. As it needs linking with network data, corporate IT would need to get involved to ensure those IP addresses are available and static, etc. etc. And such a thing is rarely a one man job, so there's probably a project management team as well that would have to be in the loop.
– jwenting
Feb 5 '14 at 9:50
2
This is an excellent answer. From personal experince, I have been credited in a performance review for restricting myself to an advisory role only even when the big boss is obviously taking a wrong turn. I told him the problem, didn't argue when the decision go my way. If that decision stuffs you and your department in the long term, its time to bail and get another job im afraid!
– Gusdor
Feb 5 '14 at 16:28
 |Â
show 4 more comments
up vote
92
down vote
accepted
up vote
92
down vote
accepted
Your boss is paid to make decisions and to take the blame when his decisions turn out wrong. It is your duty as a responsible employee to make your boss aware of problems you see in their decisions. But when they decide to take the risk, you are paid to do what they say.
But you should make sure that you wrote him an email explaining your concerns. Should things go wrong and people start looking for scapegoats, you can pull out that email and say "It's not my fault, I told you so".
Your boss is paid to make decisions and to take the blame when his decisions turn out wrong. It is your duty as a responsible employee to make your boss aware of problems you see in their decisions. But when they decide to take the risk, you are paid to do what they say.
But you should make sure that you wrote him an email explaining your concerns. Should things go wrong and people start looking for scapegoats, you can pull out that email and say "It's not my fault, I told you so".
edited Feb 4 '14 at 13:08
answered Feb 4 '14 at 10:33
Philipp
20.3k34885
20.3k34885
69
And if you can, in that email, suggest an alternative approach that will work.
– Jan Doggen
Feb 4 '14 at 12:15
7
Excellent answer. Sadly, in my bitter experience, bad managers seem to separate out decisions from blame so it is always prudent to have a trail of emails/discussions that you can refer back to. Although any manager who gets stitched up by the use of that material as evidence against them/to save yourself, will be gunning for you from that moment on.
– Mike
Feb 4 '14 at 15:28
@Mike "any manager who gets stitched up by the use of that material as evidence against them/to save yourself, will be gunning for you from that moment on" Well, yes, but if the manager's bosses have kept them in the same role after so dishonest a move (blaming the technical staff they overruled so that they have to be caught out), then you should think twice about trusting the management culture. Polish up your paper, get it on the street and get another job.
– dmckee
Feb 4 '14 at 20:02
2
One safeguard would be to CC other interested/responsible parties in the mail chain. It seems, for example, that in this case the manager making the demand is not the OP's line manager; that line manager would need to be included. As it needs linking with network data, corporate IT would need to get involved to ensure those IP addresses are available and static, etc. And such a thing is rarely a one-man job, so there's probably a project management team as well that would have to be in the loop.
– jwenting
Feb 5 '14 at 9:50
2
This is an excellent answer. From personal experience, I have been credited in a performance review for restricting myself to an advisory role only, even when the big boss is obviously taking a wrong turn. I told him the problem, and didn't argue when the decision didn't go my way. If that decision stuffs you and your department in the long term, it's time to bail and get another job, I'm afraid!
– Gusdor
Feb 5 '14 at 16:28
Answer (score 18)
Points to be taken into consideration:
- You are the one implementing the stuff. You should be able to tell your boss what will work and what won't.
- Your boss is the one who is responsible for the decisions taken based on your input. Your job is to make sure that your boss is kept up-to-date with the concerns/limitations.
- It doesn't matter if your boss is not tech savvy. It might not be his responsibility. It is completely your responsibility to provide the technical view of the solution. Your manager's job is to provide the business angle to the solution. In turn, your manager might get these scenarios from your end user.
- List down all the solutions and the loopholes due to these solutions. If your manager wants to go ahead with the loopholes, you need not worry. The onus lies on the manager.
- Capture every concern/limitation in a mail. If you feel that something that the customer is expecting might not be the right thing to do, do let your manager know. He can get back to the customer and let them know about the same (customers are not always right).
- Finally, if your manager is sure about the approach to be taken (either due to business requirements or due to customer requirements), you should go ahead and implement it. Sometimes what sounds technologically perfect might not serve any purpose to the end user.
answered Feb 4 '14 at 12:31


Ricketyship
2,0011022
Answer (score 18)
Let me separate this into two questions:
1 - Should you do what your boss tells you?
Yes.
In the end, they are paying you to do work. Take the money and do the work, or don't take the money and don't do the work. What he's asking for is not unethical or immoral, it's just unwise.
Most folks won't quit over one stupid order, but if you really have no faith in the command structure and its ability to do smart things, then figure out how much that matters to you in terms of general job satisfaction and also whether or not you can take steps to change it.
2 - In a knowledge working position is it acceptable to question the management?
Yes - absolutely.
Different jobs work differently here - for example, if you were in an industry that centered around rapid response (say, the military, or in an ER), then questioning the boss under time-critical conditions may be an absolute no-go.
But in knowledge working, it's generally assumed that individual contributors have advanced skills and training and will be making independent choices. When a directive from management goes against the good sense of your more detailed knowledge, it's fair to question the directive and raise counterpoints.
The key here is usually that you won't get far with flat-out negation; instead, look into alternate strategies and suggest a path that gets the objective done, but in a better way. And put together ammunition that is worded in business-related concepts, not technical ones. In this example, in particular, I happen to agree with you - I've seen IP locking implemented and it's induced a lot of pain and suffering. But the point that the boss has of no-remote-access is a fair one from a security/business risk perspective.
So, I'd start with this process:
Get Details
Does your boss or the big boss understand that you may accomplish very little with IP locking? For example:
- do people take their laptops home? Can the files be uploaded at work to the laptop and then brought home?
- does the portal itself have limitations so that data viewed on the portal can't be copied to a laptop/desktop?
Rather than the technical angle, phrase your concerns in a person-centric way - for example, if I were the user and I wanted to work on a report late at night, I'd copy the data from the portal to my laptop and then work from home on my laptop after the kids go to bed... is that feasible here?
Is this covered in other parts of the business? To what lengths does the big boss want to take these security measures? Chances are really controlling this will be more expensive than he really wants...
Clarify the ramifications in terms non-tech folks can understand
I suspect that the reason you dislike this solution is:
- hard to administrate -> means that users will have more trouble logging in the first time, and any changes in the at-work system could cause an outage when users suddenly can't connect - in terms of the business, this could mean big delays in satisfying customer needs.
- expensive (sometimes) - is there a cost in terms of equipment licensing or other features? Money is something business users understand. Also factor in time to administrate - paying for your time while you do maintenance instead of other things.
Offer something better
Come up with a better option that gives the boss what he really needs at a lower price than this option. It's hard to argue when you are getting what you want. Don't deny that there is a business concern or risk - this is where the boss probably does know best. But find a better strategy and then find a way to explain in non-tech terms why it is better.
answered Feb 4 '14 at 16:55
bethlakshmi
70.3k4136277
2
Offer something better .. that's the ticket. Telling your boss that there's a problem with his idea is a lot more palatable if you also present a solution.
– Carson63000
Feb 5 '14 at 5:04
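To make the "Get Details" and "hard to administrate" points above concrete, here is an added example (my own code, not from any answer in this thread) of binding accounts to office IP ranges and of how the lockout caused by a changed office address shows up in the denial log; the account names and the 203.0.113.0/29 "office" range are constructed documentation values.

```python
"""Per-account IP locking, and how the lockout this thread warns about shows up.

Added example, not code from any answer above. Account names and the
203.0.113.0/29 "office" range are constructed documentation values.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from ipaddress import IPv4Network, IPv6Network, ip_address, ip_network
from typing import Dict, Iterable, List, Set, Tuple, Union

Network = Union[IPv4Network, IPv6Network]


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


class IpLock:
    """Binds each account to the CIDR ranges it may log in from."""

    def __init__(self, bindings: Dict[str, Iterable[str]]) -> None:
        # Parse once at load time so a mistyped range fails here, not at login.
        self.bindings: Dict[str, List[Network]] = {
            account: [ip_network(cidr, strict=False) for cidr in cidrs]
            for account, cidrs in bindings.items()
        }
        # Every denial is kept for review: (account, source address).
        self.denials: List[Tuple[str, str]] = []

    def check(self, account: str, source_ip: str) -> Decision:
        """Decide whether this login attempt comes from a bound range.

        source_ip must be the peer address the server saw on the connection,
        not a value copied out of a request header the client controls.
        """
        if account not in self.bindings:
            return Decision(False, "unknown account")
        try:
            addr = ip_address(source_ip)
        except ValueError:
            return Decision(False, "unparseable source address")
        for net in self.bindings[account]:
            if addr in net:  # mixed IPv4/IPv6 simply fails the membership test
                return Decision(True, f"{addr} is within {net}")
        self.denials.append((account, str(addr)))
        return Decision(False, f"{addr} is outside every range bound to {account}")

    def egress_change_suspects(self, min_accounts: int = 3) -> Dict[str, List[str]]:
        """Group denials by source address.

        Many distinct accounts denied from one unbound address is the signature
        of the office egress IP having changed (the outage bethlakshmi describes),
        not of a single user trying from home. Those addresses are returned so an
        administrator can confirm with corporate IT and rebind before the help
        desk fills up.
        """
        by_ip: Dict[str, Set[str]] = defaultdict(set)
        for account, ip in self.denials:
            by_ip[ip].add(account)
        return {ip: sorted(accts) for ip, accts in by_ip.items()
                if len(accts) >= min_accounts}


def demo() -> dict:
    """Walk through the intended denial and the accidental one."""
    lock = IpLock({
        "alice": ["203.0.113.0/29"],
        "bob": ["203.0.113.0/29"],
        "carol": ["203.0.113.0/29", "198.51.100.7/32"],  # carol also works at a second site
    })
    results = {
        "alice_office": lock.check("alice", "203.0.113.5").allowed,  # in range
        "alice_home": lock.check("alice", "192.0.2.44").allowed,     # the boss's goal: denied
        "carol_site2": lock.check("carol", "198.51.100.7").allowed,  # second site allowed
    }
    # The ISP renumbers the office overnight; every login now arrives from .200.
    for account in ("alice", "bob", "carol"):
        lock.check(account, "203.0.113.200")
    results["suspects"] = lock.egress_change_suspects()
    return results


if __name__ == "__main__":
    print(demo())
```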
Answer (score 3)
As a professional working in the InfoSec profession, I agree fully with the spirit of your boss's request, but not necessarily with the recommended approach.
Your boss is trying to limit the number of people who can access the product data of your company by restricting access to only the company premises. This is a good security practice, in line with the Principle of Least Privilege. Allowing public access over the Internet unnecessarily increases the company's exposure to the risk of unauthorized data disclosure.
In addition to potentially unauthorized disclosure of data, there are other risks that are increased by allowing public Internet access, such as the risk of internal network compromise from threats such as malware on the end user's computing device. You did not explicitly state the security classification of the data, but if the data is sensitive, then the boss has a very valid point in wanting to protect the data to the greatest extent feasible. However, your questioning whether the proposed method is the most effective is entirely appropriate and something you should be doing.
A client connection over the public Internet is by default untrusted and could contain all sorts of nasties that the company may not be able to afford to be attacked by. Unless the connection that you use is properly encrypted, such as through a properly configured VPN tunnel using an industry-accepted encryption protocol (e.g. SSH, IPsec, etc.), then any traffic flowing over the link can be easily sniffed on the wire through a man-in-the-middle attack. Also, unless you have a client certificate, the company cannot be certain that your machine is what it claims to be.
To summarize, you should absolutely follow the spirit of what your manager wants, but not necessarily the way he is proposing to do it.
edited May 24 '17 at 1:55
answered Apr 5 '17 at 0:01 by Anthony
It seems like the real goal is to secure this site by limiting where it can be accessed. It's the company's information, so they can do with it what they want.
Your boss isn't technically savvy, so why don't you make sure you understand what he wants to accomplish and ask if you can try another solution? If not, I don't see what the problem is if you implement the poor technical solution and then show it doesn't work. If you foresee a lot of problems undoing this solution and implementing something else, you need to make sure the boss understands that up front.
Like most people have indicated: you make suggestions, the boss makes decisions and no one is perfect.
answered Feb 4 '14 at 16:23 by user8365
I would suggest viewing the requested access restriction and the technical details of how to implement it as two separate things. Managers are requesting that access to the material only be possible from a certain physical IP address. That often means "from a specific physical location". I do not find that offensive at all.
If that is what management want, then I suggest that is something to take as a concrete requirement.
The next step is to assess whether their technical suggestion to lock to IP address is the best one. If you think not, then provide some arguments for why not, AND, most important, suggest a solution that both fulfills the requirement and is a feasible thing to accomplish.
I suggest that if you can't imagine some alternative solution, then go ahead with the IP address way.
If so, then make sure to inform the manager(s) up front of any security concerns you may have, and have them confirm this is what they want.
edited Feb 11 '14 at 18:32
answered Feb 4 '14 at 19:50 by Gunnar Forsgren - Mobimation
this post is rather hard to read (wall of text). Would you mind editing it into a better shape?
– gnat
Feb 4 '14 at 19:52
It's a pain, but sometimes you have to implement your solution to account for your boss's shortcomings. You can see things that he cannot. That's okay. Rather than doing the work twice, put in a solution where it's configurable. In configuration "a", it works the way your boss asks. In configuration "b", it works the way they're gonna need it to work when they figure out they've hung themselves. Switch between them using a configuration file somewhere. Voila.
You're the hero in both cases -- as long as you are humble at it.
edited Feb 15 '14 at 4:15 by jmort253♦
answered Feb 4 '14 at 16:14 by Xavier J
Hey codenoire, the question in this case is more about how to handle a situation where a boss asks for one thing but you're not sure it's the right thing to do. Your post is helpful, but it focuses a little too much on software. I'm not removing it at this time, but I recommend editing to address what to do if there isn't an alternate solution. For instance, suppose the boss said "Don't make it configurable". Hope this helps.
– jmort253♦
Feb 15 '14 at 4:17
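The configurable switch this answer describes, written out as an added example (not code from the post or from any project): a per-account allowlist of networks where mode "enforce" is configuration "a" and mode "audit" (let the login through, but log the mismatch) is configuration "b". The account names, network ranges, trusted-proxy range and the `check_location` / `resolve_client_ip` functions are all constructed for the illustration.

```python
"""Per-account network allowlist with a configurable enforcement mode."""
import ipaddress
import logging
from typing import Dict, List, Optional, Tuple, Union

log = logging.getLogger("portal.location_lock")
IPAddress = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]

# Constructed configuration: the public egress network(s) each customer
# account may log in from. Private RFC 1918 ranges would never match, since
# a server on the public Internet only sees the office's NAT address.
ACCOUNT_NETWORKS: Dict[str, List[str]] = {
    "acme-corp": ["203.0.113.0/24", "2001:db8:1::/48"],
    "globex": ["198.51.100.16/28"],
}

# Configuration "a" is "enforce" (block logins from elsewhere); configuration
# "b" is "audit" (allow, but log the mismatch). Read this from a config file.
MODE = "enforce"

# Reverse proxies trusted to append the real client to X-Forwarded-For.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]


def resolve_client_ip(peer_ip: str, forwarded_for: Optional[str]) -> Optional[IPAddress]:
    """Return the address to check, or None if it cannot be parsed.

    X-Forwarded-For is honoured only when the TCP peer is a trusted proxy;
    otherwise any client could forge the header to appear inside the office.
    Assumes one proxy hop: the right-most entry is the one our proxy appended.
    """
    try:
        peer = ipaddress.ip_address(peer_ip)
    except ValueError:
        return None
    if forwarded_for and any(peer in net for net in TRUSTED_PROXIES):
        try:
            return ipaddress.ip_address(forwarded_for.split(",")[-1].strip())
        except ValueError:
            return None
    return peer


def check_location(account: str, peer_ip: str, forwarded_for: Optional[str] = None,
                   mode: str = MODE) -> Tuple[bool, str]:
    """Decide whether a login for `account` from this connection is allowed.

    Returns (allowed, reason). Unknown accounts and unparsable addresses are
    refused in both modes: the control fails closed.
    """
    if mode not in ("enforce", "audit"):
        raise ValueError(f"unknown mode {mode!r}")
    client = resolve_client_ip(peer_ip, forwarded_for)
    if client is None:
        return False, "unparsable client address"
    networks = ACCOUNT_NETWORKS.get(account)
    if networks is None:
        return False, "unknown account"
    # `in` is False across IP versions, so a v6 client never matches a v4 net.
    if any(client in ipaddress.ip_network(n) for n in networks):
        return True, "client inside allowed network"
    log.warning("account %s seen from %s, outside its allowed networks", account, client)
    if mode == "audit":
        return True, "outside allowed network (audit mode, not blocked)"
    return False, "outside allowed network"
```

Starting in audit mode and reading the log for a while shows management the real-world effect before enforce mode is switched on. The X-Forwarded-For handling only matters when a trusted reverse proxy sits in front of the portal; without one the TCP peer address is used directly.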
protected by Elysian Fields♦ Feb 5 '14 at 20:45
You have two questions here. One regarding a better implementation is off-topic here and rather belongs to Programmers. I suggest you split your question into two parts, leave one here and ask the other one on Programmers.
– superM
Feb 4 '14 at 10:23
@Marriott81 I took the liberty to edit your question and remove the technical aspects to make your question more on-topic. You might want to ask about whether or not what your boss proposes is a good idea or not on the more tech-oriented stackexchange sites. It might be on-topic on security.stackexchange.com or programmers.stackexchange.com
– Philipp
Feb 4 '14 at 10:38
Present your argument, clearly. If you really think the boss is doing something that will seriously damage the company, ask someone more experienced in the company culture to crosscheck your conclusions and if they agree ask them what the appropriate mechanism is for asking other/upper management to weigh in and/or to document the alternative for reconsideration. But in the end, your boss is your most immediate customer. The customer is not always right, but the customer is always the one with the money. You may have to decide whether you'd rather be right or paid.
– keshlam
Feb 4 '14 at 17:20
How is IP address locking a bad idea? Your company probably has a public address, and if you make your app only work from it, then it's a relatively decent defense. That aside, how about instead of swimming upstream, if you will, suggest a better alternative that accomplishes the manager's goal(s) as well as yours.
– SnakeDoc
Feb 6 '14 at 3:31
The concept is known as "firewall" and is in use at most companies.
– Petter Nordlander
Feb 17 '14 at 5:13