Monday, February 22, 2010

Controls create complexity

When something bad happens, do you tend to react by quickly implementing some control to quell the immediate symptom? Users taking up all your file server space with videos of their kids' soccer practice and pictures of lolcats? No problem! Run a script each night that deletes all files that end with common video and picture extensions. That's a great idea... except the script deleted the HR director's collection of employee photos as well as all of the product teams' video documentation of their latest prototypes. One late night and three backup tapes later you decide to tweak your script.

Now, all files with suspicious extensions found in the directories of users who are not HR or product team members are deleted. Wait, the web team is complaining now, so you'd best exempt them as well. Except that one guy Sven, whom you never liked, so we'll pick a random date 3 times a year and indiscriminately wipe out a few files.

You then discover that users are sending their media files to HR and Product Team members to share out. You immediately create a rule in the email servers to drop all image and video files as well as impose a 250k message limit. Except now your company logo is being dropped from email footers and the CFO's 750k policy change documents can't get sent to the contracting agency that he uses.

Tweak time! Only image files that have an approved file path are accepted and email from VP level people can go above the 250k limit. Oops, the product team can't send PDFs to the engineering team because of size limits. Okay, 5Mb limit for them.

Users have now figured out that files are only being deleted based on extensions and have started naming their media files .mymovie, .watchme and .ouradminsucks.

This is getting out of hand. You spec out and pitch a fancy NAS box to the uppity-ups. They miraculously give their support. Now you can inspect each file and tell what it is regardless of file extension. You deny certain file types from even being moved onto it based on user groups in your directory service. Problem solved. Until you look up and see the angry mob with pitchforks and torches approaching.

This fictional but oft-repeated scenario plays itself out in one form or another every day. According to this Harvard Business Review article, an organization should step back and review its policies for three potential problems:
1. Static controls for dynamic issues. (Banning .media file types from the file server)
2. Cost of controls higher than the cost of no controls. (Purchasing a high-end NAS appliance to restrict file types.)
3. Controls applied across the board, whether needed or not. (Now the boss's secretary can't download and load B-Net podcasts onto the VP's iPod. You will shortly be able to examine the finer points of said VP's dental work with the amount of time his mouth will spend open oh-so-politely requesting that you rescind your policy.)

We as admins have to deal with complex systems each and every day. As a result we are desensitized to complexity and lose sight of when a solution gets out of hand. We also take our systems too personally (which is a whole 'nother post) and become offended when someone does something that we think "dirties it up".

I propose that we as admins step back, detach our emotions and look at our policies with a critical eye. Let's look for the ones which are only addressing very tightly scoped problems and rescind them, looking for more flexible policies or none at all. In fact, I think I'll go grab some spare hard drives and make an OpenFiler NAS machine for people to share their silliness on.

And for the record, the VP of marketing has very nice caps and minty fresh breath.
