As of this writing, Wednesday, March 21, 2018, the #deletefacebook movement is building strength in reaction to the massive privacy breach at Facebook. Much of the news is focused on individuals locking down their privacy in Facebook (or completely removing Facebook). But what about within a company? Let’s discuss how it would be done if a company decided to limit Facebook’s reach.
We’ll make some basic assumptions for a company:
- They use updated Microsoft Windows 10 operating systems managed on a Microsoft Windows Server architecture with or without a cloud infrastructure, such as Azure. Access is managed by Microsoft Server Active Directory and security rules are managed by Microsoft Server Group Policy Objects (known as GPOs). In other words, the typical setup for most companies.
- Users have company-provided and owned hardware that is supervised by IT. Personally owned devices are lightly managed by IT when accessing company information (such as a required VPN).
- The company has business uses for Facebook (typically marketing purposes).
- Most people are using Facebook for non-company purposes; that is, for personal browsing.
The most important part of an IT security environment is to balance the company’s business needs with security threats. Facebook doesn’t pose a typical security threat, such as hackers stealing company data. It does, however, concern us with privacy issues. In theory, an attacker could learn a great deal about your employees from their Facebook use on your hardware during business hours, and then use that information to steal an employee’s identity.
In this blog post, we’ll go through steps with a company to determine the best way to block Facebook. Let’s imagine System of Systems is sitting down with the company. The first question we would ask is how does the company use Facebook? It is likely Marketing is using Facebook. Facebook Messenger could be used for communicating (a bad idea for a company!). The company would have to identify these cases for us to isolate users and devices.
Microsoft Server architecture is built for robust IT policies. We would create a policy (using GPOs) to block Facebook for everyone. That would include URLs such as facebook.com and fb.com, plus whatever other domains Facebook uses. Then we would create an exemption in the GPO for a defined group of people, such as Marketing, that has continued access to Facebook.
Browsers would have to be managed to block Facebook cookies. There’s more here, but for this post we’ll keep it simple.
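The two GPOs described above (a company-wide block plus a Marketing exemption, with cookie blocking) can be built from a domain controller with the Windows GroupPolicy module. This is an added example, not code from the original post or from System of Systems; the domain `corp.example.com`, the group name `Marketing`, and the GPO names are assumptions. It uses the real registry-based browser policies `URLBlocklist`, `URLAllowlist`, `CookiesBlockedForUrls` and `CookiesAllowedForUrls` for Chrome and Edge, and relies on the documented behaviour that both browsers read policy from HKLM (Computer Configuration) and HKCU (User Configuration), so a machine-wide blocklist and a per-user allowlist coexist and the allowlist wins for the exempt users.

```powershell
# Added example (not from the original post): create the block GPO and the exemption GPO.
# Assumed values: domain DN, exempt group name, GPO names. Run on a DC with RSAT GroupPolicy.
Import-Module GroupPolicy

$DomainDN    = 'DC=corp,DC=example,DC=com'   # assumed
$ExemptGroup = 'Marketing'                    # assumed group of exempt users
# facebook.com and fb.com are the domains named in the post; extend the list with any
# other Facebook-owned domains the company identifies.
$Domains = @('facebook.com', 'fb.com')

# Browser policy roots. The hive prefix decides the GPO side:
# HKLM = Computer Configuration (applies to every domain computer),
# HKCU = User Configuration (applies to whoever the GPO is filtered to).
$BrowserRoots = @('Software\Policies\Google\Chrome', 'Software\Policies\Microsoft\Edge')

function Set-UrlListPolicy {
    param([string]$GpoName, [string]$Hive, [string]$Root, [string]$ListName, [string[]]$Patterns)
    # Browser list policies are numbered string values "1", "2", ... under the list key.
    $i = 1
    foreach ($p in $Patterns) {
        Set-GPRegistryValue -Name $GpoName -Key "$Hive\$Root\$ListName" `
            -ValueName ([string]$i) -Type String -Value $p | Out-Null
        $i++
    }
}

# Cookie patterns use content-settings syntax; [*.] covers every subdomain.
$CookiePatterns = $Domains | ForEach-Object { "[*.]$_" }

# 1. Block GPO on the computer side, so it reaches every managed workstation.
$block = New-GPO -Name 'Block Facebook' -Comment 'Company-wide Facebook block (assumed name)'
foreach ($root in $BrowserRoots) {
    Set-UrlListPolicy $block.DisplayName 'HKLM' $root 'URLBlocklist'          $Domains
    Set-UrlListPolicy $block.DisplayName 'HKLM' $root 'CookiesBlockedForUrls' $CookiePatterns
}
New-GPLink -Name $block.DisplayName -Target $DomainDN -LinkEnabled Yes | Out-Null

# 2. Exemption GPO on the user side, security-filtered to the Marketing group.
#    URLAllowlist overrides URLBlocklist in both browsers, so exempt users keep the
#    block GPO on their machine and still reach Facebook.
$allow = New-GPO -Name 'Allow Facebook - Marketing' -Comment 'Exemption for Marketing (assumed name)'
foreach ($root in $BrowserRoots) {
    Set-UrlListPolicy $allow.DisplayName 'HKCU' $root 'URLAllowlist'          $Domains
    Set-UrlListPolicy $allow.DisplayName 'HKCU' $root 'CookiesAllowedForUrls' $CookiePatterns
}
# Authenticated Users keep Read (clients must still be able to fetch the GPO);
# only the exempt group gets Apply.
Set-GPPermission -Name $allow.DisplayName -TargetName 'Authenticated Users' -TargetType Group `
    -PermissionLevel GpoRead -Replace | Out-Null
Set-GPPermission -Name $allow.DisplayName -TargetName $ExemptGroup -TargetType Group `
    -PermissionLevel GpoApply | Out-Null
New-GPLink -Name $allow.DisplayName -Target $DomainDN -LinkEnabled Yes | Out-Null
```

Keeping the block on the computer side and the exemption on the user side means a Marketing user who logs on to a colleague’s machine is still exempt, while a non-exempt user on a Marketing machine is still blocked; if the exemption should instead follow specific computers, put the allowlist under HKLM and filter the GPO to a group of computer objects.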
If users are allowed to start VPNs on their company-owned devices, then we would have to pay attention to people trying to circumvent the company’s policy using an external VPN.
Limiting usage within Facebook (that is, what a user can do once signed in) is not possible. Facebook doesn’t have corporate access controls for what is being done within Facebook. It’s either a full ban or not. There are, of course, some ad-hoc methods to limit traffic in and out of Facebook, but they require tremendous overhead by IT and are not guaranteed to work when Facebook changes.
These are the steps we would take for implementation:
- Create a test environment to trial the new security policy, first within IT and then with a small group of people.
- Work with management to form the right communications to users so they are not surprised by the change. For example, the help desk would have a clear answer for “Why is Facebook not working?”
- Phase in implementation in groups to limit potential problems. There would be a different strategy based on the number of users, such as 100 vs 100,000.
- We would monitor the implementation to make sure it is working as expected.
- Controls would be put in place to verify the policy continues to work as planned.
- Documentation would be completed and presented to Management and IT for future reference.
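The monitoring and control steps above need a concrete check that the policy actually landed on a workstation. This is an added example, not code from the original post or from System of Systems: run on a managed Windows 10 client after `gpupdate /force`, it reads the registry keys Chrome and Edge consult (the same `URLBlocklist`, `URLAllowlist` and `CookiesBlockedForUrls` policies used in the GPO example, with the block on HKLM and the exemption on HKCU) and reports per browser whether the domains named in the post are blocked, whether cookie blocking is present, and whether the current user is exempt. The output is a plain object per browser, so the same function can feed a scheduled compliance check or a help-desk script.

```powershell
# Added example (not from the original post): verify the Facebook block on a client.
# Assumes the GPO layout from the earlier example: block lists in HKLM, allowlists in HKCU.
$Expected = @('facebook.com', 'fb.com')   # the domains named in the post
$BrowserRoots = @{
    Chrome = 'Software\Policies\Google\Chrome'
    Edge   = 'Software\Policies\Microsoft\Edge'
}

function Get-ListPolicy {
    param([string]$Key)
    # Returns the numbered string values ("1", "2", ...) of a browser list policy,
    # or an empty array when the key is absent (policy not applied).
    if (-not (Test-Path $Key)) { return @() }
    $item = Get-ItemProperty -Path $Key
    @($item.PSObject.Properties | Where-Object { $_.Name -match '^\d+$' } | ForEach-Object { $_.Value })
}

function Test-FacebookPolicy {
    foreach ($browser in $BrowserRoots.Keys) {
        $root    = $BrowserRoots[$browser]
        $blocked = Get-ListPolicy "HKLM:\$root\URLBlocklist"
        $cookies = Get-ListPolicy "HKLM:\$root\CookiesBlockedForUrls"
        $allowed = Get-ListPolicy "HKCU:\$root\URLAllowlist"
        # Every expected domain must appear in the machine-wide blocklist.
        $missing = @($Expected | Where-Object { $blocked -notcontains $_ })
        [pscustomobject]@{
            Browser        = $browser
            BlockApplied   = ($missing.Count -eq 0)
            MissingDomains = ($missing -join ',')
            CookiesBlocked = ($cookies.Count -gt 0)
            UserExempt     = ($allowed.Count -gt 0)   # true only for users in the exempt group
        }
    }
}

# A non-exempt user on a compliant machine should see BlockApplied=True, UserExempt=False.
Test-FacebookPolicy | Format-Table -AutoSize
```

Running this from the test group in the first rollout phase gives the help desk a quick answer to “is the policy on this machine or not?”, and wrapping it in a scheduled task that records `BlockApplied` per computer gives the ongoing control the last two steps call for.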
While this simple blog post doesn’t cover everything, it lays out the basics of company-wide blocking of Facebook.
Andre Preoteasa is the founder and CEO of System of Systems IT Consultants in Newark, NJ.