Keeping tabs on worker Internet use is easy. Deciding whether and how to monitor workers is another storyTheWeb is the world's biggest playground. Almost anyone with a computer and an Internet protocol (IP) connection can find endless entertainment and recreation ranging from retail catalogues to sports news to video clips from The Simpsons.
Providing such content is a growth business. Unfortunately, as any IT manager knows, that means other businesses may find their networks-and their productivity-seriously burdened by workers amusing themselves with Web-based diversions.
Naturally, headlines target high-sleaze-quotient cases like the dismissal of two stock analysts from Salomon Smith Barney Inc. in March 1998 for trading smut over the company's network. Theoretically, employees gawking at pornography on their computers could, under the current U.S. Supreme Court interpretation of labour law, contribute to the creation of a "hostile working environment." But it's tough to find a case that has been successfully argued this point.
On a practical level, Web access control in the corporate environment creates a bear of an IT planning issue. Employee surveillance raises questions of privacy and fairness. Web access control turns even simple questions into politically charged dilemmas: Who reads which employees' usage logs under what circumstances? Still, IT executives must wrestle with the question of not only whether but how to control Internet usage so that their networks aren't burdened by unnecessary traffic that can slow response times and call for premature hardware upgrades.
Coming into this contentious space are several products from vendors and service providers such as Kansmen Corp. of Milpitas, Calif., and SurfWatch, a division of Naperville, Ill.-based Spyglass Inc. These management tools are arriving none too soon. Courtney Munroe, program director for business network services for International Data Corp. in New York City (a sister company to CIO Communications Inc.), calls Web access management an issue destined to take up an increasingly large share of the IT spotlight because corporate IP connectivity still faces a large growth curve-especially in the small to midsize business arena. Out of an $8 billion market for IP access, the corporate segment is currently about $3.5 billion-$2.5 billion for dedicated lines and $1 billion for dial-up access, Munroe says.
Auditing and control systems, however, will lag behind deployment of IP-mediated applications for awhile, as they have in other cases. Abuse of corporate telephone systems, for example, was brought under control only with the advent of call-accounting systems in the 1980s. These tools provide call logs for each telephone extension, showing the length and cost of each call.
One drawback, however, is they don't show who was called or why. But thanks to the logging systems built into Internet technologies, surfing the Net does leave a detailed data trail. That IP meta-data is employed by all the access control and monitoring suites, allowing IT managers to know the exact destination of all Web excursions-a powerful stick in monitoring workers' Web use.
To that end, Roy Crooks, director of IT at Bard Manufacturing Inc. in Bryan, Ohio, notified the company's 400-plus employees late in 1997 that the company would begin monitoring their Web use. Crooks, who had observed a little more non-work-related surfing than he considered appropriate, mounted Elron's Internet Manager from Elron Software Inc. of Cambridge, Mass. Internet Manager monitors Web usage in real-time, creates custom reports on usage (much like a call-accounting system) and can build a custom blocking list that denies employees access to pages containing customisable key words, such as basketball, Ku Klux Klan or Lewinsky.
To Crooks' surprise, however, the Web-monitoring effort indicated the company's biggest bandwidth-grabber wasn't employees wasting time on unauthorised sites-it was the PointCast push-based news service many employees used regularly on their desktops. Installing PointCast didn't in itself violate the company's Web-use policy. But most users hadn't modified PointCast's default settings that direct the service to automatically perform many long downloads during the day, claiming a good deal of network bandwidth in the process.
Crooks suggests that if this diversion of resources had gone undetected, it might have led to a premature and expensive network upgrade. As a class, Web access control products are rather new toolsets.
Once the sheer wonder of IP connectivity abated, IS personnel quickly realised they had to get a handle on usage before the corporate networks were overwhelmed by employees downloading bandwidth-gobbling Beastie Boys clips. The first attempts at Web access control were nothing more than network administrators eyeballing raw log files identifying long visits to domains of questionable business value, such as www.playboy.com and www.espn.com, and telling offenders, "Don't go there." Several vendors now provide IP management suites, which typically monitor usage by automatically examining log files that record the places users visit on the Web and translating that data into an easy-to-use report. Most also give IT managers the choice of monitoring or actively blocking domains that managers consider inappropriate for employee visits on work time.
Though most products do allow privileges to be assigned to individuals, they typically group users into classes of privilege. When employees log onto the Internet-usually through an Internet proxy server where many of these systems reside-they get the amount of latitude assigned to their class. For instance, IT executives might be able to access any page anywhere on the Web; mail-room employees might receive access only to shipping-business sites.
But at Miltope Inc. in Hope Hull, Ala., the most critical step in the employee Web-monitoring process was the most nontechnical one: building an acceptable-use policy. Miltope, a manufacturer that "ruggedises" computer equipment for military customers, wanted to make sure its 500 employees used their Internet access strictly for business purposes. Miltope's management ended up assigning employees to 1 of 10 access categories in SurfWatch Professional, each providing access to different types of Web sites. Now when a Miltope employee clicks for a page, SurfWatch checks the user's identity against what's allowed for that category and then decides whether to load the requested page or notify the user the request has been denied. SurfWatch logs requests for banned pages for managers' later inspection.
Bill Gassman, senior analyst with GartnerGroup Inc. in Stamford, Conn., respects the reasons companies use filtering products. However, he advises organisations to consider the scaling limitations inherent in packages that reside on the proxy servers. Filtering these requests by comparing the page to lists of prohibited pages and then comparing the request to individual users' privileges is a time-consuming process that can severely burden servers.
"Anytime you introduce complexity to a network, you're also bringing in the possibility of failure and performance problems," Gassman says.
All Web access management suites can monitor usage and block access to sites deemed unrelated to work. Some, like Kansmen's Little Brother, however, can also measure the amount of bandwidth consumed by Internet applications invoked by using so-called packet-sniffing techniques that track the individual data packets. Packet-sniffing is hardly new technology; in fact, it forms the foundation of many intrusion detection network systems and firewalls, so Kansmen and its contemporaries can expect more competitors.
Consolidation of Web access management suites into security and management systems is already underway. One security company, WatchGuard Technologies Inc. of Seattle, makes a hardware-based network security suite called Firebox, which includes Web auxiliary access-control features. In addition, Bellevue, Wash.-based Sequel Technology struck a licensing agreement with Computer Associates last year to integrate its Sequel Net Access Manager into CA's Unicenter network management system.
Prices for the standalone systems vary considerably. Content Advisor for Firewall-1 NT by Content Advisor Inc. of Somerville, Mass., licenses its product for $1,800 per year for 250 users-which, at that level, works out to about $7 per user. Up from there is Elron Software Inc.'s Elron Internet Manager at $1,295 per 50 users-closer to $26 per user. The prices quoted by companies in this space usually include regular updates of URLs that have been inspected and sorted into the classifications used by their software packages.
Still, no amount of money can buy a perfect hermetic seal against tawdry and useless sites. Given the imperfection of search engine algorithms and the serendipity that guides those who apply meta-tags, any hope of competent automated protection seems a long way off. Gartner's Gassman says managers should be satisfied if even 80 percent of employee Web browsing is work-related, a proportion that could, in large part, be achieved by issuing a written policy (see "Publish and Patrol," side). In fact, he says, companies might want to consider distributing the policy with employees' paycheques.
Peter Cassidy is a writer, technology analyst and consultant who is based in the Boston area. He can be reached at pcassidy@world.std.com.
Publish and Patrol
Tips for keeping tabs on employee Internet access Issue a balanced Web access policy in writing, informing employees when, how and why their Web use will be monitored. Be sure to explain how the policy will be enforced and detail any penalties.
Conduct an initial audit to pinpoint any immediate problems, such as a serious offender tying up the network by downloading full-length feature films. Vendors of filtering software like SurfWatch will analyse log files free upon request.
Audit usage periodically and reassess the policy.
Join the CIO Australia group on LinkedIn. The group is open to CIOs, IT Directors, COOs, CTOs and senior IT managers.