New Computer Policy

[aebrown]

Could someone please point to an actual policy document that describes such a "3rd party server" rule? I find no such reference in this document, where we might expect to find it mentioned. The "rule" seems to be a unicorn.

Church IT representatives have certainly articulated in comments on this forum that we should not upload to a third-party server data that has been downloaded from MLS or LUWS. And the terms of use for LUWS also have provisions to that effect. But I am unaware of any documented policy that says: No matter what the question is, if it involves a third-party server, the answer is no.

While I too am unable to find a specific document that covers the "third-party server" rule, it does seem to apply to this situation. As you mentioned, we have been told here not to upload exported data to a third-party server because of concerns about confidentiality. When a third-party server is involved in transmitting data from the screen of a computer running MLS, it seems that we have most of the same issues.

The screen of a computer running MLS may have highly confidential information (in some cases, more sensitive than anything that appears in export files). If the image of that screen is being transmitted to a third-party server, how do we know that the transmission is secure? How do we know that whoever runs that server doesn't keep copies of the images or transmit them somewhere else? It all comes down to our trust of the owner of that server. But if you examine the possible risks, much of the same mischief is possible that we are concerned about with exported data.

I don't think we need to conclude that the policy is "No matter what the question is, if it involves a third-party server, the answer is no," but there do seem to be valid security and confidentiality concerns with the remote access question.

[RossEvans]

While I too am unable to find a specific document that covers the "third-party server" rule, it does seem to apply to this situation. ...

I don't think we need to conclude that the policy is "No matter what the question is, if it involves a third-party server, the answer is no," but there do seem to be valid security and confidentiality concerns with the remote access question.

I don't disagree that there are valid security concerns on the technical merits. Nor am I necessarily arguing in favor of using GoToMyPC. (However, I don't think the security case is obviously a settled matter. I work for a state agency with a federal partnership, and the security policies in our workplace are pretty strict. But GoToMyPC is authorized with department-manager approval.)

I am just saying that there is a difference between any consensus on this forum over such issues and declaring a "rule" or "policy." One would think that if there is such a rule or policy, it would be written down by those in authority someplace such as the document we are discussing or a related document. The "third-party server rule," with only a narrow basis in written policy or guidance from Church representatives here, does get generalized by commenters sometimes into a general proposition that goes beyond the official statements.

The only thing that is crystal-clear to me from this policy document, with regard to this issue, is that the stake president would have to approve the installation of such software.

[aebrown]

I don't disagree that there are valid security concerns on the technical merits. Nor am I necessarily arguing in favor of using GoToMyPC. (However, I don't think the security case is obviously a settled matter. I work for a state agency with a federal partnership, and the security policies in our workplace are pretty strict. But GoToMyPC is authorized with department-manager approval.)

I wasn't commenting on any particular remote-access software. I know that most of the vendors in this area go to great lengths to provide good security (they'd have a tough time making a sale to most of their customers if they didn't), but the fact is that this general category of software could have security risks.

I am just saying that there is a difference between any consensus on this forum over such issues and declaring a "rule" or "policy." One would think that if there is such a rule or policy, it would be written down by those in authority someplace such as the document we are discussing or a related document. The "third-party server rule," with only a narrow basis in written policy or guidance from Church representatives here, does get generalized by commenters sometimes into a general proposition that goes beyond the official statements.

Very few policies of the Church spell out everything in excruciating detail, so in most cases there is room within the policy for interpretation, hopefully by inspired priesthood leaders who are quite familiar with the policy, as well as the needs of the members within their stewardship.

Even the "third-party server rule" as articulated on this forum is simply an expression of the documented policy that requires us to "Ensure that computers, software, and confidential Church information are kept secure."

The only thing that is crystal-clear to me from this policy document, with regard to this issue, is that the stake president would have to approve the installation of such software.

I certainly agree with that statement.

[RossEvans]

I wasn't commenting on any particular remote-access software. I know that most of the vendors in this area go to great lengths to provide good security (they'd have a tough time making a sale to most of their customers if they didn't), but the fact is that this general category of software could have security risks.

That is literally true.

It does not seem to me that the Church always takes an absolutist position on security. (For example, just the other day in another thread, I was suggesting some stricter encryption measures.)

There is a continuum representing a reasonable tradeoff between ease-of-use and security, and in some respects policy and practice in the Church tilt toward the former. For example, by the standards of many sysadmins, the password and permissions policies on the administrative computer are pretty loose. Physical access is thus relatively more important as part of the overall protection there.

IMHO, the relaxed security on that box actually makes installing something such as GoToMyPC less advisable on the technical merits, compared to using it on more locked-down PCs such as my workplace has. I think that is a more reasonable argument against it than speculating that the vendor, an established and reputable company, could breach its customers' security.

(And as I said, our stake/ward's own local procedures on power-disconnection would make using such a remote-access application impossible in any case.)

Very few policies of the Church spell out everything in excruciating detail, so in most cases there is room within the policy for interpretation, hopefully by inspired priesthood leaders who are quite familiar with the policy, as well as the needs of the members within their stewardship.

Even the "third-party server rule" as articulated on this forum is simply an expression of the documented policy that requires us to "Ensure that computers, software, and confidential Church information are kept secure."

I agree with that as a general proposition, so long as we recognize that we are dealing with a subjective interpretation of an even more general policy that we all support, and our particular interpretation is not a churchwide rule. As I see it, "the 'third-party server rule' as articulated on this forum" is really not articulated at all. Articulation would require at least a complete and replicated sentence, not just a buzzphrase.

If that were articulated, by someone in authority, that would be policy. What I notice in the document we are discussing is the absence of such a particular policy, and an affirmation of the responsibility of stake presidents to interpret the more general principles.

[russellhltn]

Could someone please point to an actual policy document that describes such a "3rd party server" rule? I find no such reference in this document, where we might expect to find it mentioned. The "rule" seems to be a unicorn.

Church IT representatives have certainly articulated in comments on this forum that we should not upload to a third-party server data that has been downloaded from MLS or LUWS. And the terms of use for LUWS also have provisions to that effect. But I am unaware of any documented policy that says: No matter what the question is, if it involves a third-party server, the answer is no.

The policy is a post made by Tomw in this forum. I would also like to see that written up on church letterhead, but so far it has not.

[RossEvans]

The policy is a post made by Tomw in this forum. I would also like to see that written up on church letterhead, but so far it has not.

Could you provide a link to that, and quote complete sentences? I recall multiple comments by Tom warning specifically against uploading to third-party servers data that had been downloaded from MLS or LUWS. Those comments seemed to me to be carefully drafted. And I, for one, accept those comments as binding on my own conduct, even though abiding by them is frustrating sometimes.

However, the comments I recall did not articulate an absolute ban on all uses of "third party servers" by local leaders or members in all contexts and for all purposes. (Strictly speaking, the entire internet is comprised of third-party servers. Email uses third-party servers. Even MLS uses third-party servers on the public internet to relay encrypted packets to/from CHQ.)

So I repeat, I am unaware of any documented policy that says: No matter what the question is, if it involves a third-party server, the answer is no.

[jdlessley]

This post by tomw is one of those posts.

[aebrown]

So I repeat, I am unaware of any documented policy that says: No matter what the question is, if it involves a third-party server, the answer is no.

No one ever said anything that strong (except for you ).

[RossEvans]

No one ever said anything that strong (except for you ).

I was responding to RussellHltn, who did seem to be asserting in reply to me that tomw's comments actually did mean something that strong.

[RossEvans]

As far as the merits of remote-access is concerned, I would add that access to MLS or MLS data is a somewhat different matter than access to the Windows desktop or login prompt, which is what GoToMyPC enables.

Basically, such a remote-access tool is like a virtual key to the clerk's office. Not only do the authorized users have to protect their physical keys to the office, they also would have to protect their virtual keys.

The next security barrier is the Windows login, which by design is set up with a weak password and high privileges.

That is why, on the technical merits, remote access seems to me like an idea that is less than fully baked. It magnifies significant security risks that exist under our noses -- not on some high-security server or its encrypted communications.

That magnified risk would still obtain even if the Church acquired Citrix and moved all the GoToMyPC servers to the basement of the Joseph Smith Building.