How do other companies handle approved browsers and versions for internal corporate web development hardware?

I am a web developer for a very large IT organization. Our sites see a healthy portion of our traffic from Google Chrome, so as a web developer I have that browser on my development laptop to test our web applications with it, along with IE 8 (the approved corporate default browser) and the current version of FF (which is also approved software). Of course, as is the problem with large organizations, our business partners and IT Security partners don't speak to each other.

So today I got an email from our internal IT security team saying that Google Chrome isn't approved software and I quote "it is a huge risk to the organization". They told me they are going to automatically remove it from my machine today. So now I am unable to support the business requirement of supporting Chrome traffic, and unable to skirt around the unapproved software policy.

I recognize that browsers (and possibly email) are the biggest internal threats to IT security for internal employees. However, this problem is most definitely not unique to our organization. So I am curious to know how other internal IT security teams handle approving browsers for use on corporate hardware.


So now I am unable to support the business requirement of supporting Chrome traffic, and unable to skirt around the unapproved software policy.

This is a social problem, so there isn't a sane technical solution to it. (You can obviously do things that violate the security policy, and risk ending up fired or reprimanded, or things that don't deliver on the business need, and risk the same thing.)

You have a problem: your boss demands something that the security team forbids you from doing. This is a problem you need to take back to him, and get a solution to.

(...and if that involves breaking the security team's rules, get that in writing before you do it.)


What I've seen most often is that restrictions like these arise not only out of a desire for conformity, consistency, and easy support, but also because of compliance or reporting requirements. While IT can choose to make exceptions to their own rules on the former category, the latter is more often rooted in forces outside of the IT department itself. Allowing anyone to deviate from those requirements will interfere with the monitoring systems used to show compliance, and it often takes an act of God to get an exception approved. The fact that these exceptions are often "abused", where something like Chrome quickly becomes your default browser as well as a testing browser, doesn't help at all.

The upshot is that developers are often still expected to conform to the base security policy on their core desktop.

But that's just for the core system. To get around these silly restrictions, developers will be allowed to run virtual machines for testing environments, using images or templates that either have explicit environments and applications set up or that allow them considerably more freedom in what is installed. This includes applications such as Chrome that may fall outside of the normal security policy. This way, all is well in silly management reporting land, but work still gets done when it needs to.

Other options include lab environments with physical machines, where the physical machines are on a completely different network segment and switch. Now that VMs are so easy, though, this is less common.

However, you likely don't have the power to procure either VMs or a lab by yourself. You will need to get your boss involved here. If you approach the problem through proper channels and by asking for a compromise solution, such as a VM environment (and perhaps the hardware to handle it), you show that you understand and respect the security and IT issues involved. This way they are much more likely to take your request seriously.