The Lighter Side of IT Consumerization
The consumerization of IT has created its share of headaches and sleepless nights for security professionals tasked with keeping corporate technology borders airtight. However, the trend of employees using personal devices for work could have some upsides and opportunities for IT security as well, if you know where to look and how to implement the right policies.
04/24/12 5:00 AM PT
You've probably heard the term "consumerization of IT." Some of the network and security pros reading this probably think this is yet another meaningless industry buzzword with little or no value. However, to dismiss it as such is to potentially miss out on what is both a very powerful concept ... and one that information security practitioners ignore at their peril.
Specifically, more and more in today's shops, "self-provisioned" (i.e. employee-owned) technology is making its way into the day-to-day work lives of those employees. Organizations are increasingly not only allowing, but actively embracing, the use of a heterogeneous array of personally owned devices. From mobile platforms like Android, iPhone and iPad to strategies leveraging virtualization to transform the managed endpoint from a physical to a virtual image, more and more enterprise technology is being layered over personally owned technology.
Businesses have been generally quick to support this for a few reasons. First, the economic advantages should be clear and obvious (i.e. offset hardware costs). There are also upticks in "fuzzier" areas like user satisfaction and productivity: since users are employing the devices and technologies they know and prefer, they're more productive and happier about being so.
Security has been a rockier road though. Security professionals have been slower to come around due to challenges like decreased organizational control over the underlying platform and challenges in controlling proliferation of sensitive data. It's a common perception that it's harder to secure the environment in a "consumerized" mode than in a traditional IT mode.
Whether or not you believe that's true, the handwriting is on the wall from an adoption standpoint. Organizations are moving toward rather than away from consumerization. And with this trend, there are upsides for security pros along with potential downsides. So, yes it's true that you need to secure your environment, and in some ways the move to employee-provisioned technology makes that harder. But it's also true that there are things you can do under this model that you couldn't do in the old.
So if your organization is moving to a more consumer-focused model anyway, why not try to capture some of that energy to drive security initiatives and add security value? Here are a few ways you can do that.
#1: Device-Based Authentication
First and foremost, have you noticed how eager employees are to keep their phones accessible? Compare that to how employees view traditional "what you have" authentication tokens, for example, hardware one-time password generators. You know what employees don't love to carry around (and therefore often leave somewhere else)? Password fobs for one. Access cards for another.
Phones, on the other hand, are usually right next to your employee. So if your organization is actively moving to a model in which employee-owned mobile devices are used as a matter of course within the organization, why not evaluate leveraging that platform as an authentication method? You could consider, for example, the use of a mobile authenticator app -- or alternatively, you could use a one-time code delivered via SMS to the mobile number. Using the mobile device as a "what you have" authentication method can help reduce hardware procurement and distribution costs, and can also lower support overhead.
#2: Endpoint Standardization and Inventory
One of the challenges that many organizations face is in the management of the corporate endpoint. Providing a reliable, supportable and secure computing device to corporate users has proven problematic.
Moving to a model that leverages personal resources provides the opportunity for the organization to address some sins of the past. First, users are highly motivated to keep their personal computing platform running smoothly and secure. Second, the move to an all-virtual platform provides the opportunity both to standardize and to revisit software and device inventories. Moreover, because the image is virtual, hardware is virtualized along with it, which allows a higher degree of standardization and smooths out minor platform differences among physical devices (even those in the same family or model series from the same manufacturer).
#3: Opportunity to Expand Virtualization Controls
Virtualization has posed quite a challenge to the corporate world in general. And let's face it, quite a few aspects of virtualization have a significant impact on the way we do security. For example, the move to backplane communication decreases the utility of network-dependent security controls (e.g. IDS) while at the same time potentially requiring new controls (for example, virtual taps or other specialized virtualized tools) to gain new types of visibility.
Many organizations are still catching up to where they need to be in the virtualization space from a tool, resource and budget standpoint. Enhanced use of virtualization to support BYOD can mean a corresponding shift in spending -- a shift away from support and provisioning of physical hardware and toward "virtual friendly" security controls. The security team can potentially leverage this shift to help in the race to catch up to where the organization has gone with virtualization efforts in other areas like the data center.
#4: Formalization of Existing Support Relationships
It's the rare organization wherein supporting personally owned technology is an entirely new development. Specifically, executives have long asked IT departments to support and enable access to devices that executives have personally acquired. In the majority of cases, IT has conceded to the wishes of these senior leaders and provided that support.
Now, instead of making these "one off" support arrangements for high-level executives, the move to consumerization formalizes this type of support for what many IT departments have been doing already. With formalization comes standardization -- for example, of toolset and practices. That standardization increases security as a whole.
As consumerization continues to make inroads into enterprises, security organizations will of course have challenges to meet. But there are also some areas where we can expect this trend to have a few positive impacts as well. It's just a matter of keeping eyes open for those opportunities and capturing them.