The Consumerization of IT Demands Policy Enforcement

January 5, 2007

Throughout 2007 IT will need to prepare itself for an onslaught of unmanaged IP-enabled devices as millions of users plug new computers, USB drives, music/video players, handheld mobile devices, and even the stray game console into enterprise networks. In addition to new shiny objects, many users install applications like iTunes, VoIP clients, multi-player games, and all manner of non-compliant software on their enterprise-owned computers, all of which introduce significant security risk. And even if this wave of involuntary consumer technology adoption doesn’t bring actual harm, it will certainly complicate an organization’s ability to fully manage its IT environment in the presence of these products.

Two trends are at work here. First, Gartner and other analyst firms have noted a shift towards the consumerization of corporate IT. Many consumer technologies are more advanced, easier to use and certainly more fun than plain-vanilla IT gear issued to employees. It’s inevitable that many consumer gadgets, from smart phones to multi-gigabyte media players, will connect to enterprise networks—whether organizations officially support them or not.

Second, the security threat environment is evolving rapidly to embrace consumer products as vectors for viruses, spyware, intrusions, data leaks and other security headaches. This significantly increases the attack surface for new security threats. Organizations are currently challenged to secure managed devices, and this new set of unmanaged devices adds a level of complexity that forces IT to adopt new strategies for gaining control over their environment.

An Increasingly Hostile Device Population

Consumer products are becoming more sophisticated, and in many cases support Internet connectivity, data synchronization with computers and significant data storage capacity. Allowed or not, consumer products are creating an increasingly hostile device population, and they should be treated as such. Visibility and control are key. The ability to secure and manage any asset touching the enterprise network is critical both to limiting the security risk these products introduce and to preserving the organization’s ability to manage its network in spite of them.

For Official Use Only

Frankly, many organizations have themselves partially to blame for these invaders from Toyland. IT departments have been quietly complicit in lulling end users into the belief that it’s okay to use work-time assets for personal use. It’s one thing to let employees take a break with a glance at the Sports Illustrated web site or a little online shopping, but businesses have no obligation to host end users’ iTunes libraries, support their use of P2P applications to download the latest episode of 24, or help them cut their long-distance bills with Skype. Furthermore, personal use of business assets can expose an organization to legal liability if these assets support employee malfeasance in their private lives.

In short, the personal computer has become all too personal, and the phrase “For Official Use Only” has all but disappeared from the business lexicon. Organizations need to take back control of working assets by creating and enforcing policies that support the proposition that business equipment is for business purposes.

Policy-Based Controls

IT departments need to use security configuration management tools to set and enforce asset usage policies. This usually requires an agent-based approach to system management, coupled with the ability to gain visibility into unmanaged assets. The agent must be flexible enough to let IT staff prescribe custom policies and robust enough to resist end users’ efforts to defeat them. The solution must support, for example, a policy on a machine that warns the user that plugging in a USB drive is bad security practice and violates corporate policy, or one that forbids the use of USB drives altogether.

Furthermore, such solutions should also provide real-time visibility into usage-policy adherence on individual machines. Whether organizations want to gently caution employees who use their disk drives as movie libraries, automatically force compliance with corporate policy, or have an administrator immediately intervene in such cases is really up to them, but putting a policy in force without the means to monitor its effectiveness does not make sense.
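As an added example (not from the original article or any vendor’s agent), the following Python audit applies the three responses just described, caution the user, force compliance, or have an administrator intervene, to constructed endpoint inventory records; the policy contents, host names and inventory fields are assumptions made for the illustration.

```python
"""Endpoint usage-policy audit (hypothetical example, not any vendor's agent code):
evaluates constructed inventory records against a usage policy and returns, per
finding, the response the article describes: WARN the user, BLOCK, or ALERT an admin."""
from dataclasses import dataclass
from typing import Dict, List

WARN, BLOCK, ALERT = "warn", "block", "alert"
SEVERITY = {WARN: 1, BLOCK: 2, ALERT: 3}
# Hypothetical policy: consumer apps the article names, removable storage and
# personal media hoarding, each mapped to an action; repeat warnings escalate.
POLICY = {
    "apps": {"itunes": WARN, "skype": BLOCK, "bittorrent": ALERT},
    "removable_storage": BLOCK,
    "media_library_mb": (5000, WARN),  # personal media above 5 GB draws a caution
    "escalate_after_warnings": 2,      # cautioned twice already -> administrator
}

@dataclass
class Finding:
    host: str
    rule: str
    detail: str
    action: str

def audit_host(host: str, inv: Dict, prior_warnings: Dict[str, int]) -> List[Finding]:
    """Apply POLICY to one host's inventory; escalate repeated WARN findings to ALERT."""
    findings: List[Finding] = []
    for proc in inv.get("processes", []):
        action = POLICY["apps"].get(proc.lower().rsplit(".", 1)[0])  # drop ".exe"
        if action:
            findings.append(Finding(host, "unapproved_app", proc, action))
    if inv.get("usb_storage_mounted"):
        findings.append(Finding(host, "removable_storage", "USB storage mounted", POLICY["removable_storage"]))
    limit, action = POLICY["media_library_mb"]
    if inv.get("media_mb", 0) > limit:
        findings.append(Finding(host, "media_library", f"{inv['media_mb']} MB of media", action))
    for f in findings:
        if f.action == WARN and prior_warnings.get(f.rule, 0) >= POLICY["escalate_after_warnings"]:
            f.action = ALERT
    return findings

def audit_fleet(inventories: Dict[str, Dict], history: Dict[str, Dict[str, int]]) -> Dict[str, List[Finding]]:
    """Fleet-wide visibility: findings per host, ready for an administrator's console."""
    return {h: audit_host(h, inv, history.get(h, {})) for h, inv in inventories.items()}

def host_action(findings: List[Finding]) -> str:
    """Most severe action a host needs, or 'compliant' when nothing was found."""
    return max((f.action for f in findings), key=SEVERITY.get, default="compliant")

# Constructed sample telemetry (not real data); ws-101 was already cautioned twice about apps.
SAMPLE = {"ws-101": {"processes": ["explorer.exe", "iTunes.exe"], "usb_storage_mounted": True, "media_mb": 8200},
          "ws-102": {"processes": ["Skype.exe"], "media_mb": 120},
          "ws-103": {"processes": ["outlook.exe"], "media_mb": 0}}
RESULTS = audit_fleet(SAMPLE, {"ws-101": {"unapproved_app": 2}})
```

The escalation step is the monitoring feedback the paragraph asks for: a policy that only ever warns is invisible, whereas counting prior cautions lets the agent hand repeat cases to an administrator.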

Protecting the Data

The evolving threat environment has also shifted the focus of attackers from systems to data. As data has become more digitized and transient, and as more unmanaged assets take advantage of corporate network services, IT has become less effective at protecting corporate data. A new wave of consumer devices and non-compliant applications creates an environment in which protecting data from theft or breach, either of which undermines consumer and investor confidence, becomes critical to the business.

IT policy enforcement needs to extend beyond the systems themselves and encompass the data that is critical to business success. Data and information leak prevention capabilities, managed at the endpoints themselves, are mandatory and must be included in security configuration management and IT policy enforcement programs. Just as IT defines policies for systems management, audits the environment against those policies and then enforces them, IT must also define policies for data, audit the environment to find critical data using content-aware technologies, and enforce data protection policies.
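As an added example (not from the original article or any product), here is the define/audit/enforce cycle for data carried through in Python: a content-aware scan over constructed sample files that finds card and SSN-shaped records and attaches the enforcement decision a hypothetical data policy assigns when such a file leaves the endpoint. The record patterns, thresholds and file contents are assumptions.

```python
"""Content-aware data audit (hypothetical example, not any product's code): finds
files holding sensitive records and returns the data-protection action a policy
assigns to each, so the findings can be enforced at the endpoint."""
import re
from typing import Dict, Tuple

CARD_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")   # 13-16 digits, spaces/dashes allowed
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")      # US SSN shape; assumption for the sample

def luhn_ok(digits: str) -> bool:
    """Luhn check so plain 16-digit order ids are not mistaken for card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 if d < 5 else d * 2 - 9
        total += d
    return total % 10 == 0

def classify(text: str) -> Dict[str, int]:
    """Count Luhn-valid card numbers and SSN-shaped records in one document."""
    cards = [m.group() for m in CARD_RE.finditer(text)]
    cards = [c for c in cards if luhn_ok(re.sub(r"[ -]", "", c))]
    return {"card": len(cards), "ssn": len(SSN_RE.findall(text))}

def data_action(counts: Dict[str, int]) -> str:
    """Hypothetical data policy for copying a file to removable media or an unmanaged sync client."""
    records = counts["card"] + counts["ssn"]
    if records >= 10:
        return "block_and_alert"   # bulk extract: stop it and page an administrator
    if records >= 1:
        return "block"             # single records: force compliance silently
    return "allow"

def audit_files(docs: Dict[str, str]) -> Dict[str, Tuple[Dict[str, int], str]]:
    """Audit step: find the critical data, then attach the enforcement decision."""
    out = {}
    for path, text in docs.items():
        counts = classify(text)
        out[path] = (counts, data_action(counts))
    return out

# Constructed sample files (not real data; card numbers are the well-known test values).
DOCS = {
    "finance/refunds.csv": "name,card\nA. Smith,4111 1111 1111 1111\nB. Jones,4242424242424242\n",
    "hr/payroll.txt": "employee E42 ssn 123-45-6789\nemployee E43 ssn 987-65-4321\n",
    "hr/export.txt": "\n".join(f"{100 + i:03d}-45-6789" for i in range(10)),
    "sales/orders.txt": "order 1234567890123456 shipped\n",   # 16 digits but fails Luhn
}
DATA_RESULTS = audit_files(DOCS)
```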

Consumer products are invading corporate networks and IT must implement processes and technologies to define and enforce usage policies, support security configuration baselines, enforce application control, and treat non-managed assets as hostile until proven otherwise.
