In a recent conversation it was suggested to me that ‘consumerisation’ was now one of the driving forces of IT security.
The concept rests on the idea that consumer devices are driving decisions on IT purchasing, all the while driving IT managers up the wall as they try to provide and network them.
Leif-Olof Wallin, research vice president at Gartner, claimed that he had received many questions at a recent conference on how to safely extend corporate email to Apple iPhone and Apple iPad in particular.
“This is just the first wave of devices, there are lots of other manufacturers and platforms that are entering the market just in time for Christmas so expect the market to get increasingly fragmented in 2011,” he said.
He said that, in short, there are a number of different implementation strategies that can be used, each with pros and cons. These include: allowing nothing to be installed on the device and nothing downloaded to the device; using the native capabilities in email products such as Microsoft Exchange with ActiveSync or IBM Lotus Notes with Notes Traveler; allowing native capabilities in the email server in combination with a lightweight mobile agent with server-side control; or permitting wireless email gateway products with strong IT policy support, or native capabilities in the email server complemented by mobile device management (MDM) tools.
He said: “In order not to jeopardise information security and privacy, organisations need to put frameworks and policies in place to appropriately manage their usage scenarios. This usually also includes putting a process in place to manage exceptions for non-standard equipment.”
In agreement with this approach was Graham Titterington, principal analyst at Ovum. He said that when an employee is using their own devices some businesses will say you can do it, while some will have blanket access to email, so it is at arm's length even if it is allowed.
The person who planted the seed of the consumerisation of IT was James Lyne, senior technologist at Sophos. He said that it was a ‘sliding scale as a theme’, as it can measure impact and preferences to drive workplace technology decisions, but at the same time, as people bring devices to work and use them for work purposes, there can be an element of giving up control.
I asked him if this sort of activity could lead to a data trail nightmare. He said: “IT teams are losing the ability to say no to users and say if they do not allow iPads and iPhones, they will lose ability to hire and that could have a catastrophic impact.
“IT information becomes difficult to manage and the only thing that works is the internet. The general trade is ‘IT admin says no’, so how do you manage the development and best practice because if you do not allow technology in to learn the lessons now you may have users doing it anyway. If security is not included you will be excluded.”
For a CISO perspective, I talked to Paul Kennedy, security and compliance leader at the University of Nottingham. He had recently implemented log management technology from LogRhythm and said that one of the benefits was the ability to track what was connecting to the network.
He said that there is not a policy on the connection of mobile devices, as that cuts out what can and cannot connect, although there is a policy on how to secure devices.
“For staff it is a BlackBerry and all will be connected to the system, there will be those who do not require managing and bring their own devices and we need to support what is used on the devices on the network and every student will arrive with a mobile phone, usually a smartphone and there are more and more users that want to connect,” he said.
“On the student network we have network access control from Bradford Networks so they can log in on their own laptops and every year 9,000 new laptops connect to our network, so we have new unseen devices and it is quite a challenge to recognise who they are.
“We do security checks so it relieves the risk that someone could bring in. With a student network we are getting to a stage where there are untrusted devices on campus, so in time we will be looking for a transition from network access control from the student network to the campus network to support those devices. We are looking at projects and how to support it and we are looking to support the widest range of devices.”
I turned to the security industry to gauge what the perspective was on the challenge of consumerisation. John Livingston, CEO of Absolute Software, said that he recognised the issue for the IT manager of having 1,000 devices, yet needing a digital tether.
He said: “Gartner says that the ‘dam is broken’ and you need to try and support the iPad and iPhone. Consumerisation is huge, Gartner says what are you doing with Apple? You cannot stop them and cannot keep your finger in the dam, it is all about consumerisation and you have an opportunity to layer.”
Jamie Cowper, principal product marketing manager for encryption and data loss prevention at Symantec, told SC Magazine that he believed that the challenge is that the demand usually comes in from the top down, so even if a company has a policy it is not that easy to enforce if a senior executive wants access to corporate email.
“Look at the different smartphones, some are very secure like the BlackBerry, while others are focused more on functionality and perhaps are more driven for consumer, but they are coming into the office so how level is the playing field for the use of these tools?
“What is the baseline? Is it the ability to securely wipe the device remotely or is it a strong passcode or is it encryption? Each organisation has to figure this out and it is what companies are thinking about. An older model is not practical and is hard to standardise, companies also see it as a talent recruit model as they expect to use these devices at work. So how does the CISO come up with an approach to deal with this today but is flexible enough to expand to whatever the cool phone will be in two years? You are always playing catch up with devices, the device and application are important but you have got to think beyond that as that is always going to change.”
As we look back on 2010 and forward to 2011, it is fair to say that the challenge of managing devices will be prevalent for IT managers across the land. There is the argument that employees are able to be more productive out of office hours, but are offering a data risk on a plate.
Whichever way you go, it would pay to be prepared for the capability of new devices and be aware of what that hot new device under the Christmas tree will be.