Like the old adage that ‘he who rides a tiger is afraid to dismount,’ enterprises today are bounding along on the back of a particularly large and fearsome tiger. It’s called “consumer technology” and its shape is outlined by the myriad of devices and services that modern information workers are bringing to work and using – or want to use – to get their jobs done.
Today, more than ever, employees are bucking efforts to be forced to work on stale and stodgy corporate notebooks, desktops or clunky, outdated mobile phones. They want to use the same trendy smart phones, tablets, or netbooks that they have at home for both play and work. And that, say security experts, poses a problem.
“The reality is that all of these home-brewed devices connecting to corporate resources make the already impossible job of securing data even harder,” says Mike Rothman, analyst and president at security research firm Securosis. Tools that can manage a menagerie of traditional desktops, laptops and servers as well as new, late model consumer devices don’t yet exist.
At the same time, there’s often political pressure to allow the new devices onto the network. “Most security folks are not in a position to tell their senior folks and rainmakers that they can’t use their iPhone or iPad or any other consumer oriented device on the job,” Rothman said.The trend is not just about devices, either. It includes online and cloud-based services that are out of the reach of the IT department’s control. Corporate data – too often proprietary or otherwise sensitive data that needs to be protected – ends up scattered across many online services. Research firm Gartner estimates that 20 percent of employees will be using social networks as their hub for business communications by 2014.
Another potential claw in the tiger is data security and privacy regulations – many of which were written before the era of powerful, Internet connected mobile devices. The impact of those devices within enterprises on regulatory compliance is still being worked out. But newer laws like Massachusetts’ data privacy law, 201 CMR 17 make the need to secure data on mobile devices explicit. “Many of these devices are being used to access protected information, and thus they fall under the compliance mandates,” says Rothman. “While tools like the iPhone and iPad are using stronger security, and will likely pass muster with the regulators, it’s not clear that there is a lot of precedence yet for how auditors will be treating these devices,” he says.
For security, or regulatory reasons, organizations that have tried to control which consumer devices and cloud-based services enter their network have realized only limited successes.
“If you prohibit access to the services people want to use for their jobs, they end up ignoring you and doing it from their own phone or netbook with their own data connection,” says Josh Corman, research director, security at the analyst firm 451 Group. “Workers are always going to find a way to share data and information more efficiently, and people will always embrace ways to do their job as effectively as possible.”
If there’s no way to turn the clock back to the days of solid, centralized enterprise IT control and no easy solution for weaving consumer devices into the enterprise IT fabric, what’s a company to do?
Securosis’ Rothman advises companies to focus on security basics – like building walls. “Figure out the data that’s important to your organization and where it is. Segment that data and make sure there’s no leaking. If the network and applications are segmented to prevent access from these devices, that goes a long way toward making sure there aren’t security issues,” he says.
Corman agrees that the focus needs to shift from protecting devices to protecting data. “Security managers need to focus on the things they can control. And if they can control the computation platforms, and the entry and exit points of the network, they can control the access to sensitive data, regardless of who is trying to access it,” he says. Corman advises enterprises to deploy, or increase their focus on, technologies that help to control data access: file and folder encryption, enterprise digital rights management, role-based access control, and network segmentation. “It becomes more about isolating data to those who actually need it,” Corman says. Other necessary changes may be personal and political, rather than technological. Rothman says IT should fight for the authority to mandate specific device configurations for consumer devices. “That goes a long way toward making sure data doesn’t leak from those devices.”
But that kind of centralized device management is hard to do when the enterprise management capabilities of smart phones (with the exception of BlackBerry) still leave a lot to be desired, Rothman said.
After technological controls, sound policy is the enterprise’s next line of defense. “Instead of trying to completely stop people from using the services they want, create policies about how they use these tools to mitigate putting data at risk,” says Corman. “Make sure they’re aware that some information can’t be stored outside IT’s control, and that certain things about the organization are off limits of discussion in forums such as Facebook and Twitter.”
None of these security controls are fail-safe, but taking these steps will go much further to mitigating risk than doing nothing. And, the reality is, it’s the best that security managers can do until enterprise class security and system management tools mature enough to effectively manage all of these new devices and online services.
_George V. Hulme is a Minneapolis-based independent writer with a sharp focus on IT security and technology. _