User-Driven IT – Latest Security Threat?

In a trend that mirrors the invasion of the corporate world in the 1980s by personal computers, today’s employees are beginning to use consumer-oriented technology like the iPhone and Facebook to do business – and this means stress and trouble for IT security professionals.

According to a new report issued by RSA, the Security Division of EMC, the traditional model where IT controls the technological underpinnings of business processes is “quickly crumbling.” In the new model, users have a say in the technology tools that will be available to them for business purposes, and many of these tools are the ones they are already using in their personal lives.

This trend, variously referred to as consumerization and user-driven IT, is seen as inevitable by the Security for Business Innovation Council, a group of Global 1000 security executives assembled by RSA to analyze IT trends. Statistics from recent RSA-sponsored surveys support this view.

• 76 percent of security and IT leaders believe user influence on device and application purchase decisions is on the rise.

• More than 60 percent of respondents report that users have some input regarding the types of smartphones purchased, with 20 percent reporting that they let users decide.

• Nearly 60 percent also said that unauthorized connections to the corporate network occur in spite of efforts to prevent them.

• Ominously, 23 percent of the largest organizations surveyed have experienced a serious breach or incident because of a personal device on the corporate network.

“IT security teams will never be able to stop the pace,” says Dr. Claudia Natanson, Chief Information Security Officer at Diageo. “Technology is on a roll.”

For IT security, one of the most important keys to successfully negotiating the transformation of the corporate IT landscape is to accept that change is on its way and not be in denial. “There’s a head-on collision coming between our personal and professional lives,” says Denise Wood, Chief Information Security Officer for FedEx, “and it is consumer technology that is going to cause it. Information security needs to be the advocate for a more engineered journey into this integrated place.”

Responding with Technology

Beyond philosophical acceptance, there are a number of specific technology issues IT security groups will need to investigate. For starters, it’s likely that IT security will need to focus more tightly on applications and data, and less on the protection of perimeters that are becoming difficult or impossible to define.

Virtualization and thin computing could become more important than ever. According to Roland Cloutier, Chief Security Officer for Automatic Data Processing, “A big security fear with choice [user-driven] computing is: what if data gets on a device, the device gets stolen and that data’s now in the open? Virtualization of the user environment makes a lot of the concerns a moot point. Through virtualization, users can do their work but not actually be touching the data.”

Other potential technology developments focus on authentication. New methods might authenticate devices as well as users, or check devices for malicious code prior to granting network access.

As reported earlier by SecurityWeek, Apple’s iPhone 4 and iOS 4 have added several key security features to make them more attractive to corporate IT organizations. These include remote wipe, new data protection and encryption functions, mobile device management and SSL VPN support.

Is Facebook Your Friend?

The use of networks like Facebook, Twitter and LinkedIn poses a separate class of security conundrums. According to the RSA report, more than 80 percent of companies now allow some form of access to social networking sites, and of those companies, 62 percent are already using them as a vehicle for external communication with customers and partners. But 36 percent of users have been sent malware via social networking sites.

Besides providing access to potential hackers, social networks could create a difficult legal maze for corporations that utilize them for business purposes. What if a court case involves a transaction where the negotiations took place on Facebook? If Facebook has the data, how will the parties involved retrieve it?

Denise Wood of FedEx says, “You worry about idea ownership; because social networking is inherently outside the management and governance structures that we use in our day-to-day work life. By definition, it gets you beyond a comfort zone. So then it comes down to, Who owns the ideas?”

This is just one of many questions corporations are going to have to deal with, and there’s no avoiding it. If Gartner is correct, by 2014 social networking will have replaced e-mail as the primary means of business communication for 20 percent of all business users.
