
Consumer Technology Needs “Enterprization”

If you’re in the IT industry and haven’t been hiding under a rock for the last decade, you probably got tired of hearing the phrase “the consumerization of IT”. As with most buzzwords, during the early years when consumerization was touted, few organizations faced a real challenge from employee demands to use consumer devices and services – which mostly centered around using a personally owned laptop or home desktop for work purposes.


But as we all know, with the rapid rise of smartphones, tablets and popular consumer services such as Dropbox, Evernote and others, consumerization is now a big challenge that most organizations have taken steps to address or are planning to address. In fact, the word consumerization has been replaced by newer buzzwords, or buzz-acronyms such as BYOD and MDM, to describe problems or solutions that deal with control of consumer technology.

From a security perspective, most consumer devices and services leave much to be desired. The recent Evernote breach is the most recent example of a highly popular service that was compromised. Do you think your employees only take down personal notes using Evernote? Do you have any doubt that users share passwords across consumer services and your organization’s resources?

The tools at the disposal of security professionals for dealing with consumerization are quite limited and include:

Block it – the age-old security pro favorite. We have lost the battle when it comes to banning smartphones and tablets, but blocking specific web-based services (Dropbox for example) is still common practice and can make sense based on your business. Next-Generation firewalls or Web Proxies are the tools being used the most often to control the use of these services – but you still need to pay attention. One firewall vendor recently changed the categorization of Evernote to “productivity” applications. This is a valid classification of course, but if you’re not paying attention to this change in the NGFW, you may have allowed Evernote through the back door without knowing or intending.

Wrap it – this is mostly relevant for physical devices and not web services. The hot MDM market is a good case in point of technologies that “wrap around” consumer devices to provide more enterprise level security such as encryption, authentication, provisioning etc.

Allow it (and pray) – Sometimes you just have to take the plunge (security is being forced to say yes more often these days) and allow a consumer service for business use. Do you know it’s secure enough? Probably not, which is why praying never hurts… but if you’re a security pro and are resorting to prayer, you will not be in this market for very long. So this brings me to my main point about “enterprization”.
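The recategorization risk described under “Block it” can be caught by diffing snapshots of the vendor’s application-category feed against your own allow policy. The sketch below is an added example, not from the original article; the app names, category names and feed contents are constructed, and it assumes a category-based policy with default-deny for unknown apps.

```python
# Constructed sample data: app names, category names and both feed snapshots
# are illustrative, not taken from any vendor's real classification feed.
ALLOWED_CATEGORIES = {"productivity", "business-systems"}

FEED_BEFORE = {
    "dropbox": "file-sharing",
    "evernote": "file-sharing",      # assumed prior category
    "crm-suite": "business-systems",
    "webmail-x": "email",
}
FEED_AFTER = {
    "dropbox": "file-sharing",
    "evernote": "productivity",      # vendor recategorized the app
    "crm-suite": "business-systems",
    "notes-y": "productivity",       # app newly added to the feed
}


def verdict(category, allowed):
    """Effective action for a category; unknown apps fall to default-deny."""
    return "allow" if category in allowed else "block"


def policy_drift(before, after, allowed):
    """List apps whose effective verdict changed although the policy did not."""
    drift = []
    for app in sorted(set(before) | set(after)):
        old_cat, new_cat = before.get(app), after.get(app)
        old_v, new_v = verdict(old_cat, allowed), verdict(new_cat, allowed)
        if old_v != new_v:
            drift.append((app, old_cat, new_cat, old_v, new_v))
    return drift


def newly_allowed(before, after, allowed):
    """Apps that moved from block to allow: the 'back door' case to review."""
    return [d[0] for d in policy_drift(before, after, allowed) if d[4] == "allow"]


if __name__ == "__main__":
    for app, old_cat, new_cat, old_v, new_v in policy_drift(
            FEED_BEFORE, FEED_AFTER, ALLOWED_CATEGORIES):
        print(f"{app}: {old_cat} -> {new_cat} ({old_v} -> {new_v})")
```

Running the comparison after every signature or content update turns a silent vendor change into a review item before users discover the newly reachable service.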

So enterprization is not really a word (by the way neither is consumerization – I checked – http://www.merriam-webster.com/dictionary/consumerization), but I think the security industry, and the world in general, could benefit from accepted standards on what constitutes enterprise-grade security. At the very least this should include:

Two-Factor Authentication – absolutely mandatory for online services (and kudos to Evernote for committing to add two-factor authentication following the recent breach). It is also certainly an option for devices, taking a page from the ThinkPad’s signature finger swiping mechanism.

Encryption of Data-at-Rest – perhaps coupled with database monitoring solutions and other technology that can protect users’ data.

Agreed Upon Network Security Controls – which include firewalls, IPS, advanced malware detection, etc.

As with any standard, the key question is who would define and promote such a standard? For hardware devices, I think the Trusted Computing Group has the capability to do interesting things, and certainly has a long list of blue chip members. I am not aware of a similar movement for software services, but we have seen examples such as the PCI Council, where capable bodies can form and enforce a standard to protect confidential information.

Until “enterprization” standards emerge, organizations would be wise to develop their own list (“standard on the fly” if you will) and enforce them.
