In a trend that mirrors the invasion of the corporate world in the 1980s by personal computers, today’s employees are beginning to use consumer-oriented technology like the iPhone and Facebook to do business – and this means stress and trouble for IT security professionals.
According to a new report issued by RSA, the Security Division of EMC, the traditional model where IT controls the technological underpinnings of business processes is “quickly crumbling.” In the new model, users have a say in the technology tools that will be available to them for business purposes, and many of these tools are the ones they are already using in their personal lives.
This trend, variously referred to as consumerization and user-driven IT, is seen as inevitable by the Security for Business Innovation Council, a group of Global 1000 security executives assembled by RSA to analyze IT trends. Statistics from recent RSA-sponsored surveys support this view.
• 76 percent of security and IT leaders believe user influence on device and application purchase decisions is on the rise.
• More than 60 percent of respondents report that users have some input regarding the types of smartphones purchased, with 20 percent reporting that they let users decide.
• Nearly 60 percent also said that unauthorized connections to the corporate network occur in spite of efforts to prevent them.
• Ominously, 23 percent of the largest organizations surveyed have experienced a serious breach or incident because of a personal device on the corporate network.
“IT security teams will never be able to stop the pace,” says Dr. Claudia Natanson, Chief Information Security Officer at Diageo. “Technology is on a roll.”
For IT security, one of the most important keys to successfully negotiating the transformation of the corporate IT landscape is to accept that change is on its way and not be in denial. “There’s a head-on collision coming between our personal and professional lives,” says Denise Wood, Chief Information Security Officer for FedEx, “and it is consumer technology that is going to cause it. Information security needs to be the advocate for a more engineered journey into this integrated place.”
Responding with Technology
Beyond philosophical acceptance, there are a number of specific technology issues IT security groups will need to investigate. For starters, it’s likely that IT security will need to focus more tightly on applications and data, and less on the protection of perimeters that are becoming difficult or impossible to define.
Virtualization and thin computing could become more important than ever. According to Roland Cloutier, Chief Security Officer for Automatic Data Processing, “A big security fear with choice [user-driven] computing is: what if data gets on a device, the device gets stolen and that data’s now in the open? Virtualization of the user environment makes a lot of the concerns a moot point. Through virtualization, users can do their work but not actually be touching the data.”
Other potential technology developments focus on authentication. New methods might authenticate devices as well as users, or check devices for malicious code prior to granting network access.
As reported earlier by SecurityWeek, Apple’s iPhone 4 and iOS 4 have added several key security features to make them more attractive to corporate IT organizations. These include remote wipe, new data protection and encryption functions, mobile device management and SSL VPN support.
Is Facebook Your Friend?
The use of networks like Facebook, Twitter and LinkedIn poses a separate class of security conundrums. According to the RSA report, more than 80 percent of companies now allow some form of access to social networking sites, and of those companies, 62 percent are already using them as a vehicle for external communication with customers and partners. But 36 percent of users have been sent malware via social networking sites.
Besides providing access to potential hackers, social networks could create a difficult legal maze for corporations that utilize them for business purposes. What if a court case involves a transaction where the negotiations took place on Facebook? If Facebook has the data, how will the parties involved retrieve it?
Denise Wood of FedEx says, “You worry about idea ownership; because social networking is inherently outside the management and governance structures that we use in our day-to-day work life. By definition, it gets you beyond a comfort zone. So then it comes down to, Who owns the ideas?”
This is just one of many questions corporations are going to have to deal with, and there’s no avoiding it. If Gartner is correct, by 2014 social networking will have replaced e-mail as the primary means of business communication for 20 percent of all business users.