Consumerisation: dealing with the rain cloud before it becomes a storm
The much-talked-about consumerisation trend throws up a classic information security dilemma. Should security professionals lock down or prohibit the use in the workplace of increasingly ubiquitous consumer devices such as PDAs, netbooks and smartphones (such as Apple’s iPhone)? Or should they ensure that such devices are as easy as possible to use, so that employees do not simply find ways to bypass whatever controls are put in place? One of the key problems with adopting the former stance is that consumer gadgets can help to boost staff productivity and are, therefore, of potential value to the business. This is due, in part, to a shift in traditional working patterns and a progressive blurring of the boundaries between work and leisure time, which in turn are the result of faster networks and the increasingly widespread deployment of the technologies required to support flexible and remote working.
This phenomenon, coupled with the availability of more and more cleverly marketed gadgets and applications, means that everyone from staff to senior management is now looking at how technology can be employed to improve lifestyles both inside and outside the work environment. And people increasingly expect to be able to use the same technology in both worlds.
This trend is particularly marked among those organisations with highly mobile or highly IT-literate workforces, but it seems unlikely to slow down or lose momentum any time soon – no matter what the industry or sector may be. History tells us, in fact, that it is only likely to accelerate – and mutate.
Mutating threats
For some years, security departments have been dealing with the threat posed by consumer devices in the shape of personal media devices such as USB sticks and MP3 players (which are, in effect, highly portable disk drives). But the problem now is that such technology has moved beyond simply offering storage to providing more potentially dangerous two-way communications capabilities.
Mark Carter, lead partner at Deloitte UK’s security practice, explains: “As technology has moved to the communications level, the pressure has turned up a notch. It’s highly useful from a productivity point of view, but the dangers are also very real and present.”
The biggest of these threats are information leakage and data loss. This is because personnel often use their devices as partial laptop replacements without applying the same security disciplines that they normally would to corporate PCs.
“The security awareness developed over the last 15 years with laptops isn’t being applied to smartphones and the like,” explains Garry Sidaway, director of security strategy at service provider Integralis. “They’re just seen as convenient devices and aren’t considered insecure, so they’re not treated in the same way.”
Like their laptop cousins, however, these smaller devices are particularly vulnerable to potential loss or theft, which could lead to significant data breaches.
“Individuals just see smartphones as personal devices and don’t think of them as a business tool,” says Sidaway. “But the criminal world is starting to understand the huge amount of data that they could access by getting hold of them and so is beginning to see them in a different way.”
Another potential smartphone risk, although relatively minor at the moment, is the age-old issue of malware. While malicious code to date has done little more than reboot or reset device features in some way, or run up annoyingly large phone bills, history again tells us that such programs are likely to be the forerunners of other, much more dangerous, exploits.
Low levels of consumerisation
Interestingly, despite the widespread concern and high levels of staff interest in using their consumer gadgets in both a home and work context, a mere 11% of information workers currently do so in the UK and only about 14% in North America, according to Forrester Research.
Such figures do not include Research in Motion’s BlackBerry device, however, which was built from the ground up as a secure enterprise offering and is the most likely to be supported at the corporate level.
Deloitte’s Carter explains the reason behind the seemingly low usage of consumer offerings to date: “People aren’t using consumer devices as much as expected due to the risk concerns. There is a very limited number of organisations I know that allow staff to use some of the newer devices.”
The issue here is that personnel cannot unilaterally opt to use their gadgets to access business applications, such as email. Instead the corporate infrastructure has to be enabled to support them, which means that the status quo has prevailed more or less unchanged until now as security functions evaluate the best approach to tackling the matter.
However, a key problem here is that consumerisation is putting many information security professionals into something of a cleft stick. On the one hand, their traditional role has been defined as managing risk as effectively as possible and ensuring that the organisation’s information assets are secure. But a second, increasingly important function is that of enabling the business to use new technology safely so that it can operate as cost-effectively and nimbly as possible.
A big challenge, therefore, is how to achieve the latter without compromising the former.
The risks of prohibition
Until this dilemma is sorted out, a lot of companies are still prohibiting the use of consumer technology in the workplace – despite pressure from senior managers to find solutions to the problem. But such a situation cannot continue for ever, believes Deloitte’s Carter. In his view, consumerisation is here to stay, which means that “the idea of organisations being able to stick their head in the sand just won’t work”.
This is not least due to the very real danger that employees and contractors will simply look for ways to bypass corporate security controls in order to use their preferred technology. For example, users are often not keen on the idea of carrying both a corporate BlackBerry and a consumer device such as an Apple iPad around with them and so are likely to simply start forwarding emails from one to the other.
Such a situation not only increases the risk of data loss, but also means that organisations can find themselves potentially in breach of Data Protection Act stipulations around safeguarding confidential data.
Other classic concerns relate to sacked or otherwise disgruntled staff using consumer gadgets to siphon off sensitive information for potential commercial gain or for use by a new employer. And there are similar risks involved with inbound information.
Ann Bevitt, a partner at lawyers Morrison & Foerster, explains: “If someone comes into the office with an iPad containing information from a former employer and uploads it into your system, you’ll be tainted with that. If their former employer finds out, they’ll go after them and – potentially – you, and you may face allegations of inducing them.”
Snooping requires consent
This means that employers face risks from both ends, even if such risks have yet to be tested in court. But simply snooping on users’ electronic activity without prior consent is also not permissible and risks breaching both the Data Protection Act and certain facets of employment legislation, says Bevitt.
“You have to process data fairly and lawfully so you’ve got to have a legal basis for snooping on staff and seeing what they’re doing with their devices because there’s a fair chance there’ll be some personal data on them, whether it’s theirs or their clients’,” Bevitt explains.
To get around the issue, it is necessary to obtain broad consent from employees when they join that the organisation can monitor their electronic communications in order to ensure that they are complying with company policies. More covert activity, however, requires what the UK’s Information Commissioner calls an impact assessment, which includes a rationale for such action.
As part of this assessment, staff must be given notice that their employer wishes to monitor their electronic activity, and the monitoring itself must be carried out in the least intrusive way possible. For example, if work emails are sent to a personal address, metadata such as attachments, file headers and file size should be examined before a message is opened, in case it contains sensitive personal information.
Instead of simply prohibiting the use of consumer gadgets altogether, however, some organisations are now starting to embrace one of two models, according to Benjamin Grey, a senior analyst at Forrester Research.
The first approach involves making staff personally liable for their own equipment. Although not widespread, this situation entails allowing personnel to buy their own hardware and, depending on their role, permitting them to charge some voice calls or data services usage back to expenses.
The second option is to assume corporate liability for the procurement and management of consumer devices. This approach is most common among large organisations as it cuts down on management issues and the amount of work involved in ensuring that all IT equipment complies with relevant policies.
Laying the management foundations
Before going down either of these routes, however, it is crucial that security functions talk to the business about its requirements and how it sees consumer technology being used both now and in the future. The next step is to undertake a risk assessment to understand where potential threats lie and how they can best be mitigated.
From a technology controls point of view, there are various options – although the focus, as ever, should be on assuming a multi-layered, defence-in-depth approach.
The first possibility is to segment consumer devices from the rest of the corporate network by placing them in their own zone, in the manner of a Demilitarised Zone (DMZ). That zone should be constantly monitored using intrusion detection/prevention systems to spot behaviour that is unusual for a given user profile, so that the offending device or user can be cut off from the network if necessary.
A smartphone domain should also be set up if you want to limit access to only certain prescribed applications. Again, you should monitor this rigorously, not least because, unlike laptops, such devices appear all but anonymous to the network. Unlike PCs, they are not assigned a managed name but simply announce themselves as ‘Smartphone 1’ or ‘Smartphone 2’, which makes it difficult to know from network logs alone who is doing what and whether they should be doing it in the first place. In practice, identity has to come from the authentication layer and be correlated, by time, with the address a device was holding when the activity occurred.
To safeguard the network still further, access should only be given to authorised users via Virtual Private Networks (VPNs) and access tokens that are tied to them rather than their gadgets.
Steve Adegbite, chair of the Forum of Incident Response and Security Teams (FIRST), explains: “You need to do a lot of work around authentication, but all of this isn’t a panacea. It takes away 85% of the problem, but it’s all just speed bumps and barriers. If a determined person wants in, they’ll find a way, so the role of the security function is to look for and act on dodgy behaviour.”
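To make the ‘anonymous device’ problem concrete, the following is an added example, not code from the article or from any vendor or organisation it mentions. It joins constructed DHCP, VPN gateway and IDS log lines so that an IDS alert on an IP address resolves to the MAC address and the token-authenticated user that held that address at the time, and then compares the transfer against a hypothetical per-user baseline. The log formats, hostnames, user names, the `vpngw` and `ids` record layouts and the `USER_PROFILES` thresholds are all assumptions made for the illustration.

```python
"""Attribute activity from 'anonymous' consumer devices to a user.

Added example (not from the article). Correlates three constructed logs:
  - DHCP leases: IP -> MAC + self-reported hostname ('Smartphone 1' ...)
  - VPN gateway logins: IP -> user authenticated with a token
  - IDS alerts: the event we want to attribute
All formats are assumptions; real syslog lines will differ.
"""
import re
from datetime import datetime

# --- constructed sample logs (not real data) ---------------------------------
DHCP_LOG = """\
2010-09-14T08:01:12 dhcpd DHCPACK on 10.20.5.31 to 3c:07:54:aa:bb:01 (Smartphone 1) via eth1
2010-09-14T08:03:40 dhcpd DHCPACK on 10.20.5.32 to 3c:07:54:aa:bb:02 (Smartphone 2) via eth1
2010-09-14T09:10:05 dhcpd DHCPACK on 10.20.5.31 to 3c:07:54:aa:bb:03 (Smartphone 1) via eth1
"""

VPN_LOG = """\
2010-09-14T08:02:00 vpngw user=asmith auth=token-ok src=10.20.5.31
2010-09-14T08:04:10 vpngw user=bjones auth=token-ok src=10.20.5.32
2010-09-14T09:11:00 vpngw user=cwong auth=token-ok src=10.20.5.31
"""

IDS_LOG = """\
2010-09-14T08:30:00 ids alert=large-outbound-transfer src=10.20.5.31 dst=203.0.113.9 bytes=52428800
2010-09-14T09:30:00 ids alert=large-outbound-transfer src=10.20.5.31 dst=203.0.113.9 bytes=1048576
2010-09-14T09:45:00 ids alert=large-outbound-transfer src=10.20.5.40 dst=203.0.113.9 bytes=5242880
"""

# Hypothetical per-user profile: outbound bytes per event considered normal for that role.
USER_PROFILES = {
    "asmith": 10 * 1024 * 1024,
    "bjones": 100 * 1024 * 1024,
    "cwong": 10 * 1024 * 1024,
}

DHCP_RE = re.compile(r"^(\S+) dhcpd DHCPACK on (\S+) to (\S+) \((.*?)\) via")
VPN_RE = re.compile(r"^(\S+) vpngw user=(\S+) auth=token-ok src=(\S+)")
IDS_RE = re.compile(r"^(\S+) ids alert=(\S+) src=(\S+) dst=(\S+) bytes=(\d+)")


def _ts(s):
    return datetime.fromisoformat(s)


def parse_dhcp(text):
    """Return (timestamp, ip, {'mac', 'hostname'}) per DHCPACK line."""
    out = []
    for line in text.splitlines():
        m = DHCP_RE.match(line)
        if m:
            out.append((_ts(m[1]), m[2], {"mac": m[3], "hostname": m[4]}))
    return out


def parse_vpn(text):
    """Return (timestamp, ip, user) per successful token login."""
    out = []
    for line in text.splitlines():
        m = VPN_RE.match(line)
        if m:
            out.append((_ts(m[1]), m[3], m[2]))
    return out


def parse_ids(text):
    """Return (timestamp, alert, src, dst, bytes) per alert line."""
    out = []
    for line in text.splitlines():
        m = IDS_RE.match(line)
        if m:
            out.append((_ts(m[1]), m[2], m[3], m[4], int(m[5])))
    return out


def latest_before(records, ip, when):
    """Most recent record for `ip` at or before `when`; records are (ts, ip, payload)."""
    best = None
    for rec in records:
        if rec[1] == ip and rec[0] <= when and (best is None or rec[0] > best[0]):
            best = rec
    return best


def attribute(alert, leases, logins):
    """Resolve one alert's source IP to the MAC, hostname and user holding it at that time."""
    ts, name, src, dst, nbytes = alert
    lease = latest_before(leases, src, ts)
    login = latest_before(logins, src, ts)
    return {
        "time": ts.isoformat(),
        "alert": name,
        "src": src,
        "mac": lease[2]["mac"] if lease else None,
        "hostname": lease[2]["hostname"] if lease else None,
        "user": login[2] if login else None,
        "bytes": nbytes,
    }


def triage(dhcp_text, vpn_text, ids_text, profiles):
    """Attribute every alert and judge it against the user's profile."""
    leases, logins = parse_dhcp(dhcp_text), parse_vpn(vpn_text)
    results = []
    for alert in parse_ids(ids_text):
        a = attribute(alert, leases, logins)
        if a["user"] is None:
            # No token-backed login behind this address: treat as hostile, not as noise.
            a["verdict"] = "unattributed"
        elif a["bytes"] > profiles.get(a["user"], 0):
            a["verdict"] = "anomalous"
        else:
            a["verdict"] = "within-profile"
        results.append(a)
    return results


if __name__ == "__main__":
    for r in triage(DHCP_LOG, VPN_LOG, IDS_LOG, USER_PROFILES):
        print(f"{r['time']} {r['src']} {r['hostname']!r} mac={r['mac']} user={r['user']} "
              f"bytes={r['bytes']} -> {r['verdict']}")
```

The sample data is chosen so that the hostname ‘Smartphone 1’ appears behind both of the 10.20.5.31 alerts while the MAC address and user behind it differ, which is why the lookups are keyed on time rather than on the name the device reports. An alert whose address has no token-authenticated login behind it is surfaced as unattributed rather than dropped, since a device that reached the zone without passing the VPN and token step is exactly the case the monitoring exists to catch.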
Mobile management systems
Another potential tack for those taking what Forrester’s Grey describes as a ‘corporate-liable’ approach is to implement one of the mobile management systems being sold by vendors such as Sybase, Goode Technologies and MobileIron.
While many organisations have already deployed management platforms for their BlackBerry estate, and are unlikely to simply throw such devices away in favour of their consumer-focused cousins any time soon, these offerings are intended to act as a complement rather than a replacement.
As such, they enable administrators to undertake activities such as configuration and applications management, asset inventory and reporting, as well as enforcing password and other security policies. Data can also be wiped remotely if gadgets are lost or stolen and devices can be locked down after a given length of time or too many authentication attempts.
Although not widely deployed at the moment, the software – forecasts Forrester’s Grey – will start moving into mainstream adoption mode over the next 12 to 24 months. While currently “pretty basic stuff”, he says, it would nonetheless “meet the vast majority of organisations’ needs worldwide – even those in the most heavily regulated industries such as healthcare.”
Over the next two to three years, Grey expects additional services such as location-based asset tracking for sectors such as transport and logistics to be added, as well as telecoms expense management.
Changing policy requirements
As always, simply shoving enforcement technology in and hoping for the best is far from a total solution. Another important consideration relates to how corporate data is handled in a general sense. This involves defining both what it is as well as its value, understanding how it is employed and coming up with acceptable usage policies on that basis.
The dissemination of such policies also needs to be backed up with training and awareness campaigns, particularly among high-risk staff categories. Some organisations are already moving away from a one-size-fits-all approach, and are instead devising mobile policies based on job role and the type of data that the role handles.
Grey explains: “For users of basic email and calendaring, they might enforce a password, and hardware and application encryption, but for information workers in more heavily regulated industries, they could prohibit downloads from third-party application stores, block cameras and turn off screen-capture features. It’s about taking mobile policies and tailoring them to the needs of the individual.”
One thing that is certain, however, is that the requirement for such measures will not go away. As Deloitte’s Carter concludes: “We expect to see a continuing and increasing use of multiple mobile computing devices in a work context. Consumerisation is an irrepressible force and it’s one that will simply have to be dealt with, so it’s no good burying your head in the sand.”