Setting Effective Security Policies in a Consumerized IT Environment
"Consumerization" is the latest buzzword in the IT world. It refers to the increasing reversal of the technology adoption flow, which for many years began in the enterprise and then "trickled down" to small businesses and then consumers. Today many technologies get their start in the consumer market and then "trickle up" into the enterprise. The iPhone is a prime example; social networking is another. Tight IT budgets due to a weak economy and entry into the workforce of younger workers who want to bring their technologies to work with them have combined into a "perfect storm" that has resulted in many more consumer devices and software on the company network. To read more about how "Generation Y" has influenced this trend, see my editorial in the WXPNews newsletter on The Consumerization of IT.
While this trend has its advantages (including cost savings to the company when employees buy their own devices, along with greater job satisfaction among younger workers, which in the best case translates to greater productivity), it also presents a potential security nightmare for IT administrators. Not only does it mean having to support, to some degree, a plethora of different products (at least insofar as getting them connected to the corporate network), but it also means ensuring that those employee-owned devices don't introduce malware or become vectors for attacks directed at company resources.
This makes for a challenge in developing effective policies that allow for flexibility without compromising security, and that's what we'll be addressing in this article.
Categorizing Consumerization Concerns
Security concerns in regard to IT consumerization fall into two broad categories:
- Security threats presented by consumer applications (usually web applications such as social networking sites and web mail) used by employees on company-owned computers.
- Security threats presented by consumer devices (laptops, smart phones, tablets/slates) owned by employees but used to connect to the corporate network.
In both cases, there is a very simple and seemingly obvious solution: ban the consumer technology completely. Don't allow workers to visit social networking sites or other non-work web sites. Don't allow employees to connect their own devices to the corporate network. This is relatively easy to accomplish with web filtering software, mandatory device authentication and other technological controls.
However, an outright ban on consumer technology in the workplace is becoming impractical in today's mobile business world.
As far back as 2007, consumerization was raising security red flags as the inevitability of the trend was being recognized: "Although consumer technologies create new risks for the enterprise, eliminating their use is increasingly difficult and impractical." (Rich Mogull, Gartner)
Once upon a time, companies supplied smart phones only to key personnel in management and IT. Now many employees buy their own, and they want to be able to get their work email on their phones. They have their own laptops and they want to be able to connect to the company network and revise a document or even access their work desktop from home or a hotel room. But it's not just about what employees want; some companies have discovered that allowing that access makes most workers more productive, and that's good for the company's bottom line.
Likewise, when the social networking phenomenon first emerged, many businesses prohibited employees from visiting those sites on company time or company machines. Today, however, social networking is becoming a vital business tool that's used for connecting with current and potential customers, disseminating information about the company and even communicating with colleagues within the company. Again, some businesses have found that rather than being a time-waster, social networking is actually benefiting the company and getting its message out to the online community.
Let's clarify an important point: this article's focus is only the security issues surrounding consumer technology in the workplace. I will not discuss in any detail the productivity pros and cons of allowing that technology. I recognize that there are arguments on both sides.
Defining the Threats and Assessing the Risk
The first steps in developing any security policy are to define the potential threats and then assess the risk (the probability that those threats will actually occur and the impact/cost if they do).
Let's look at some of the threats associated with allowing consumer technologies on the corporate network:
- Introduction of viruses and other malware that can bring down the network, allow an attacker to control computers on the network (individually or as part of a botnet), steal information from company servers or accomplish other malicious acts.
- Leakage of company data that is stored on a consumer device when the device is stolen, lost or otherwise accessed by someone outside the company.
- Divulgence of company information from inside the corporate network via consumer technologies such as web mail, instant messaging, VoIP, blogging services and social networks.
Malware can be introduced via either category of consumerization. An employee-owned device can be infected when the employee uses it on a less secure home network, a public wi-fi hotspot or some other network; when it's reconnected to the corporate network, the malicious software can then spread to other machines on that network. Less frequently, malware can also reach the consumer device via an infected removable storage device (USB key, flash memory card), or be transferred when the user syncs a device such as a smart phone with an infected home computer.
Malware can also come directly to company computers from consumer-oriented web sites such as social networking sites, either when users access third party applications that are associated with the sites or when they click on posted links that take them to malicious web sites.
Zero-day threats (those that are too new for malware definitions or patches to have been issued) are the biggest concern here. Corporate computers should already have malware protection that catches known threats, so it is the malware that signatures don't yet recognize that is most likely to get through.
Leakage of company data can happen in similar ways. After it's downloaded to a consumer device, it can be exposed by malware or accessed in an attack on the device. It might be stored on the device's removable memory card (which can be stolen instead of the device itself), or the data on the device might be inadvertently uploaded to the user's home computer via the sync process and compromised there. Or, of course, the entire device could be lost or stolen. Millions of cell phones and laptops are reported lost or stolen every year.
Employees frequently use their web mail accounts (Gmail, Hotmail, Yahoo, etc.) and instant messaging from work for their personal communications and also, importantly, to email files to themselves to work on at home. Traditional corporate email security solutions don't address these web services. Malware can be distributed through these channels, so companies should deploy web security gateways that can detect and filter out malicious inbound traffic, scripts, P2P applications (if not allowed by policy), and so forth.
Understanding the threats and assessing the risks will help guide you in setting realistic and enforceable policies. Some key issues that should be considered in developing security policies in a mobile, consumerized environment include:
- Mandatory encryption of any company data stored on employee-owned devices.
- Mandatory encryption of communications in transit between employee-owned devices and the company network via VPN, DirectAccess, etc.
- Mobile devices used for business should have the capability of being remotely wiped.
- Health checks of laptops connecting to the corporate network, via Network Access Protection (NAP) or Network Access Control (NAC) to ensure that they meet company standards as to virus protection, firewall, service packs/security updates and so forth.
- Enforced sync parsing/protocol filtering and content filtering (for example, with DeviceLock) to control what types of data users can synchronize between their mobile devices and company computers.
- A virtual desktop infrastructure whereby virtualized operating systems and/or applications are delivered to employee-owned laptops for work purposes, allowing the company to control the hosted image and isolate it from the local operating system on the laptop.
- Policies that specify what consumer software can be used on corporate computers (for example, social networking web sites vs. iTunes, multi-player games or personal VoIP accounts such as Skype) and enforcement of those policies with Software Restriction Policies.
- Use of agent-based security configuration management tools to enforce usage policies.
- A comprehensive usage policy that addresses employee use of social networking.
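To make the health-check item concrete, here is an added example (not code from the original article, and not the logic of any particular NAP or NAC product) of how a health policy of the kind listed above is evaluated: the endpoint agent's posture report is checked against the company's thresholds and the device is either admitted or quarantined. The report field names, the policy thresholds (signature age, minimum OS build) and the three sample reports are all assumed or constructed for illustration. The one design point worth copying is that the check fails closed: an attribute the agent did not report counts against the device, so an outdated or tampered agent can't pass simply by leaving things out.

```python
"""NAC-style health policy evaluation over constructed posture reports.

Added example. Field names, thresholds and sample reports are assumptions
made for illustration, not the data model of any real NAP/NAC product.
"""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class HealthPolicy:
    """Company standards a connecting laptop must meet (values are assumed)."""
    require_antivirus: bool = True
    max_signature_age_days: int = 3        # assumed: older definitions are stale
    require_firewall: bool = True
    min_os_build: int = 7601               # assumed: Windows 7 SP1 build number
    max_missing_critical_updates: int = 0
    require_disk_encryption: bool = True   # supports the mandatory-encryption policy point


def evaluate_health(report: dict, policy: HealthPolicy, today: date) -> tuple[str, list[str]]:
    """Return ("compliant", []) or ("quarantine", [reasons]).

    Fail closed: anything the agent did not report is treated as
    non-compliant, so omission can never produce a passing verdict.
    """
    reasons: list[str] = []

    if policy.require_antivirus:
        av = report.get("antivirus") or {}
        if not av.get("enabled", False):
            reasons.append("antivirus missing or disabled")
        else:
            sig = av.get("signature_date")
            if sig is None:
                reasons.append("antivirus signature date not reported")
            else:
                age = (today - date.fromisoformat(sig)).days
                if age > policy.max_signature_age_days:
                    reasons.append(f"antivirus signatures {age} days old")

    if policy.require_firewall and not report.get("firewall_enabled", False):
        reasons.append("host firewall disabled or not reported")

    build = report.get("os_build")
    if build is None or build < policy.min_os_build:
        reasons.append(f"OS build {build} below required {policy.min_os_build}")

    missing = report.get("missing_critical_updates")
    if missing is None:
        reasons.append("update status not reported")
    elif missing > policy.max_missing_critical_updates:
        reasons.append(f"{missing} critical update(s) missing")

    if policy.require_disk_encryption and not report.get("disk_encrypted", False):
        reasons.append("data volume not encrypted")

    return ("compliant" if not reasons else "quarantine", reasons)


# Constructed sample reports (not real agent output).
TODAY = date(2011, 3, 1)

HEALTHY = {
    "host": "laptop-01",
    "antivirus": {"enabled": True, "signature_date": "2011-02-28"},
    "firewall_enabled": True,
    "os_build": 7601,
    "missing_critical_updates": 0,
    "disk_encrypted": True,
}

STALE = {  # two weeks on a home network without updating
    "host": "laptop-02",
    "antivirus": {"enabled": True, "signature_date": "2011-02-14"},
    "firewall_enabled": True,
    "os_build": 7601,
    "missing_critical_updates": 2,
    "disk_encrypted": True,
}

PARTIAL = {  # old agent that omits several attributes
    "host": "laptop-03",
    "antivirus": {"enabled": True},
    "os_build": 7600,
}


def run_samples() -> dict:
    """Evaluate the three constructed reports against the default policy."""
    policy = HealthPolicy()
    return {r["host"]: evaluate_health(r, policy, TODAY)
            for r in (HEALTHY, STALE, PARTIAL)}


if __name__ == "__main__":
    for host, (verdict, why) in run_samples().items():
        print(f"{host}: {verdict}" + (f" ({'; '.join(why)})" if why else ""))
```

In a real deployment the verdict would be enforced at the network edge (VLAN assignment, 802.1X, or a remediation network that only reaches the update servers), and the report itself would need to come from an agent whose integrity the network can trust; a self-reported "firewall_enabled: true" from an unauthenticated client proves nothing.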
In a later article, I will go into the detail about how to create a good social networking policy.
The bottom line: first become familiar with the threats posed by various consumer devices and technologies. Then determine which consumer technologies should be allowed. Next, devise guidelines for how those technologies can be used. Put the policy in writing, educate users about it, and use technological controls to enforce it where possible. The consumerization of IT is a trend that shows no signs of slowing down any time soon, so ignoring the security implications is not a viable option.