Channel: consumerization – Aberdeen Essentials

Consumerization and Security: Turn Your “No” into “Yes, and Here’s How”


Ask three people what is meant by the phrase consumerization of IT, and you may get four different answers. From the enterprise’s perspective, they’ll probably include some or all of the following:

  • Your end-users are using mobile devices (e.g., smart phones, tablets, PCs) that you no longer control and manage – in line with the multi-year trend towards Bring Your Own Device (BYOD)
  • Your end-users are accessing, transmitting, and sharing information about the company and its customers over networks (e.g., 3G/4G, Wi-Fi) that you no longer control and manage – in line with a general expectation of any time / any location mobility, and the increasing value placed on collaboration
  • Your end-users are accessing applications (managed services, cloud services, cloud-based apps, and consumer-oriented apps) that you no longer control and manage – some of which you may have evaluated and sanctioned, but many of which were selected and provisioned by the end-users themselves

This latter category of apps – low or no cost; extremely easy to find, download, install and use; and generally outside the policies and control of the IT organization – is the epitome of what the phrase consumerization of IT is all about. Left to their own devices, end-users tend to act in favor of “getting the job done” by taking advantage of free and readily available solutions – often overlooking considerations of security, privacy and compliance. Do these apps deal with the company’s confidential information? Employee, customer, student or patient data? Payment card data? Personally Identifiable Information (PII)? Protected Health Information (PHI)?

One specific example – but by no means the only one – is in the area of synching, sharing or transferring files. As of April 2014, a simple search in the iTunes AppStore using the phrase “file sharing” resulted in some 500 free or low-cost alternatives … and in the Google Play store, a similar search yielded some 250 options! In the absence of officially supported alternatives for synching / sharing files securely and in compliance with well-defined corporate policies, there are literally hundreds of options for users to get the job done – never mind email attachments, thumb drives, and other “old school” ways to move digital information.

The views expressed by a member of the security team for a professional association based in New England are still all too typical:

This is the process actively followed in my organization: until an app is evaluated by the security staff, it is not available for employee use. The app is explicitly blocked, to prevent it from being operational during the window when it is being evaluated. In my opinion it is better to block it until we can be sure it doesn’t possess any security risk to the organization.

This is truly a no-win strategy!

Sticking with the file synch / file share example, how can any security staff possibly have time to evaluate 500+ apps on multiple platforms? Even if they could, are there not more strategic tasks that the security team should be contributing to the business?

More importantly, simply saying “no” is not really an option. For most organizations, support for collaboration – which involves sharing information – is an essential business strategy. The fact that these apps are being used means that there is a business need that is not being met – this is where the IT and IT Security teams should be focused. Stop being an obstacle; start being an enabler.

Some of the basic building blocks for getting ahead of the consumerization of IT train, using file synch / file sharing as the example, are as follows:

  • Align IT and IT Security with the needs of the business – understand what the end-users are trying to achieve, and why; remember that the objective is to support the business within its appetite for risk, not to enforce the best available security
  • Provide an officially supported solution – support the end-users with the tools they need, based on a balance of productivity, risk and total cost
  • Establish consistent policies for file sharing, including inbound, outbound, and internal to the organization – as part of an overall approach to safeguarding sensitive data
  • Invest in ongoing awareness and education for end-users – they should be made fully aware of, and accountable for, their responsibilities for protecting the organization’s sensitive data

Finally, measuring and monitoring all file movement activity will help you to find and eliminate the root causes for exceptions – whether by enforcing your policies, or by evolving your policies and solutions as appropriate as the needs of the business change.

For more on this topic, read more research reports at Aberdeen’s IT Security practice page.

The post Consumerization and Security: Turn Your “No” into “Yes, and Here’s How” appeared first on Aberdeen Essentials.
