Addressing the Consumerization of IT

Written by

Bring Your Own Device or Consumerization of IT are fairly hot themes in a lot of customer organizations. When I talk to customers, there are typically different reactions, once we bring this up. Some tell us that it is not part of their strategy; some tell us that they plan to do it but that they have a hard time figuring out, how to secure such an environment; very, very few customers tell us that they have this under control.

What Is it All About?

For me, the trend really started to take off with smartphones. Most companies tried to standardize the models, but at the end of the day it was a lost battle for different reasons:

  • The standardization process was always slower than the development of new devices.
  • These devices were cool. Therefore the CEO bought a new one in the store around the corner and then came back to IT to enable it to read mails etc. If the CEO wants it, who pushes back?
  • Different people have different needs. Do they all need the same device?

Based on this, a few companies tried a different approach: They gave selected people money instead of hardware and let them choose themselves. The idea behind it is fairly simple: We typically publish a “one-size-fits-all” image and do not take into consideration that IT-literate people might be more productive if they are able to customize their environment the way they want – as long as they follow certain policies.

Over the course of the last few years, the problem became much bigger as a lot of different form factors hit the streets: from iPhone to iPads, from netbooks to developer notebooks to slates etc.

The Challenge

Once we accept that there are different needs and that this might (or better: will) help some users to be more productive, the next question then is: How do we enable access to our company data without compromising security, privacy and compliance? And what do we do if somebody leaves the company? How can we delete our company data/contacts/mails and keep the user’s private environment in place? … and a lot more.

And, by the way, the user wants access anytime and anywhere.

Unfortunately there are no silver bullets but some ideas and approaches. We just published the Consumerization of IT Test Lab Guides, which can help do address some of your challenges or at least give you some food for thought. Here is the description of the papers:

While Consumerization of IT (CoIT) has remarkable potential for improving collaboration and productivity, many companies are grappling with the potentially enormous security risks of introducing consumer technologies in their IT environment. Therefore, IT needs to strike a balance between user expectations and enterprise requirements for security, privacy, control, and compliance.

The Consumerization of IT (CoIT) series of documents comprises the following documents :

  • A white paper entitled Consumerization of IT (CoIT), A Trend To Be Considered that introduces as its name indicates the topic;
  • Test Lab Guides (TLGs) that allow you to get hands-on experience using a pre-defined and tested methodology that results in a working configuration for the most frequent and relevant CoIT scenarios. Each of these guides also covers how to test and demo each capability.

Different scenarios are covered:

  1. Base Configuration - Provide secure corporate network access
  2. Internet Proxy - Provide Internet access
  3. Exchange Messaging - Provide email access and manage non-corporate devices security policies
  4. Data Protection - Manage email security
  5. Data Classification and Server Isolation - Manage sensitive server and application security
  6. Remote Desktop Services Desktop Virtualization - Deliver applications to any devices
  7. Remote Access Gateway - Secure remote access

I think that this is something you definitely should look into as it gives you approaches and guidance, how to align your architecture.

However, to start with: Know your data and know your data classification. There is a good chance that there are data sets, you want to give access only to users on machines you manage.

Roger

What’s hot on Infosecurity Magazine?