Applying Security Controls in a Consumerized IT Age
When enterprises trade their IT policies for convenience and employees' productivity.
Today, consumerization, that is, the pressure corporations face from employees who want to work on their own ever cooler devices, is dislodging from enterprise computing the IT governance approaches built around locking down hardware, operating systems and software. Employees want to configure their consumer devices just the way they like. Using those same devices, trendier than the ones currently issued by IT departments, they want remote access to corporate IT so they can answer the latest emails from colleagues and schedule the next business meetings.
In this age of consumerized IT, enterprises face an inescapable tension: on one side, containing the damage that loosened control over the IT environment can do to the corporate security posture; on the other, letting employees use whatever device they need (or prefer) to get the job done, wherever they happen to be.
A number of security measures and policies exist to help managers approach this trade-off and handle the security concerns that come with consumer-grade gear, such as the loss of data when a device is lost or stolen, or the exposure of sensitive corporate information over unencrypted communications.
To keep corporate information safe, it is important to recognize that a growing number of consumer smartphones and tablets now provide the features needed to make them safe enough for business use: encryption of data at rest (such as emails and their attachments), remote wipe and inventory, VPN capabilities, and password management. These features only help when the enterprise can enforce them centrally; left to each employee to switch on, they are just options.
Companies may be better off accepting that the pressure from their employees will only increase, offering them, among the trendier and most appealing consumer devices, those whose security features best meet business needs, and working to put helpful security policies in place. Sensible policies range from encrypting e-mail sessions and storing messages and their attachments encrypted, to synchronizing sensitive information with an enterprise data store rather than leaving the only copy on the device, to automatically wiping a device after a maximum number of failed login attempts, locking it automatically once it has been idle longer than a set period, and encrypting remote access sessions to the enterprise IT.
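Turning the controls above into settings a server actually enforces, as an added example that is not part of the original article: it assumes a Microsoft Exchange 2010 environment in which the devices synchronize mail over Exchange ActiveSync (the article names no product), and the policy name, mailbox alias, device ID and notification address are made up for illustration. The cmdlets and parameters are the Exchange 2010 ones.

```powershell
# Added example, not from the original article. Assumes Exchange 2010 and
# devices connecting over Exchange ActiveSync; run from the Exchange
# Management Shell. "BYOD-Baseline", "jdoe", the device ID and the
# notification address are placeholders for illustration.

# One policy that maps the article's controls onto enforced settings:
#  - a passcode is required, at least 6 characters, and not a simple
#    pattern such as 1234
#  - the device wipes itself after 10 failed unlock attempts
#  - the device locks after 10 minutes idle
#  - data at rest (mail, attachments, storage card) must be encrypted
#  - devices that cannot enforce these settings are refused rather than
#    waved through (AllowNonProvisionableDevices defaults to $true)
New-ActiveSyncMailboxPolicy -Name "BYOD-Baseline" `
    -DevicePasswordEnabled $true `
    -AllowSimpleDevicePassword $false `
    -MinDevicePasswordLength 6 `
    -MaxDevicePasswordFailedAttempts 10 `
    -MaxInactivityTimeDeviceLock "00:10:00" `
    -RequireDeviceEncryption $true `
    -RequireStorageCardEncryption $true `
    -AllowNonProvisionableDevices $false

# Bind the policy to a mailbox (placeholder alias). The device receives the
# policy on its next sync and must apply it before mail is delivered.
Set-CASMailbox -Identity "jdoe" -ActiveSyncMailboxPolicy "BYOD-Baseline"

# Inventory: which devices sync this mailbox, when they last succeeded, and
# whether a wipe has been requested and acknowledged.
Get-ActiveSyncDeviceStatistics -Mailbox "jdoe" |
    Select-Object DeviceType, DeviceModel, DeviceOS, DeviceID, LastSuccessSync,
                  DeviceWipeRequestTime, DeviceWipeAckTime

# Remote wipe of a lost or stolen device, selected by its DeviceID from the
# inventory above (placeholder value). The wipe executes the next time the
# device connects; the notification address is mailed when it acknowledges.
$lost = Get-ActiveSyncDeviceStatistics -Mailbox "jdoe" |
    Where-Object { $_.DeviceID -eq "Appl1234567890" }
Clear-ActiveSyncDevice -Identity $lost.Identity `
    -NotificationEmailAddresses "security@example.com" -Confirm:$false
```

Two caveats a practitioner would keep in mind. Enforcement rests on the device's ActiveSync client: the server can refuse clients that do not claim to support provisioning, but it has no independent way to verify that a client which does claim support really encrypted its storage or really set the lock timer. And a remote wipe is only as timely as the device's next connection; a thief who keeps the device off the network never receives it, which is why the encryption-at-rest and failed-attempt wipe settings matter more than the remote wipe itself.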