Why the consumerisation of IT is fuelling security fears

Research just released shows that almost two-thirds of IT professionals are concerned about security issues associated with the use of personal devices in the workplace and highlights the fact that data in the digital age has become as portable as the devices it is stored on.

This major study highlights the fact that almost 90 per cent of employees use their own laptops, tablet computers and mobile phones for work-related tasks. It’s clear that companies now need to keep track of their data as never before.

I’ve been monitoring this issue for a number of years and it’s undoubtedly getting worse from a security perspective. Mobile devices offer very tempting productivity gains: it’s natural for employees to want to take files out of central data stores, work on them, and then move them back into the organization, but this extends and exacerbates the common vulnerabilities that are still big problems on the core collaboration infrastructure.

Employees usually have too much access to file shares, SharePoint, Exchange mailboxes and public folders, and can freely download data to their workstations without any record. With the expanding memory on tablets and smartphones (16 and 32 gigabytes are fast becoming standard), it’s easy to take more data further outside the core, where there are even fewer controls.

In order to collaborate securely on the core infrastructure, organizations need to know which data is active, who is using it, who has access to it, and which is sensitive. This is data governance 101 material, but it’s an area that is often missed by hard-pressed IT security managers – until something goes wrong. If the core isn’t well managed and protected, collaboration with mobile devices will be even harder to control.

The risk associated with the portability of data can be dramatically minimized by ensuring that access to sensitive data is limited long before it makes it onto any of today’s portable devices.

Organizations have been challenged to do this in the past because many fundamental controls, like access auditing and metadata analysis, have been missing, and the manual processes to limit access to data have often relied on IT personnel to make access control decisions instead of data owners.

Unaudited, overly permissive access naturally allows personnel to move accessible data onto all the devices they use to complete their work and collaborate digitally.

Whilst the prospect of seeing their company data floating about on employees’ portable devices is bad enough to give the average IT security manager a headache, the real migraines start when you realise the immense volumes of data that are produced – and added to – every single day in the typical business environment.

With today’s large mobile drives and gigabit Ethernet, major swathes of company data can be transferred in a relatively short space of time. And that data then simply walks out of the door on the member of staff’s laptop or tablet computer.

This research, which was conducted by Dell Kace, took in the responses of 750 key IT security professionals and shows that they are worried about the rise of what some people are calling the consumerisation of IT in the workplace. The conclusions of this report should also act as a wake-up call to IT security professionals about what is happening to their organisation’s data in the modern world.

David Gibson has been in the IT industry for more than 15 years, with a breadth of experience in data governance, network management, network security, system administration, and network design. He is currently Director of Technical Services at Varonis Systems where he oversees product marketing and positioning. As a former technical consultant, David has helped many companies design and implement enterprise network architectures, VPN solutions, enterprise security solutions, and enterprise management systems. He is a Certified Information Systems Security Professional (CISSP).

  • I agree with the issues raised by the article and would
    stress 2 further points:

    1) One of the drivers mentioned by many companies for
    promoting the consumerisation of IT is that they believe that because the user
    owns the device, this limits the responsibility for due care of that device and
    its use by the company. This is a dangerous point of view and promotes some of
    the vulnerabilities mentioned in the research.

    2) Many new devices by their very nature aren’t suitable
    as corporate devices, such as tablets. The application-centric approach to their
    operating systems means that it is difficult (not possible?) to build security
    as a service to control that end point.