Gartner Says the Consumerization of IT is a Major Threat to Enterprise Security

June 15, 2007; 05:34 AM
One of the most-significant threats to enterprise security is the consumerization of IT, and as more consumer technologies enter the enterprise, security managers must prepare for, and manage, the security risks, according to Gartner, Inc. Employees expect to use more of their personal equipment and services at work, and enterprises are simultaneously adopting more consumer technologies in business operations.

“Although consumer technologies create new risks for the enterprise, eliminating their use is increasingly difficult, and impractical,” said Rich Mogull, research vice president for Gartner. “By taking security precautions and investing in foundational security technologies now, enterprises can prepare themselves for increasing use of consumer devices, services and networks with their organization, and manage these risks.”

The entrance of consumer technologies in the enterprise challenges traditional security models, but, although they may lack maturity and come at a high price, the tools exist to manage the risks of consumerization. Many of these, such as network access control (NAC) or CMF/DLP, are being adopted by enterprises to manage other threats and can be configured for consumerization threats. And while in some cases it may be too early or costly to invest in these less-mature tools, enterprises can start with policies and procedures, and use these to help guide future technology deployments.

Gartner has identified four issues that IT managers must prepare for to secure their organization as consumer technologies penetrate the workplace. They include:

Preparing for Consumer E-Mail and Communications Services

Consumer e-mail, instant messaging (IM), voice over IP (VoIP) and other communications services are becoming intrinsically tied to people’s online personalities. Today, most employees use private e-mail services, such as Gmail, Yahoo, AOL or Hotmail, often from work, and often as a way to exchange work materials with their PCs at home. IM also continues to rise in popularity, and usage may actually exceed e-mail usage with younger generations. New services and technologies, such as Skype, video chat and collaborative workspaces, are becoming more common, even among less-technical employees.

“Most organizations will find themselves unable to completely block these services, for cultural, if not technical reasons, but security options are available to limit the risks that consumer communications services create,” said Mr. Mogull. “Enterprises can look at a vector for malicious software or violations of corporate communications policies. Current acceptable use policies often do not cover these areas, and traditional e-mail security or firewalls and URL filtering do not deal with them effectively.”

Preparing for Blogs, Social Networks and Other Web 2.0 Services

In addition to communications, there is a growing use of blogs, social networks and other Web 2.0 services, both in and out of the workplace. Some of these services create a risk of information leaks, while others offer potential new channels for malicious software. Gartner recommends that enterprises take the following precautions to limit the risks of both threats:

• Define clear policies about what is allowed, and not allowed, with regard to these services. Pay particular attention to blogging and what the enterprise is comfortable allowing employees to discuss. Company intellectual property and company operational information should be restricted from blogs.
• Deploy Web security gateway and configure it to block malicious inbound traffic. Make sure the product can detect and block JavaScript exploits.
• Configure the Web security gateway to block any services (such as social networking) unapproved for use in the workplace.
• Configure your CMF/DLP solution to monitor and enforce policies on HTTP traffic. CMF/DLP is not restricted to communications channels, and it can monitor and block release of sensitive content over many network protocols, including HTTP and peer-to-peer (P2P).

Preparing for Unmanaged Mobile Devices

While full smartphones tends to be limited to business professionals and technology enthusiasts, new media-centric devices are expected to rise in general popularity. Aside from large amounts of storage, these devices can run increasingly robust applications, and they are a target for malicious code. Future employees may expect to use these devices with, or in lieu of, corporate managed systems.

Enterprises can take precautions today to limit the risks of these devices without resorting to an unenforceable outright ban. Some options include:

• Deploying a portable device-control solution to restrict the ability for unapproved devices/storage to connect to managed workstations and laptops.
• Deploy a secure sockets layer (SSL) virtual private network (VPN) to enable thin client remote access to enterprise systems and information.
• All approved mobile devices with access to sensitive data should be encrypted in case of loss.

Managing Networks and Remote Connectivity

As both broadband penetration and use of wireless networks increase, employees are connecting to enterprise resources through both unmanaged networks and unmanaged remote devices. Allowing employees to work remotely or from home on their own systems can increase productivity, but it does bring some security risk.

Enterprises should protect themselves by implementing some of these actions:

• Deploy an SSL VPN on-demand security features. Configure to restrict access based on a health check and the security of the endpoint.
• Reduce use of thick client VPNs. If full VPN access is needed, select one with NAC support to reduce the possibility of unmanaged systems using the VPN client software and/or connection.

Additional information can be found in the report “Gmail, iPhones and Wiis: Preparing Enterprise Security for the Consumerization of IT which can be found on Gartner’s Web site at

www.gartner.com/DisplayDocument?ref=g_search&id=503272&subref= simplesearch.

(Due to its length, this URL may need to be copied/pasted into your Internet browser's address field. Remove the extra space if one exists.)

This research note is part of a Gartner Special Report on the consumerization of IT, which includes 20 research notes examining how consumerization is a catalyst for the growing conflict between the “traditional” enterprise IT function, which has historically maintained sole authority over enterprise IT architecture, and the growing desire and ability of individual employees to increasingly influence their use of IT. The Gartner Special Report “Consumerization Gains Momentum: The IT Civil War” can be accessed on Gartner’s Web site at www.gartner.com/it/products/research/consumerization_it/ consumerization.jsp.

(Due to its length, this URL may need to be copied/pasted into your Internet browser's address field. Remove the extra space if one exists.)

About Gartner

Gartner, Inc. (NYSE: IT) is the world’s leading information technology research and advisory company. Gartner delivers the technology-related insight necessary for its clients to make the right decisions, every day. From CIOs and senior IT leaders in corporations and government agencies, to business leaders in high-tech and telecom enterprises and professional services firms, to technology investors, Gartner is the indispensable partner to 60,000 clients in 10,000 distinct organizations. Through the resources of Gartner Research, Gartner Consulting and Gartner Events, Gartner works with every client to research, analyze and interpret the business of IT within the context of their individual role. Founded in 1979, Gartner is headquartered in Stamford, Connecticut, U.S.A., and has 3,800 associates, including 1,200 research analysts and consultants in 75 countries. For more information, visit www.gartner.com.