The Consumerisation of Enterprise IT Part 2: Information Security

With the ongoing consumerisation of Enterprise IT, users increasingly need to access corporate information systems from any device, anywhere.
Traditionally, IT has used heavy-handed techniques that involve locking the information down in one form or another. This is difficult – and in some cases not possible – with the consumerisation of IT. This introduces a problem for many companies: how do you protect your information if you don’t control the endpoint? While there is no single complete solution, there are a number of ways to achieve this.

Written policy

Rather than control and restrict access to information with technical measures, an alternative is to control information access with company policy. For example, allow users access to company email on their personal phones, but mandate that they are responsible for keeping their phones secure. It’s important to understand the criticality of the information being accessed. If using policy-based controls, log access so that you have a record of what is being accessed, when and by whom. If the information is sensitive, review the logs regularly and deal with exceptions.
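As an added illustration (not code from the original article), a small review script over constructed access-log lines: it records what was accessed, when and by whom, and flags sensitive accesses that breach an assumed device-registration policy or fall outside working hours. The log format, the device inventory and the working-hours window are all assumptions.

```python
import re
from datetime import datetime

# Constructed sample access log (not from the article): one line per access,
# recording what was accessed, when, by whom and from which device.
SAMPLE_LOG = """\
2012-03-05T09:12:44 user=alice device=alice-iphone resource=mail class=internal
2012-03-05T22:40:01 user=bob device=unknown-android resource=crm/customers class=sensitive
2012-03-06T10:05:19 user=alice device=alice-iphone resource=finance/forecast class=sensitive
2012-03-06T02:17:03 user=carol device=carol-ipad resource=hr/payroll class=sensitive
"""

# Devices each user has registered under the written policy (assumed inventory).
REGISTERED_DEVICES = {
    "alice": {"alice-iphone"},
    "bob": {"bob-laptop"},
    "carol": {"carol-ipad"},
}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) device=(?P<device>\S+) "
    r"resource=(?P<resource>\S+) class=(?P<cls>\S+)$"
)

def parse_log(text):
    """Parse log lines into dicts; lines that do not match the format are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            d = m.groupdict()
            d["ts"] = datetime.fromisoformat(d["ts"])
            entries.append(d)
    return entries

def find_exceptions(entries, registered, work_hours=(8, 19)):
    """Return (entry, reason) pairs for sensitive accesses that need review:
    access from a device not registered to the user, or outside working hours."""
    start, end = work_hours
    exceptions = []
    for e in entries:
        if e["cls"] != "sensitive":
            continue  # policy only requires review of sensitive information
        if e["device"] not in registered.get(e["user"], set()):
            exceptions.append((e, "unregistered device"))
        elif not (start <= e["ts"].hour < end):
            exceptions.append((e, "outside working hours"))
    return exceptions
```

Run `find_exceptions(parse_log(SAMPLE_LOG), REGISTERED_DEVICES)` to list the two accesses a reviewer would follow up on.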

Backups

With increasing use of Software as a Service (SaaS), company-critical information can be stored in any location. No longer is all important company data stored in the datacentre. Company information can be stored in web applications like Salesforce and Highrise, tools like Dropbox, on company laptops and on mobile devices.
Work out the impact of data loss for each of the applications your business uses. If the cost of losing the data exceeds the cost of protecting it, then protect it. While many of these services back up your data, ultimately you are responsible for protecting your own information. An SLA cannot restore data that has been lost, and cannot ensure the continuity of your business if you lose business-critical information. Where the data cannot be automatically protected, use a manual procedure.

The right security technology

Consumerising IT does not mean neglecting security. If third-party devices are going to be introduced to a company network – whether wireless or wired – ensure that adequate protection measures are in place. Only allow untrusted devices onto untrusted network segments, and treat those segments like a DMZ. Use Network Access Control if you need extra security. Encrypt access to company information with SSL. Prevent key loggers from gaining logon credentials to your company systems by using two-factor authentication, so that a captured password alone is not enough to log on.
Ultimately it is up to each business to decide on what level of information accessibility is appropriate. With the right measures in place, a balance between security and usability can be achieved.