How to Secure Consumer Devices in the Enterprise

Disruptive IT Trends | 4 minutes read | Sep 22nd, 2010

Can you imagine a day at work without your state-of-the-art business enabler, be it the BlackBerry Bold, iPhone 4, Android, or another mobile device? For most people I know, it’s a difficult situation to envision. When I don’t have my BlackBerry Storm at my fingertips, I can’t get my work done as fast. Any reader of this blog knows that consumer devices and technologies are permeating enterprises like never before, a trend attributed to the widespread availability of smart mobile devices with advanced computing capabilities.

Today’s information workers rely on their intelligent mobile devices 24/7 to efficiently manage their personal and professional lives. While consumerization of IT is likely to be the century’s greatest enabler, at the same time it presents a formidable challenge to the CIO: provide policies and governance that enable the use of these productivity tools while keeping data secure. If we do not rethink traditional tenets of enterprise security given the wave of consumer technologies hitting the workplace, then more nimble, aggressive competitors will leverage these technologies to profit at the expense of those who do not.

The IT world is steadily realizing that an evolution of security and threat landscapes is underway. As an industry, we must understand and drive significant change to our legacy IT policies to address both user productivity and enterprise security. Enter Network Access Control (NAC). NAC allows a user device to connect to the enterprise computer network only if it complies with certain pre-established standards.

These standards can cover network security enforcement, system authentication, anti-virus protection, host-intrusion prevention, and system update level and configuration, to name a few. NAC policies are beneficial to the enterprise because they define where the user or device can go within the enterprise network and what they can access. There are a number of very innovative NAC solutions, ranging from Microsoft and Network Access Protocols (NAP), to sophisticated technologies from companies such as Bradford Networks.

When it comes to securing consumer devices, an area that the IT industry is keenly exploring is Intel vPro technology and the Dynamic Virtual Client (DVC). DVC is garnering the attention of the industry because it enables diversity in computing models, addressing the needs of the knowledge worker while at the same time retaining control features. The IT department has better control of enterprise data, and the knowledge worker has access to applications and information — anytime, anywhere, from any device.

Traditional IT security has always been about the perimeter, accomplished by building a security boundary around the end points of your IT infrastructure to protect against threats. Businesses have evolved because of the onset of outsourcing and globalization. When an enterprise has several thousand employees who work remotely from virtual offices and use their own devices for work, is the perimeter approach to security the most effective and efficient?

I’m frequently asked if a new approach to security means giving up the traditional network-level firewalls and security devices. The answer is no. The Jericho Forum proposes that security at the enterprise boundary or network is not enough. The concept of de-perimeterization is that security should be closer to the data and applications to protect enterprise resources from data-level attacks.

The need of the hour is security in a decentralized and distributed network through micro-perimeterization. Micro-perimeterization means having a high level of security around data that is most valuable to the organization. It is relatively easy to classify data into critical versus non-critical. So, thinking differently about our needs within a changing landscape is crucial to the long-term competitiveness of our respective organizations.
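To make the NAC admission check and the micro-perimeter idea described above concrete, here is an added Python example (not from the original post and not any vendor's NAC logic). It admits a device to the network only if it meets a baseline, then applies stricter checks for data classified as critical. The check names, the per-class requirements and the sample devices are all constructed assumptions.

```python
from dataclasses import dataclass

# Constructed baseline, modeled on the standards the article lists.
BASELINE = ("antivirus_current", "host_ips_enabled", "os_updates_current")
# Hypothetical micro-perimeter: extra checks demanded per data class.
DATA_REQUIREMENTS = {
    "non-critical": (),
    "critical": ("disk_encrypted", "screen_lock"),
}

@dataclass(frozen=True)
class Posture:
    device: str
    authenticated: bool = False
    antivirus_current: bool = False
    host_ips_enabled: bool = False
    os_updates_current: bool = False
    disk_encrypted: bool = False
    screen_lock: bool = False

def missing(posture, checks):
    """Return the names of the checks this device fails."""
    return [c for c in checks if not getattr(posture, c)]

def admit(posture):
    """Network-level NAC decision: deny, quarantine, or connect."""
    if not posture.authenticated:
        return "deny", ["authenticated"]
    gaps = missing(posture, BASELINE)
    return ("quarantine", gaps) if gaps else ("connect", [])

def authorize(posture, data_class):
    """Data-level decision, evaluated only for admitted devices."""
    decision, gaps = admit(posture)
    if decision != "connect":
        return False, gaps
    if data_class not in DATA_REQUIREMENTS:
        return False, ["unclassified data: " + data_class]  # fail closed
    gaps = missing(posture, DATA_REQUIREMENTS[data_class])
    return (not gaps), gaps

# Constructed sample devices (not real inventory data).
PHONE = Posture("byod-phone", True, True, True, True, disk_encrypted=False, screen_lock=True)
LAPTOP = Posture("laptop", True, True, True, True, True, True)
STALE = Posture("tablet", True, True, True, os_updates_current=False)

if __name__ == "__main__":
    for d in (PHONE, LAPTOP, STALE):
        print(d.device, admit(d), authorize(d, "critical"), authorize(d, "non-critical"))
```

Device ownership is deliberately not an input: the decision depends on posture and on the classification of the data being requested, so an employee-owned phone that passes the baseline still reaches non-critical data.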

Any approach the CIO takes to securing the enterprise should not end in just managing devices or the network. The data is the ultimate determinant. The story is no longer about the CIO, but the individual end users. Here are a couple of questions for you to ponder: Is end-point security being consumerized? Is this the end of the OEM lock-down model?

Keen to hear your thoughts on consumerization of IT here or on Twitter.