

iPhone Smackdown: Security vs. Consumerization

It's time to accept the fact that our consumer and business technology worlds are converging

Prepare yourselves for July 11, the day on which a quake will reverberate throughout the IT world, as the all-powerful iPhone descends upon us. Sure, we've had that pesky little device floating around for a year now, but on that day, the price crashes down in a maelstrom of affordability.

What – you don't support the iPhone? Not even with Exchange? Have fun explaining that to your CEO after he realizes that nifty new Major League Baseball application keeps him completely updated on the latest game stats while he sits on his executive toilet.

OK, so I can sling the hyperbole as well as any PR agent, but the truth is the iPhone is representative of one of the most disruptive trends hitting security today – the consumerization of IT. It's not the sexiest term out there, but the consumerization of IT just happens to be one of those pesky disruptive innovations that blows holes through existing security models. I won't use silly terms like "paradigm shift," but clearly how we use and manage IT assets will change, and with that change comes security challenges.

Until relatively recently we drew fairly strict lines between work and personal technology. Work provided, and completely managed, any and all IT assets we needed to get the job done. Our PC (or, occasionally, Mac) was provided by our employer, managed by our employer, and we used said assets (supposedly) while complying with corporate policies. And it isn't just our computers: Many companies still provide and manage cellphones, PDAs, and any other technology we need. While at work, we're restricted from large swaths of the Internet, including personal email, instant messaging, or pesky distractions like news sites, MySpace, or videos of singing cats (the hamster dance of the new millennium). To this day, I have friends who can't send personal emails from work, and have to carry separate work and personal cellphones. All of these assets are strictly locked down in the name of security. Don't even think of installing a new application on your desktop without running it through IT.

Now not all workplaces are so extreme, and there are still plenty of environments where a high degree of control and management really are the best approach. Why? Because people are idiots (present company included), and we download malware, accidentally email customer lists to our uncle in some former Soviet Republic, delete *.*, and would blow the entire work day browsing porn or playing World of Warcraft if so given the opportunity.

We're starting to see those lines between work and home technology degrade at a rapid pace. A generation is entering the workforce that sees cellphones as a hybrid fashion accessory and essential communications device. Cutting them off from SMS is like removing an eye. Right behind them is a generation that feels the same way about IM, social networking sites, and blogging. Want someone with a college education? You're pretty much guaranteed they'll walk in the door not only with a Mac, but with loads of software they've come to rely upon to be productive. Think it's limited to the kids? Last week I was at a conference and a group of us whipped out our cellphones to check schedules – four out of five were iPhones. The odds are very high some senior executives will be asking you to support their new toy before the summer is out.

That's the essence of the consumerization of IT. Be it laptops, cellphones, or Web services, we're watching the walls crumble between business and consumer technology. IT expands from the workplace and permeates our entire lives. From home broadband and remote access, to cellphones, connected cars, TiVos, and game consoles with Web browsers. Employees are starting to adapt technology to their own individual work styles to increase personal productivity. The more valued the knowledge worker, the more likely they are to personalize their technology – work provided or not. Some companies are already reporting difficulties in getting highly qualified knowledge workers and locking them into strict IT environments. No, it's not like the call center will be running off their own laptops, but they'll probably be browsing the Web, sending IMs, and updating their blogs off their phones as they sit in front of their terminals.

This is far from the end of the world. While we need to change some of our approaches, we're gaining the technology tools and the experience needed to run looser environments without increasing our risk. There are strategies we can adopt to loosen the environment without adding risk:

1. Provide supported paths. Rather than saying “no” and motivating the employee to blow past policy, provide a safe, accepted path for the technology. Let them buy their iPhones, Windows Mobile, or other devices, but require them to use ActiveSync and enforce a PIN code. Let them bring their Macs to work, just make them run a copy of Parallels or VMware and run the corporate Windows image. Give them a safe option, rather than no option, and they are likely to play along.

2. Use intelligent monitoring and blocking. Tools like DLP can block Web transactions based on content, rather than just destination. Let them blog – until they blog about work. Let them waste time on ESPN – until they've wasted too much time. Let them use IM and send personal emails from work, but warn them that they'll be monitored and that policy violations will be blocked. Let them use Web services for productivity, until they try to send sensitive corporate information up.

3. Virtualization is your friend. Some companies are starting to experiment with issuing virtual machines to employees who want to use their own PCs or Macs. The virtual machine is locked down, and the employee still gets to use all the other productivity tools they want.
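To make the second strategy concrete, here is an added example (not from the original column) of a content-based outbound policy: the same blog destination is allowed for personal posts and blocked only when the body carries a confidentiality marker or a real-looking card number, and a Luhn check keeps order numbers from tripping the card rule. The hostnames, patterns, and transactions are constructed for illustration.

```python
import re
from dataclasses import dataclass

# Constructed content rules; a real DLP policy would carry many more.
SENSITIVE = {
    # 16 digits in groups of four, with optional space or dash separators
    "card_number": re.compile(r"\b\d{4}[ -]?\d{4}[ -]?\d{4}[ -]?\d{4}\b"),
    "confidential_marker": re.compile(r"\bCONFIDENTIAL\b"),
}


@dataclass
class Transaction:
    destination: str  # where the request is going (not used for the verdict)
    body: str         # what the user is posting or uploading


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: filters out numbers that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def classify(tx: Transaction) -> tuple[str, list[str]]:
    """Decide 'allow' or 'block' from the body alone, never from the destination."""
    reasons = []
    for name, pattern in SENSITIVE.items():
        for match in pattern.finditer(tx.body):
            if name == "card_number" and not luhn_ok(re.sub(r"\D", "", match.group())):
                continue  # 16 digits that fail Luhn: an order or tracking id, not a card
            reasons.append(name)
            break
    return ("block" if reasons else "allow", reasons)


# Constructed sample traffic: same destinations, different content.
SAMPLE = [
    Transaction("blog.example", "Spent the weekend hiking, photos below."),
    Transaction("blog.example", "CONFIDENTIAL: the Q3 roadmap slips to October."),
    Transaction("espn.example", "GET /scoreboard"),
    Transaction("docs.example", "Please charge 4111 1111 1111 1111 for the invoice."),
    Transaction("docs.example", "Tracking number 1234 5678 9012 3456 shipped today."),
]


def run_policy(txs=SAMPLE) -> list[str]:
    return [classify(tx)[0] for tx in txs]
```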

These strategies move us from a posture of "no" to a posture of "yes, but..." We allow employees to use their consumer technologies and services, but in a safe and secure manner. Does this apply to everyone? No, there are still some environments far too critical to open up very far, but there are fewer of them than you think. Can we completely open up today? Not a chance, but unlike the latest malware, we have years to prepare ourselves and slowly loosen up as we implement new, different security controls.

Besides, don't you want to use your iPhone or Android phone at work? Yeah, that's what I thought.

— Rich Mogull is founder of Securosis LLC and a former security industry analyst for Gartner Inc. Special to Dark Reading.
