
iPhone Smackdown: Security vs. Consumerization

It's time to accept the fact that our consumer and business technology worlds are converging

Prepare yourselves for July 11, the day on which a quake will reverberate throughout the IT world, as the all-powerful iPhone descends upon us. Sure, we've had that pesky little device floating around for a year now, but on that day, the price crashes down in a maelstrom of affordability.

What – you don't support the iPhone? Not even with Exchange? Have fun explaining that to your CEO after he realizes that nifty new Major League Baseball application keeps him completely updated on the latest game stats while he sits on his executive toilet.

OK, so I can sling the hyperbole as well as any PR agent, but the truth is the iPhone is representative of one of the most disruptive trends hitting security today – the consumerization of IT. It's not the sexiest term out there, but the consumerization of IT just happens to be one of those pesky disruptive innovations that blows holes through existing security models. I won't use silly terms like "paradigm shift," but clearly how we use and manage IT assets will change, and with that change comes security challenges.

Until relatively recently we drew fairly strict lines between work and personal technology. Work provided, and completely managed, any and all IT assets we needed to get the job done. Our PC (or, occasionally, Mac) was provided by our employer, managed by our employer, and we used said assets (supposedly) while complying with corporate policies. And it isn't just our computers: Many companies still provide and manage cellphones, PDAs, and any other technology we need. While at work, we're restricted from large swaths of the Internet, including personal email, instant messaging, or pesky distractions like news sites, MySpace, or videos of singing cats (the hamster dance of the new millennium). To this day, I have friends who can't send personal emails from work, and have to carry separate work and personal cellphones. All of these assets are strictly locked down in the name of security. Don't even think of installing a new application on your desktop without running it through IT.

Now not all workplaces are so extreme, and there are still plenty of environments where a high degree of control and management really are the best approach. Why? Because people are idiots (present company included), and we download malware, accidentally email customer lists to our uncle in some former Soviet Republic, delete *.*, and would blow the entire work day browsing porn or playing World of Warcraft if so given the opportunity.

We're starting to see those lines between work and home technology degrade at a rapid pace. A generation is entering the workforce that sees cellphones as a hybrid fashion accessory and essential communications device. Cutting them off from SMS is like removing an eye. Right behind them is a generation that feels the same way about IM, social networking sites, and blogging. Want someone with a college education? You're pretty much guaranteed they'll walk in the door not only with a Mac, but with loads of software they've come to rely upon to be productive. Think it's limited to the kids? Last week I was at a conference and a group of us whipped out our cellphones to check schedules – four out of five were iPhones. The odds are very high some senior executives will be asking you to support their new toy before the summer is out.

That's the essence of the consumerization of IT. Be it laptops, cellphones, or Web services, we're watching the walls crumble between business and consumer technology. IT expands from the workplace and permeates our entire lives, from home broadband and remote access to cellphones, connected cars, TiVos, and game consoles with Web browsers. Employees are starting to adapt technology to their own individual work styles to increase personal productivity. The more valued the knowledge worker, the more likely they are to personalize their technology – work provided or not. Some companies are already reporting difficulties in hiring highly qualified knowledge workers and then locking them into strict IT environments. No, it's not like the call center will be running off their own laptops, but they'll probably be browsing the Web, sending IMs, and updating their blogs off their phones as they sit in front of their terminals.

This is far from the end of the world. While we need to change some of our approaches, we're also gaining the tools and the experience to run looser environments without increasing our risk. Here are three strategies for loosening the environment while holding risk steady:

1. Provide supported paths. Rather than saying “no” and motivating the employee to blow past policy, instead provide a safe, accepted path for the technology. Let them buy their iPhones, Windows Mobile, or other devices, but require them to use ActiveSync and enforce a PIN code. Let them bring their Macs to work, just make them run a copy of Parallels or VMware and run the corporate Windows image. Give them a safe option, rather than no option, and they are likely to play along.

2. Use intelligent monitoring and blocking. Tools like DLP can block Web transactions based on content, rather than just destination. Let them blog – until they blog about work. Let them waste time on ESPN – until they've wasted too much time. Let them use IM and send personal emails from work, but warn them that they'll be monitored and you'll block policy violations. Let them use Web services for productivity, until they try to send sensitive corporate info up.

3. Virtualization is your friend. Some companies are starting to experiment with issuing virtual machines to employees that want to use their own PCs or Macs. The virtual machine is locked down, and the employee still gets to use all the other productivity tools they want.
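The "yes, but..." posture of strategy 2 can be expressed as a small content-aware policy check. This is an added example, not code from the column or from any DLP product; the host categories, the sensitive-content patterns, the project code names and the 30-minute leisure budget are all constructed for illustration.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

# Constructed destination categories; a real deployment would use a URL-categorisation feed.
CATEGORIES = {
    "blog.example.com": "blog",
    "espn.example.com": "leisure",
    "im.example.com": "im",
    "webmail.example.com": "webmail",
    "docs.example.com": "webservice",
}

# Markers for "sensitive corporate info" (constructed for the example).
SENSITIVE = [
    re.compile(r"\bconfidential\b", re.I),
    re.compile(r"\bcustomer list\b", re.I),
    re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),                    # SSN-shaped number
    re.compile(r"\bproject\s+(?:falcon|osprey)\b", re.I),    # hypothetical code names
]
LEISURE_BUDGET_MIN = 30   # minutes of leisure browsing allowed per day (assumed)


@dataclass
class Transaction:
    user: str
    host: str
    body: str                  # outbound content: blog post, IM message, upload
    leisure_minutes: int = 0   # leisure time already spent today


def classify(tx: Transaction) -> Tuple[str, str]:
    """Return (decision, reason) where decision is 'allow', 'warn' or 'block'."""
    category = CATEGORIES.get(tx.host, "uncategorised")
    hits = [p.pattern for p in SENSITIVE if p.search(tx.body)]
    if hits:
        # Content, not destination, decides: blogging about work or uploading
        # sensitive data is blocked wherever it is headed.
        return "block", f"sensitive content bound for {category}: {hits[0]}"
    if category == "leisure" and tx.leisure_minutes >= LEISURE_BUDGET_MIN:
        return "block", "daily leisure budget exhausted"
    if category in ("im", "webmail"):
        # Personal IM and email are allowed, but the user is told they are monitored.
        return "warn", f"personal {category} allowed; session is monitored"
    return "allow", f"{category} traffic without sensitive content"


def review(transactions: List[Transaction]) -> List[Tuple[str, str, str]]:
    """Run the policy over a batch and return (user, decision, reason) rows."""
    return [(tx.user,) + classify(tx) for tx in transactions]
```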

These move us from a posture of "no" to a posture of "yes, but..." We allow employees to use their consumer technologies and services, but in a safe and secure manner. Does this apply to everyone? No, there are still some environments far too critical to open up very far, but there are fewer of them than you think. Can we completely open up today? Not a chance, but unlike the latest malware we have years to prepare ourselves and slowly loosen up as we implement new, different security controls.

Besides, don't you want to use your iPhone or Android phone at work? Yeah, that's what I thought.

— Rich Mogull is founder of Securosis LLC and a former security industry analyst for Gartner Inc. Special to Dark Reading.
