Five Ways To Secure The Consumer IT Invasion At Work

Companies are increasingly seeing an influx of employee-owned mobile devices on their networks, a trend that will likely accelerate during the coming holiday season.

The influx of personal devices into the workplace -- more formally known as the consumerization of IT -- offers solid gains to companies in terms of productivity and allowing workers to be more flexible in how they do their jobs. The downside is that workers' devices can carry with them security threats and expose the business network to compromise.

Companies need to better deal with the security impact of employee-owned devices because the benefits are too great to dismiss, says Sanjay Beri, vice president of Juniper's security and Pulse businesses.

"This is something that every company is dealing with," Beri says. "Companies should embrace it. It is definitely the right thing to do to empower your employees."

The landscape has changed in the past year, as well. In 2010, the majority of new devices were Apple products -- iPhones and iPads -- but this year companies also need to be prepared for Android devices, a much more complex ecosystem than the stringently controlled Apple platform, says Ojas Rege, vice president of products for MobileIron.

"Companies have to get themselves educated on Android," he says.

Here's what you can do now to protect your network from the coming wave of employee-owned mobile devices:

1. Don't ban devices.
In the past, many companies have balked at providing access to their networks to consumer-owned devices. Yet the productivity gains from such technology are significant, according to a recent report commissioned by IT infrastructure firm Citrix.

The survey found that businesses are seeing productivity gains of up to 36 percent from employees who use both corporate and personal devices for work. Because of the increased productivity, a third of businesses are pushing their IT teams to allow more flexible workplace practices, including allowing consumer devices to connect to corporate resources.

"Most companies see how good these things can be for their business, so they are backing away from the knee-jerk reaction of locking out personal-owned devices," says Elizabeth Cholawsky, vice president of IT services for Citrix.

2. Find what's connecting to the network.
The first step for most firms needs to be identifying the scope of the threat by monitoring which devices are connecting to the network, says MobileIron's Rege. Device management software, historically used to manage corporation-owned devices, has a wide variety of features to set policies on devices and ensure that users are abiding by the policies.

"Companies need to have full visibility into what's connecting," he says. "When a device first comes in, they need to make sure that they can identify it and monitor it."

Most mobile device management software firms, such as MobileIron, require that devices connecting to the corporate network run their clients to help manage the security of the device.

3. Conscript network-analysis tools to identify threats.
Many companies already have technologies that can manage the threat of mobile devices and other consumer-owned technology that enter the network. Network-performance monitoring systems detect anomalous activity that could be a sign of a breach or an untrusted device attempting to expand its foothold in the network, says Steve Shalita, vice president of marketing at NetScout Systems, which makes service management products to optimize networks.

"Performance issues can often be security issues," Shalita says. "Looking for cyberthreats, which impact the network, are something that these systems already do."

Such systems can push anomaly information to security information management systems, which can help the information cross the common divide between IT management and IT security.

4. Push policy to devices.
One benefit of personal devices that run corporate device management clients is that the business can help set appropriate policies for sensitive data, Juniper's Beri says. Based on the identify of the user and the status of the phone, the company can take action.

"You can let them on the network based on who they are, as well as the status of their device -- such as whether the device is jailbroken or running a rogue app," he says.

Many companies take a "block all" policy, allowing only devices that can be identified or go through a vetting process. Others take an "allow all" policy, putting the devices on a virtual network separated from corporate resources unless they devices are authorized.

5. Establish privacy policies.
While improving the security of employee-owned IT, companies have to make sure they are also protecting their workers' privacy. Running mobile device management software on phones and tablets can reveal a lot of information about individuals if not limited by corporate policy.

"It is the right time for organizations to put their first draft of a privacy policy in place for these devices," Rege says.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.