Search

Focus On

Best Practice

Impacts of IT Consumerization on Business Security

Over the last few years, consumer devices entered the workplace. IT discovered whole new challenges and opportunities but, today comes the second wave in Consumerization of IT, the Shadow IT.

FOCUS ON: Security, Cloud,

Consumerization is happening in many different ways. The first is the use of consumer websites and services to get work done. Hotmail, Linked-In, Twitter and other web tools all fall under this category. The other is a move toward employee-owned hardwar​​e, such as smartphones and laptops. Smartphones were the most commonly cited employee- owned/managed device that had made it into business workflows. There are several factors driving this. Productivity demands on employees have increased over the last decade, partly due to layoffs and downsizing. There is a growing expectation for employees to deliver anytime, anyplace. While businesses push for increased productivity, they may not be able to justify investments in best-of-breed productivity tools such as smartphones for employees. Many employees already have the smartphones and laptops needed to meet business demands at home and they want to integrate them with their work life. Mounting pressure from both employee and corporation has pushed businesses to consumerize.

ADOPTING THIS NEW MODEL MEANS MOVING SECURITY TO BECOME CONSULTANTS FOR BUSINESS AND PROVIDING THE SECURITY CAPABILITIES AS A SERVICE.


Which are the security issues? How can we assure the appropriate security posture?

Context-Aware Security

It is mandatory support user’s freedom to move on Consumerization Era while keeping information protection, in this scenario security is even more important to ensure that adequate security processes and controls are in place to protect sensitive information and applications when accessing corporate IT assets from consumer devices and apps.

Legal Issues

If the company doesn’t own the device, there are open questions around compliance and audit.

  • E-DISCOVERY: How to examine and possibly judge an employee-owned device in the case of legal proceedings considering the concern of inadvertently retrieving personal data, maybe sensitive and clearly not company owned.
  • SECURITY AND CONTROL OF DATA: While for corporate-owned devices configurations can be set and enforced, security software installed and software updates monitored; for employee-owned devices it is more difficult to guarantee common configurations and allowing some amount of corporate control over data along with the ability to remotely wipe the phone.
  • LAWS AND REGULATORY REQUIREMENTS: Data protection, employees’ rights, capital market regulations (such as SOX), specific industry related requirements, etc. should be assessed against the new perimeter imposed by Consumerization. Companies must develop and enforce codes of conduct regarding the use of various software and services to limit corporate liability.

​Reply has developed a proprietary and dedicated​ framework to allow enterprises to manage the IT Consumerization phenomena assuring an adequate security posture.


MONITOR & IDENTIF​Y

Build awareness about shadow IT and BYO* identifying and monitoring its presence and usage.

  • Identify the usage or the needs to use new BYO* or to recur to shadow IT
  • Monitor the usage of managed BYO* and other managed IT solutions

​EVALUATE

Evaluate the needs, the use and the risks. Identify and evaluate possible solutions.

  • Evaluate the needs related to new identified BYO-Everything/Services and misuses about managed BYO-Everything/Services in terms of Risks (compliance, security, etc.) and Business benefits.
  • Identify possible solutions among: Accept or Deny (Policies & Technology), clone internal solution and control and Regulate the existing (Policies & Technology).
  • Evaluate the possible solutions.

OPERATE

Let the new solution or the regulated one be used and enforce security through the tools and solutions identified in the previous step.

MANAGE & SECURE

Implement the selected solution and setup the needed organizational, training awareness activities.

  • Implement the selected solution in terms of: technology to clone and/or control and regulate the us​age of the BYO* and organizational activities to define and formalize roles and rules (Policies, Procedures, etc.).
  • Training and awareness initiatives to assure the knowledge of the existence of a new BYO* and the related usage rules.
  • Assure synergies among Security and other departments (e.g. IT, Marketing, Innovation, etc.).