Alexei Lesnykh, DeviceLock: The Impact of the Consumerization of IT on IT Security Management
March 2009 by Marc Jacob
The age of consumerization of IT, defined as the blurring of lines between corporate IT and consumer technology, is well and truly upon us. Driven by the proliferation of consumer technology such as PDAs, MP3 players and Smartphones, we have seen increasing adoption of consumer technology in the corporate environment. Thanks to the growth of endpoint device capabilities and the corresponding changes in security threat profiles, this new era has significant ramifications for the management and enforcement of corporate IT.
Personal mobile devices have already been shown to increase productivity. According to Osterman Research, 15 per cent of the corporate workforce used employee-supplied mobile devices in 2007, and a TechTarget survey forecasts that this figure will exceed 25 per cent in 2008.
From an IT security perspective, managing 'rogue' or disgruntled employees in a consumerized enterprise will become a real art, especially as a high degree of co-operative behaviour and self-discipline will be expected and required from all employees, including those who are discontented, malicious, negligent or forgetful. The same technology advances and social trends that drive consumerization will also sharply increase information security risk, through the development of 'production quality' mobile malware and the growth of corporate data leakage from and through employees' mobile devices. The removable flash memory of a typical mobile device (currently 4 - 8GB) is already large enough to store and boot a full operating system. The threat of corporate data leakage through personal mobile devices is both unavoidable and immediate: unavoidable because human nature will not change, and since there is no cure for accidental error, negligence or malicious intent, mobile devices will continue to be lost and stolen; immediate because nothing new is required to exercise the threat, and it is happening right now.
So what is the scale of this threat, in these early stages of IT consumerization? In-Stat has estimated that in the US over eight million mobile devices went missing in 2007; and for Smartphone users, the people with the most access to sensitive information, the probability of losing a device was 40 per cent higher. According to the 2007 CSI Computer Crime and Security Survey, seven per cent of the total financial losses incurred by US corporations from IT security incidents related to the loss of proprietary or confidential data resulting from mobile device theft. Projecting these figures onto the latest mobile device market growth predictions made by Tim Bajarin, President of Creative Strategies, one can anticipate an alarming figure of about five million Smartphones being lost in 2008 and 14 million in 2010.
This will equate to about 14 per cent of the total financial losses caused by attacks on corporate IT resources in 2008, rising to 21 per cent in 2010.
Developing the solution
So what should the security industry be doing to address the mobile security threats brought about by IT consumerization? The key part of an architecture for preventing data leakage needs to be local sync parsing. A local sync data leakage prevention architecture should be built as a stack of integrated security mechanisms: from the bottom up, endpoint device/port control, local sync application parsing, file type filtering, and content-based filtering. In addition, a central policy-based management console integrated with a major systems management platform, comprehensive centralized logging, reporting and evidence-preservation components need to be put in place. Each layer of the architecture controls the parameters of a local connection it is designed for: it blocks or filters out prohibited elements, detects and labels the types of objects that the next layer up is responsible for, and passes the classified data flow upward for further processing.
The device/port control component of the architecture is responsible for detecting and controlling the presence of a locally connected mobile device: the connection interface or port type, the device type and, ideally, the device model and its unique ID (a policy keyed only on interface or model is easy to satisfy with any device of the same kind). The output is then passed to the local sync parsing component, which parses the sync traffic, detects its objects (e.g. files, pictures, calendars, emails, tasks, notes, etc.), filters out those that are prohibited, and passes allowed data up to the file type filter. The file type filtering component checks the input flow and drops files whose type is not allowed; to be meaningful it must classify by content signature rather than by file name extension, which the user controls. Finally, the content-based filtering component inspects the human-readable data that remains and detects and blocks the pieces that fail to comply with the corporate security policy.
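The layered pipeline described above, as an added illustration that is not code from the article or from DeviceLock: each layer either blocks an element or passes it up to the next, and every decision is logged for evidence. The device, sync objects, policy values, magic-byte table and the "CONFIDENTIAL" marker are all constructed here for the example; the content layer also flags 16-digit card-number-like sequences that pass the Luhn check, so that arbitrary 16-digit numbers are not reported.

```python
"""Layered local-sync data leakage prevention pipeline (illustrative example)."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Device:
    interface: str   # port type reported by the OS, e.g. "USB", "Bluetooth"
    dev_type: str    # e.g. "smartphone", "mass_storage"
    model: str
    serial: str      # unique ID reported by the device (assumed available)


@dataclass
class SyncObject:
    kind: str        # object type found by the sync parser: "file", "email", "contact", ...
    name: str        # name as presented by the sync application (user controlled)
    data: bytes


@dataclass
class Policy:
    allowed_interfaces: frozenset = frozenset({"USB"})
    allowed_serials: frozenset = frozenset({"SN-0001"})          # constructed allow-list
    allowed_kinds: frozenset = frozenset({"contact", "calendar", "file"})
    allowed_file_types: frozenset = frozenset({"text", "pdf"})
    content_markers: tuple = (re.compile(r"\bCONFIDENTIAL\b", re.I),)  # constructed marker


# Layer 1: device/port control. Interface and model are checked together with the
# unique ID, so a second phone of the same model is still rejected.
def device_allowed(dev: Device, pol: Policy) -> bool:
    return dev.interface in pol.allowed_interfaces and dev.serial in pol.allowed_serials


# Layer 3: file type by content signature (the extension in obj.name is never trusted).
MAGIC = [(b"%PDF", "pdf"), (b"\x89PNG", "png"), (b"PK\x03\x04", "zip"), (b"MZ", "exe")]


def detect_file_type(data: bytes) -> str:
    for sig, name in MAGIC:
        if data.startswith(sig):
            return name
    try:
        data.decode("utf-8")
        return "text"
    except UnicodeDecodeError:
        return "binary"


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, used to separate real card numbers from random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


# Layer 4: content-based filtering over human-readable data.
def content_violations(text: str, pol: Policy) -> list:
    hits = [m.group(0) for p in pol.content_markers for m in p.finditer(text)]
    for m in re.finditer(r"\b(?:\d[ -]?){15}\d\b", text):
        digits = re.sub(r"\D", "", m.group(0))
        if luhn_ok(digits):
            hits.append("PAN ending " + digits[-4:])
    return hits


def process_sync(dev: Device, objects: list, pol: Policy):
    """Run every sync object through the stack; return (allowed objects, evidence log)."""
    log = []
    if not device_allowed(dev, pol):
        log.append(f"BLOCK device {dev.model}/{dev.serial} on {dev.interface}")
        return [], log
    passed = []
    for obj in objects:
        if obj.kind not in pol.allowed_kinds:                       # layer 2
            log.append(f"BLOCK {obj.kind} {obj.name}: object type not permitted")
            continue
        if obj.kind == "file":                                      # layer 3
            ftype = detect_file_type(obj.data)
            if ftype not in pol.allowed_file_types:
                log.append(f"BLOCK file {obj.name}: detected type {ftype}")
                continue
        # Layer 4 only sees text it can decode; binary formats such as PDF would need
        # a format-specific text extractor before inspection (not done here).
        try:
            text = obj.data.decode("utf-8")
        except UnicodeDecodeError:
            text = ""
        hits = content_violations(text, pol)
        if hits:
            log.append(f"BLOCK {obj.kind} {obj.name}: content {hits}")
            continue
        passed.append(obj)
        log.append(f"ALLOW {obj.kind} {obj.name}")
    return passed, log


# Constructed sample session: one allow-listed phone and five objects.
POLICY = Policy()
DEVICE = Device("USB", "smartphone", "Phone X", "SN-0001")
SAMPLE_OBJECTS = [
    SyncObject("contact", "alice.vcf", b"BEGIN:VCARD\nFN:Alice\nEND:VCARD\n"),
    SyncObject("email", "q3.eml", b"Subject: Q3 numbers\n"),
    SyncObject("file", "report.pdf", b"MZ\x90\x00" + b"\x00" * 16),   # renamed executable
    SyncObject("file", "notes.txt", b"Project X is CONFIDENTIAL until launch."),
    SyncObject("file", "expenses.txt", b"card 4111 1111 1111 1111, ticket 1234567890123456"),
    SyncObject("file", "todo.txt", b"buy milk, ticket 1234567890123456"),
]

if __name__ == "__main__":
    for line in process_sync(DEVICE, SAMPLE_OBJECTS, POLICY)[1]:
        print(line)
```

Running the module prints one evidence line per decision; only the contact and `todo.txt` reach the device, while the renamed executable is caught by its `MZ` signature rather than its `.pdf` name, and the ticket number is not reported because it fails the Luhn check.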
The security threat brought about by the consumerization of IT and the consequent mobilization of the workforce is real and upon us. Organizations need to take immediate steps to address this threat before it gets out of control, and the information security market needs to continue to develop solutions that mitigate the unavoidable risk brought about by the growth of consumer technology in the corporate environment.