Until recently, many enterprise IT organizations prohibited the use of personal hand-held devices in the enterprise environment. With the consumerization of IT, it faced the daunting challenge of enabling employees’ desire to access corporate information using an array of personal hand-held devices. Ten years ago, employees came to work to use great technology. Now, with the battery of consumer devices available, they often have better PCs and printers at home than they do at work. Because user expectations and needs have also changed, enterprise must adapt.
In the enterprise, a highly mobile workforce wants to take advantage of the most up-to-date systems, services and capabilities to do their jobs, typically using hand-held devices as companion devices to extend the usefulness of their corporate-owned mobile business PCs. This allows them to access information easily from home or on the road. For example, many users want to synchronize their corporate calendars with a third-party Web-based calendar utility so they can use their personal devices to access their work calendars from anywhere. They are motivated to get their jobs done in a manner that is easy, efficient and most productive.
Employees often don’t consider the information security issues raised by such a practice; however, information security is critically important for IT. Analysis of any policy prohibiting all personal devices shows that enforcing the policy would consume extraordinary resources in software and support and would negatively impacted users’ productivity.
Such an approach would require IT to verify every application before allowing a user to install it, which alone would take away much flexibility from the corporate user base. It would also need to significantly modify corporate culture and user expectations, deploy new lab networks and install large amounts of new hardware and networking equipment. That kind of control is just not possible or productive.
Solutions Must Balance User Demand and Information Security
With each new generation of technology, IT must develop ways to help keep information secure. The challenge is to develop a policy that maximizes both user demand and information security to the greatest extent possible. With safeguards in place to protect information and intellectual property, employees are allowed to select the tools that suit their personal work styles and facilitate their job duties, improving employee productivity and job satisfaction. Since the use of personal devices is accelerating, policy needs to change to accommodate it. The best option embraces the consumerization of IT, recognizing that the trend offers significant potential benefits to both users and to IT:
- Increased productivity. Users can choose devices that fit their work styles and personal preferences, resulting in increased productivity and flexibility.
- Greater manageability. By offering a program that users can adopt, IT is aware of what they are doing and can offer services that influence their behavior. This provides a clear understanding of our risk level so IT can actively manage it.
- Enhanced business continuity. If a user’s mobile business PC is nonfunctional, a personal hand-held device provides at least a partial backup, enabling the user to continue to work productively.
- Loss prevention. Internal data indicates that users tend to take better care of their own belongings and tend to lose personal devices less frequently than corporate-owned devices, which actually enhances information security.
- Greater security. Rather than ignore the consumerization of IT, IT can increase information security by taking control of the trend and guiding it.
By taking control of the trend and the technology in its environment, IT is able to circumvent many of the security issues that might have occurred if it simply ignores the issue or prohibits employees from using their own devices to accomplish some of their job duties.
Addressing the Unique Security Challenges of This Workplace Trend
Recognizing the potential benefits of the consumerization of IT to both employees and to IT, the best step is to identify the unique security challenges of this workplace trend, investigate user behavior and define the requirements of an IT consumerization policy. That policy must support users’ needs for mobility and flexibility by allowing personally owned hand-held devices in the enterprise and allowing other personally owned devices in the future.
It is relatively easy to verify and enforce which applications are running on corporate-owned hand-held devices. With personal devices, this process is not so straightforward because employees have the right to install any applications they choose. However, we have identified certain minimum-security specifications for hand-held devices that provide a level of information security that allows IT to test, control, update, disconnect, remote wipe and enforce policy:
- Two-factor authentication required to push email
- Secure storage using encryption
- Security policy setting and restrictions
- Secure information transmittal to and from the enterprise
- Remote wipe capability
- Some firewall and intrusion detection
- System (IDS) capabilities on the server side of the connection
- Patch management and enforcement software for security rules
- The ability to check for viruses from the server side of the connection, although the device itself may not have antivirus software
In the case of antivirus software, we analyzed virus attacks on mobile devices and found that very few targeted corporate information; most either sent text messages or attacked the user’s phone book. Although we expect malware incidents to increase over time, the current threat level to actual corporate information is low.
Mobile Business: PCs or Thin Clients?
We have not found that the thin client computing model, which centrally stores information and allows access to that information only from specific devices, is a foolproof way to protect corporate information.
Although thin clients are appropriate for certain limited applications, in general we feel they limit user mobility, productivity and creativity. Also, many of the perceived security enhancements associated with thin clients need to be viewed with caution. In fact, many of the information security risks merely moved; they didn’t disappear. For example, thin clients usually don’t include the same level of information security protection as mobile business PCs, yet they can still connect to the Internet and export information, putting that information at risk. Therefore, the loss of productivity that comes with using thin clients is for little or no gain.
One of the biggest technical challenges to implementing our policy involved firewall authentication. With IT-managed systems, authentication uses two factors: something you know (a password) and something you have (a registered mobile business PC). But when the device is unknown, you are left with only one authentication criterion.
Therefore, one of the interesting challenges of allowing personal devices in the enterprise is using information on the device to authenticate to the network, without that information belonging to the user. If the employee owns the piece of information used to authenticate to the network, IT would have no grounds for disciplinary action if the user were to choose to move his or her data to a different device to get access to the network. For example, the International Mobile Equipment Identity (MEI) number on a mobile device belongs to the user if the user owns the hardware, so that IT cannot use that to authenticate the device.
To address this issue, IT can send a text message to a predefined phone number, and that text message becomes the user’s password. In this scenario, the phone number is the must-have authentication factor, and the text message is the must-know authentication factor.
Device management also poses challenges, because one solution doesn’t fit all devices and applications. You should design your device management policy with the expectation that a device will be lost or stolen. Therefore, you can expect it to be able to protect itself in a hostile attack. This means that the device is encrypted, can self-wipe with a number of wrong password attempts, and we can remotely wipe the device. Your personal device policy should require users to have controls in place prior to any loss.
Also, some services need greater levels of security than others. For example, the system for booking a conference room doesn’t need the high level of security required by the sales database. Therefore, the room booking system can reside on a device over which we have less management control. You can develop a tiered management system.
The consumerization of IT is a significant workplace trend IT has been actively anticipating for years. You need to establish a comprehensive information security policy, train users and service desk personnel and develop technical solutions that meet your information security requirements. These accomplishments will enable IT to take advantage of the benefits of IT consumerization, without putting our corporate data at risk.
To successfully accommodate employees’ desire to use personal devices in the enterprise, it is important to proactively anticipate the trend — not ignore it or lose control of the environment by simply doing nothing. Success also hinges on an even-handed approach to developing policy, where each instance of personal device usage is treated consistently; it would be difficult to take action if one employee did something if that thing was common practice.
Highly mobile users can use either their own device or a corporate-owned hand-held device as a companion to their mobile business PC. Because employees with similar responsibilities have different preferences, allowing them to use the hand-held devices that best suit their work styles increases productivity and job satisfaction.
For more information on Intel IT best practices, visit Intel.com/IT