Consumerisation hits security management
Blurring of the boundaries between consumer and corporate technology has created new security risks, notes Alexei Lesnykh
The blurring of lines between corporate IT and consumer technology is well and truly upon us, driven by the proliferation of consumer technology such as PDAs, MP3 players and smartphones.
The growth of end point device capabilities and the corresponding changes in security threat profiles, though, have ramifications for the management and enforcement of corporate IT.
Personal mobile devices can raise productivity in the workplace. According to Osterman Research, about 15 per cent of the workforce used employee-supplied mobile devices in 2007.
A survey from TechTarget forecast this figure to exceed 25 per cent last year.
The task of managing rogue or disgruntled employees in an enterprise with plenty of consumer mobile devices will become a real art – especially as lots of co-operative behaviour and self-discipline will be required from all employees.
Technology advances and social trends that drive consumerisation will also increase information security risks, through the development of production-quality mobile malware and rising corporate data leakage via employees' mobile devices.
The typical mobile device’s removable 4-8GB of flash memory is enough for storing and running a standard operating system.
The threat of corporate data leakage through personal mobile devices is unavoidable and immediate.
Certain features of human nature will not change. Since there is no ultimate cure for accidental errors, negligence or malicious intent, mobile devices will always be lost and stolen. This is happening right now.
In-Stat has estimated that in the US, eight million mobile devices went missing in 2007; and for smartphone users, the people with the most access to sensitive information, the probability of losing a device was 40 per cent higher.
According to the 2007 CSI Computer Crime and Security Survey, seven per cent of total financial losses incurred by US corporations from IT security incidents were related to the loss of proprietary or confidential data resulting from mobile device theft.
The key part of the architecture for preventing data leakage needs to be local sync parsing.
The local sync data leakage prevention architecture should be built as a stack of integrated security mechanisms including bottom-up end point device/port control, local sync application parsing, file type filtering, and content-based filtering technologies.
In addition, a central policy-based management console integrated with a major systems management platform, along with comprehensive centralised logging, reporting and evidence enablement components, needs to be put in place.
Every layer of the architecture controls those parameters of a local connection it is designed to deal with by blocking or filtering out prohibited elements, and detecting and marking the types of objects to be controlled by a higher-layer architecture component to which the classified data flow is then passed for further processing.
The device/port control component of the architecture is responsible for detecting and controlling the presence of a locally connected mobile device, the type of connection interface or port type, device type and ideally the device model and its unique ID.
The output can then be passed to the local sync parsing component, which parses the sync traffic, detects its objects (such as files, pictures, calendars, emails, tasks or notes), filters out those prohibited, and passes allowed data up to the file type filter.
The file type filtering component checks the input flow, deletes those files not allowed, and filters the data to detect and block the pieces of human-understandable data failing to comply with the corporate security policy.
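The layered flow described above can be sketched as follows. This is an added example, not code from the article or from any product; the policy values, device ID, object names and the choice to identify file types by their leading bytes are all assumptions made for illustration.

```python
import re
from dataclasses import dataclass

# Constructed policy: every name and value here is an assumption for illustration.
POLICY = {
    "ports": {"usb"},                       # allowed connection interfaces
    "device_ids": {"PDA-0001"},             # allowed unique device IDs
    "object_types": {"calendar", "task", "file"},
    "file_magic": (b"%PDF", b"\x89PNG"),    # allowed file types, by leading bytes
    "content": [re.compile(rb"confidential", re.I), re.compile(rb"\b\d{16}\b")],
}

@dataclass
class SyncObject:
    kind: str    # object type as classified by the sync parsing layer
    name: str
    data: bytes

def evaluate_session(port, device_id, objects, policy=POLICY):
    """Run one sync session up the stack; return (allowed names, central log)."""
    log = []
    # Layer 1: device/port control decides whether the connection exists at all.
    if port not in policy["ports"] or device_id not in policy["device_ids"]:
        log.append(("device/port", device_id, "blocked"))
        return [], log
    allowed = []
    for obj in objects:
        # Layer 2: sync parsing filters by object type.
        if obj.kind not in policy["object_types"]:
            verdict = ("sync-parse", obj.name, "blocked")
        # Layer 3: file type filter trusts the content's magic bytes, not the name.
        elif obj.kind == "file" and not obj.data.startswith(policy["file_magic"]):
            verdict = ("file-type", obj.name, "blocked")
        # Layer 4: content filter inspects whatever the lower layers let through.
        elif any(p.search(obj.data) for p in policy["content"]):
            verdict = ("content", obj.name, "blocked")
        else:
            verdict = ("content", obj.name, "allowed")
            allowed.append(obj.name)
        log.append(verdict)
    return allowed, log

# Constructed sample session.
SESSION = [
    SyncObject("calendar", "standup.ics", b"BEGIN:VCALENDAR\nSUMMARY:standup\n"),
    SyncObject("email", "inbox-42", b"Subject: hello"),
    SyncObject("file", "report.pdf", b"PK\x03\x04 archive renamed to .pdf"),
    SyncObject("file", "plan.pdf", b"%PDF-1.4 Confidential roadmap"),
    SyncObject("file", "logo.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 8),
]

if __name__ == "__main__":
    for entry in evaluate_session("usb", "PDA-0001", SESSION)[1]:
        print(entry)
```

Each log entry records the layer that made the decision, which is the information the centralised logging and reporting components would need.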
The security threat brought about by the consumerisation of IT and the consequent mobilisation of the workforce is real. Organisations need to ensure they address this threat before it escapes control.
Alexei Lesnykh is business development manager at DeviceLock