
Summary:

Employees love using their own devices to do corporate work, but the practice, known as consumerization, is rife with security risks. Speaking today at Mobilize, Cisco’s Tom Gillis said consumerization is causing a fundamental rearchitecture of how networks look that requires a reimagining of security solutions.

Cisco's Tom Gillis at Mobilize 2011

Employees love using their own devices to do corporate work, but the practice, known as consumerization, is rife with security risks. Speaking with New York Times deputy tech editor Quentin Hardy today at Mobilize, Tom Gillis, VP and GM of the Security Technology Business Unit at Cisco, said consumerization is causing a fundamental rearchitecture of how networks look that requires a reimagining of security solutions.

The gist of the problem, by Gillis’s thinking, is that work has become something that we do rather than a place that we go. That means a firewall that simply allows access to data from internal sources while shutting out external sources is fast becoming an antiquated solution because there’s no definite beginning or end to the corporate network. Now, Gillis explained, traffic is coming from everywhere and on a variety of different devices, which means security products need to learn some new tricks.

Among the highest-priority new capabilities might be wrapping corporate data in security protocols that safeguard in dynamic manners beyond what traditional firewalls do. For example, consumerization-inspired security methods will have to recognize who has access to data without necessarily relying on the IP address of a specific physical server. It could just as easily be any number of virtual machines or mobile devices from which employees or applications are legitimately trying to gain access.

But although it’s hard work trying to solve security for consumerization (and, to a lesser degree, virtualization), Gillis thinks it’s critical that security vendors and IT departments try to do so. For one, he said, consumerization is going to happen regardless of whether companies allow it. In this regard, it’s similar to how Amazon Web Services instances and VMware virtual machines started popping up all over enterprises without consent from above. The best bet, Gillis said, is to embrace the trend and figure out a way to make it secure. It’s “almost absurd” at this point to be the guy who says no, he added.

And when it’s all said and done, companies will likely have happier employees. Gillis noted that employee satisfaction among his team within Cisco skyrocketed when employees were allowed to use their own Macs instead of the company-issued Windows machines, despite the fact that employees had to pay for and service Macs out of their own pockets.

Gillis thinks virtualization might be the trick to solving security for consumerization, but he sees plenty of work still to be done. Right now, he explained, “there’s a gap … that needs to be filled” between delivering enterprise applications to devices via virtual-desktop-like methods and putting a hypervisor right on the device to separate it into a personal VM and a corporate VM. The former creates problems around display and functionality, especially if you’re talking about putting Windows apps on non-Windows devices, and the latter can be a serious performance hindrance, Gillis said.

VMware, which announced a mobile virtualization and application-delivery strategy at VMworld last month, might take some issue with Gillis’s assessment of the situation.

Whatever path companies take to solve these problems, though, Gillis said whoever can do it will be in a good position to lead the security market going forward. It’s like a NASCAR race, he analogized, where we’re heading into a blind corner and whoever best maneuvers it will come out ahead.

  1. Yes Tom. “there’s a gap … that needs to be filled”. Consumerization however is not just about mobile and not just about security.

    The lack of a strategic approach to Consumerization creates security risks, financial exposure and a management nightmare for IT. Rather than resist it, organizations should embrace Consumerization to unlock its business potential. This requires a strategic approach, new flexible policies and new security and management solutions.

    Recommended 3-step approach to Consumerization:

    1. Have a plan. Take a strategic approach to Consumerization and develop a cross-organizational plan. IT cannot do this in a vacuum and will have to engage executives, line of business owners (marketing, sales, HR, product development) as well as customers, partners, and internal early adopters. While planning to adopt new consumer technology, IT managers should survey their most innovative users to discover what devices and applications they like and what they find most useful in their work activities. In this way IT will pull from users’ experience rather than pushing IT views to their base.

    2. Say yes – but not to everything for everyone. Develop a set of policies that clearly define what devices and applications are considered corporate-standard (fully supported by IT) vs. tolerated (jointly supported with the user) vs. deprecated (full user liability). In addition, IT should profile the global workforce based on relevant attributes such as role, line of business and location. And then map technologies to user profiles and define SLAs for each intersection.

    3. Put the right IT infrastructure in place. Deploy appropriate IT solutions specifically designed to secure and manage consumer technology in the enterprise. Be aware that while some offerings have already materialized along the lines of specific product segments, no single vendor can provide one single solution covering all functional requirements across all platforms. As vendors enter the Consumerization space with solutions initially developed for adjacent product segments, most solutions tend to offer overlapping core functionality and to lack the cross-platform support critical to protect and manage the full spectrum of Consumer technologies. IT will have to integrate multiple offerings across different product categories. To name a few: security solutions for Internet content security, mobile antimalware and mobile data protection, Mobile Device Management tools for system provisioning and application management, and Telecom Expense Management for procurement, support and cost control of voice and data services.

    As Consumerization is not just about securing smartphones, several IT solutions already exist to give IT managers visibility and control on specific consumer-technology categories:

    – Desktops, Laptops and Netbooks: employee-owned devices with large screens and traditional operating systems such as Windows can be safely and cost-effectively used for work related activities by relying on VDI – Virtual Desktop Infrastructure – solutions. Plenty of options are available from established VDI vendors such as VMware, Citrix and Microsoft. In addition, to efficiently secure these VDI deployments organizations may look at agent-less solutions such as Trend Micro’s Deep Security that deliver the performance and consolidation ratios necessary to preserve the true ROI of the VDI investment.

    – Tablets and Smartphones: these small screen devices typically run new mobile operating systems such as Apple iOS and Android – soon Windows Phone 7. Traditional VDI doesn’t really cut it in this situation. A better approach to embrace the benefits of these devices in the enterprise may involve Mobile Device Management solutions. Many specialists such as Sybase and Good Technology offer best-of-breed point solutions while established security vendors have quickly complemented their corporate suites with similar baseline Mobile Device Management extensions – Symantec, McAfee and Trend Micro among these. Whether the specific solution involves taking complete control of the device rather than a containerized approach that limits to enterprise applications and data, the underlying assumption is that IT has the permission from the end-user to install some sort of control mechanism on their personal devices. This may not always be the case. As a complement to traditional Mobile Device Management, some vendors will soon offer innovative agent-less solutions that protect data and infrastructure at the network level and therefore do not require additional user permission or endpoint software – i.e. Trend Micro “Project Butter”.

    – Social Networking, Collaboration and File-Sharing: many popular consumer-grade services such as Facebook, DropBox and LinkedIn belong to this category. Again, many enterprise solutions already exist to secure and manage social network activities and internet file sharing. Trend Micro SafeSync for Business and VMware project Octopus are two great examples of enterprise corporate-grade alternatives to DropBox. These solutions allow end-users to access files from any device, including smartphones and tablet computers, and share them with people inside and outside the corporate realm while allowing IT managers to get visibility and control.

    Cesare Garlati

    Senior Director Consumerization @ Trend Micro

    More on Consumerization at http://BringYourOwnIT.com

  2. I think that looking on the bright side, at least this might open up the IT Security budget purse strings that have been so tight since 2008, as companies are finally seeing the need for more personnel in traditional IT Security, as I think this will most likely fall into the “Fully supported by IT” category as Mr. Garlati so eloquently delineated. Heads up, job seekers and persons looking for a change of employer! We should all be getting skill sets ramped up to specialize in this relatively new, exciting, multifaceted field.
